################################################################
# ThreatFox IOCs: Suricata rules                               #
# Last updated: 2024-04-26 19:49:50 UTC                        #
#                                                              #
# Terms Of Use: https://threatfox.abuse.ch/faq/#tos            #
# For questions please contact threatfox [at] abuse.ch         #
################################################################
#
# ---------------------------------------------------------------
# Deployment notes (reviewer additions; they apply to every rule
# in this feed, which is generated from ThreatFox submissions):
#
# * Rule anatomy. sid is "9" followed by the ThreatFox IOC id that
#   appears in the reference URL, so a hit can be traced straight back
#   to the submission. target:src_ip marks the $HOME_NET host as the
#   victim. metadata confidence_level (50-100 here) is the submitter's
#   confidence, not a detection-quality score; the 50% entries below
#   (Havoc, Brute Ratel C4, some AsyncRAT/SectopRAT) are candidates for
#   lower priority or alert-only handling. The sids sit in the
#   91xxxxxxx range - check they do not collide with other feeds.
#
# * Syntax. The rules use the http.method / http.uri / http.host sticky
#   buffers and the dns_query buffer; make sure the Suricata release
#   you load them on accepts that keyword set (TODO confirm per
#   installation). $HOME_NET / $EXTERNAL_NET come from suricata.yaml;
#   every rule is written client -> server only.
#
# * "ip:port" rules (alert tcp $HOME_NET any -> [a.b.c.d] port). They
#   carry no flow: or content: keyword, so any TCP packet from
#   $HOME_NET to that address/port matches - a bare SYN, a port scan
#   or a sandbox replay is enough. threshold: type limit, track
#   by_src, seconds 60, count 1 caps that to one alert per source host
#   per rule per minute. IP-based IOCs age quickly (shared hosting,
#   re-used VPS ranges); compare first_seen with the time of the hit
#   and read the referenced ThreatFox entry before escalating.
#
# * "domain" rules (dns_query). content at depth == name length plus
#   isdataat:!1,relative means the query must equal the name exactly:
#   "hm2.webcamcn.xyz" does not trip the "webcamcn.xyz" rule, each such
#   label has its own sid. Wildcard/subdomain coverage is not provided.
#   These fire on the lookup, not on a connection, so resolvers,
#   sandboxes and vulnerability scanners on $HOME_NET will trip them
#   without being infected.
#
# * "url" rules (alert http). flow:established,from_client, method
#   GET, a prefix match on http.uri (depth == string length, nocase,
#   no end anchor) and an exact http.host. The rules whose URI is
#   content:"/"; depth:1 therefore match any GET to that host, not
#   only the root path - effectively a host IOC.
# ---------------------------------------------------------------
#
# --- webcamcn.xyz cluster: apex + two subdomains, plus the 156.248.54.11:80
#     endpoint that one subdomain label embeds (sids 91262645..91262648)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webcamcn.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262647; rev:1;)
alert tcp $HOME_NET any -> [156.248.54.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262648; rev:1;)
alert tcp $HOME_NET any -> [216.224.125.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262649; rev:1;)
# --- KrBanker C2 endpoints (non-standard high ports)
alert tcp $HOME_NET any -> [38.181.20.8] 9227 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262650; rev:1;)
alert tcp $HOME_NET any -> [27.124.46.73] 9817 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262651; rev:1;)
# --- Stealc: the url rule and the first ip:port rule cover the same host
#     (109.172.112.246), so one check-in can raise both sids
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"109.172.112.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262652; rev:1;)
alert tcp $HOME_NET any -> [109.172.112.246] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262653; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.111] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262654; rev:1;)
# --- nitio.com payload delivery: four download paths plus the apex domain.
#     The domain rule (sid 91262659) fires on the DNS lookup alone; the url
#     rules need an established HTTP GET, so a hit on both is the stronger signal
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koo1/decipher.csv"; depth:18; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koo/kpyqgtbbzswvoy6.bin"; depth:24; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k1/fdoimu226.bin"; depth:17; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k2/unconscientiousness.jpb"; depth:27; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nitio.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262659; rev:1;)
# --- CloudEyE (GuLoader) staging host: ip:port rule plus the fetched .bin path
alert tcp $HOME_NET any -> [94.156.8.104] 80 (msg:"ThreatFox CloudEyE payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yftql16.bin"; depth:12; nocase; http.host; content:"94.156.8.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262661; rev:1;)
# --- assorted RAT C2 endpoints and domains
alert tcp $HOME_NET any -> [94.156.128.246] 3323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262662; rev:1;)
alert tcp $HOME_NET any -> [101.99.92.10] 13500 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262663; rev:1;)
# 75% confidence - see note on confidence_level above
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tampabayllc.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262701; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 7719 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262739; rev:1;)
# dynamic-DNS name: the IP behind it can change at any time, so the DNS rule is
# the durable indicator here
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moranhq.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262740; rev:1;)
# --- webcamcn.xyz subdomains (exact-match; see cluster note above)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"156.248.54.11.webcamcn.xyz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hm2.webcamcn.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262645; rev:1;)
# --- 50% confidence RAT endpoints
alert tcp $HOME_NET any -> [154.53.42.53] 8448 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262644; rev:1;)
alert tcp $HOME_NET any -> [85.209.11.243] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262643; rev:1;)
alert tcp $HOME_NET any -> [93.71.184.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262642; rev:1;)
# --- pronethellas.com payload delivery: domain + one download path
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pronethellas.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dezx/oblqlsgpaa72.bin"; depth:22; nocase; http.host; content:"pronethellas.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262635; rev:1;)
# --- theertyuiergthjk.homes: www + apex domain rules, and the /s8o3/ C2 path
#     (uri is a prefix match, so anything under /s8o3/ on the www host hits)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.theertyuiergthjk.homes"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theertyuiergthjk.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s8o3/"; depth:6; nocase; http.host; content:"www.theertyuiergthjk.homes"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262632; rev:1;)
alert tcp $HOME_NET any -> [49.233.206.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263005; rev:1;)
# --- Havoc / Brute Ratel C4 team servers (all 50% confidence). Red-team
#     frameworks: a hit may be an authorised engagement - check with the
#     security team before containment
alert tcp $HOME_NET any -> [95.217.210.118] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263004; rev:1;)
alert tcp $HOME_NET any -> [34.210.168.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263003; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.182] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263002; rev:1;)
alert tcp $HOME_NET any -> [147.45.79.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263001; rev:1;)
alert tcp $HOME_NET any -> [51.15.249.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263000; rev:1;)
alert tcp $HOME_NET any -> [213.199.35.149] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262999; rev:1;)
# --- Cobalt Strike: the /zc url rule and the 185.104.181.135:80 rule describe
#     the same server, so expect paired alerts
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"185.104.181.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262998; rev:1;)
alert tcp $HOME_NET any -> [185.104.181.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262997; rev:1;)
alert tcp $HOME_NET any -> [88.214.27.89] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262996; rev:1;)
alert tcp $HOME_NET any -> [37.27.45.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262995; rev:1;)
alert tcp $HOME_NET any -> [37.27.11.209] 8023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262994; rev:1;)
# --- Vidar cluster: eight .xyz domains (dns), six ip:port endpoints, and one
#     "url" rule per domain/IP whose URI is only "/" depth:1 - i.e. any GET to
#     that host matches (see url note above). A single infected host can
#     therefore raise dns + url + ip:port sids for the same C2
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riptode.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oktes.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hypaton.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vances.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meday.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woo2tech.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yestohe.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtlintro.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262993; rev:1;)
alert tcp $HOME_NET any -> [95.217.246.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262981; rev:1;)
alert tcp $HOME_NET any -> [78.47.186.226] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262982; rev:1;)
alert tcp $HOME_NET any -> [78.47.14.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262983; rev:1;)
alert tcp $HOME_NET any -> [37.27.11.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262984; rev:1;)
alert tcp $HOME_NET any -> [116.203.0.165] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262985; rev:1;)
# port 5432 is the PostgreSQL default; legitimate DB traffic to this address
# would also match, since the rule has no payload condition
alert tcp $HOME_NET any -> [116.203.167.106] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vtlintro.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yestohe.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"woo2tech.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"meday.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hypaton.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vances.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"oktes.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"riptode.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.0.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.11.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.14.240"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.246.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.186.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sol.ethvseos.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262965; rev:1;)
# --- Cobalt Strike: same host on two ports (two separate sids)
alert tcp $HOME_NET any -> [185.196.9.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262963; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.172] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262964; rev:1;)
# --- IcedID (60-75% confidence)
alert tcp $HOME_NET any -> [159.89.124.149] 8085 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262962/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262962; rev:1;)
alert tcp $HOME_NET any -> [159.89.124.149] 8084 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262961/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262961; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.77] 8085 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262960/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262960; rev:1;)
alert tcp $HOME_NET any -> [212.46.38.250] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262959/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262959; rev:1;)
alert tcp $HOME_NET any -> [51.195.211.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262958; rev:1;)
# --- DCRat / Quasar RAT endpoints
alert tcp $HOME_NET any -> [149.88.82.88] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262957; rev:1;)
alert tcp $HOME_NET any -> [137.175.77.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262956; rev:1;)
alert tcp $HOME_NET any -> [38.180.25.208] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262955; rev:1;)
alert tcp $HOME_NET any -> [202.47.118.167] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262954; rev:1;)
alert tcp $HOME_NET any -> [191.82.222.55] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262953; rev:1;)
alert tcp $HOME_NET any -> [177.102.67.107] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262952; rev:1;)
alert tcp $HOME_NET any -> [175.137.217.128] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262951; rev:1;)
# --- DarkComet: 187.135.138.133 is listed on seven ports, each as its own
#     sid; threshold is per rule, so a connect sweep across those ports
#     from one host yields up to seven alerts per minute, not one
alert tcp $HOME_NET any -> [187.135.138.133] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262947; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262948; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262949; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262950; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262944; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262945; rev:1;)
alert tcp $HOME_NET any -> [187.135.138.133] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262946; rev:1;)
# ports 80/443 on a plain ip:port rule: any web traffic to the address hits,
# not just the RAT channel
alert tcp $HOME_NET any -> [141.11.93.161] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262942; rev:1;)
alert tcp $HOME_NET any -> [141.11.93.161] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262943; rev:1;)
alert tcp $HOME_NET any -> [91.132.49.90] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262941; rev:1;)
# --- Venom RAT / AsyncRAT endpoints
alert tcp $HOME_NET any -> [222.239.35.173] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262810; rev:1;)
alert tcp $HOME_NET any -> [173.249.52.60] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262765; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262759; rev:1;)
alert tcp $HOME_NET any -> [184.174.96.94] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262760; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262761; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262762; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262763; rev:1;) alert tcp $HOME_NET any -> [207.32.219.85] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262764; rev:1;) alert tcp $HOME_NET any -> [46.246.14.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262755; rev:1;) alert tcp $HOME_NET any -> [88.229.18.221] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262756; rev:1;) alert tcp $HOME_NET any -> [88.229.18.221] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262757; rev:1;) alert tcp $HOME_NET any -> [142.202.191.162] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262758; rev:1;) alert tcp $HOME_NET any -> [94.156.65.26] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262753; rev:1;) alert tcp $HOME_NET any -> [94.156.65.26] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262754; rev:1;) alert tcp $HOME_NET any -> [94.154.172.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262752; rev:1;) alert tcp $HOME_NET any -> [45.15.156.173] 8080 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262751; rev:1;)
# --- Cobalt Strike ip:port IOCs (ThreatFox 1262747-1262750) ------------------------------------
# Shape of every ip:port rule in this feed: a plain "alert tcp" to one destination socket with
# no flow: keyword. It therefore fires on ANY packet towards that socket -- a lone SYN, a
# scanner on $HOME_NET, a retransmit -- not only on an established session; "threshold: type
# limit, track by_src, seconds 60, count 1" merely caps it at one alert per internal source per
# minute. target:src_ip marks the $HOME_NET side as the victim in alert output. Nothing here
# inspects TLS on 443; the match is purely destination IP + port.
# NOTE(review): 18.232.156.244, 44.221.39.41 and 54.145.84.81 look like cloud-provider address
# space, which is reassigned quickly -- re-check the referenced ThreatFox entry (all first_seen
# 2024_04_26) before promoting any of these from alert to drop.
alert tcp $HOME_NET any -> [116.196.82.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262750; rev:1;)
alert tcp $HOME_NET any -> [18.232.156.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262748; rev:1;)
alert tcp $HOME_NET any -> [44.221.39.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262749; rev:1;)
alert tcp $HOME_NET any -> [54.145.84.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262747; rev:1;)
# --- Cobalt Strike HTTP beacon URLs paired with their ip:port IOCs (1262741-1262746) -----------
# Unlike the ip:port rules, the url rules carry flow:established,from_client and match GET only.
# http.host is anchored exactly (depth equals the pattern length and isdataat:!1,relative follows),
# but http.uri is a PREFIX match (depth only, no isdataat): "/visit.js" also matches
# "/visit.js?x=1", "/activity" also matches "/activity2". Specificity comes from the Host
# header, not the path -- /visit.js, /pixel.gif and /activity are deliberately ordinary-looking,
# so never lift the path alone into another IOC list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"3.86.13.34"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262746; rev:1;)
alert tcp $HOME_NET any -> [3.86.13.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.83.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262744; rev:1;)
alert tcp $HOME_NET any -> [154.201.83.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.12.23.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262742; rev:1;)
alert tcp $HOME_NET any -> [154.12.23.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262741; rev:1;)
# --- Cobalt Strike domains: HTTP Host + DNS query pairs (1262733-1262738) -----------------------
# The dns_query rules match the QUESTION name only, as an exact FQDN (depth equals the pattern
# length, isdataat:!1,relative, nocase); no answer/RDATA is inspected and there is no threshold,
# so every lookup alerts. The header is $HOME_NET -> $EXTERNAL_NET: a client query that goes to
# an internal recursive resolver is not seen by this rule, and on the resolver's egress the
# alert src_ip is the resolver, not the infected client.
# www.nickelviper.com and ns1.anonymouskids.uk each appear twice below: once as the Host of a
# beacon URL (/push, /image/ -- prefix matches, see above) and once as a DNS lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.nickelviper.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nickelviper.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262737; rev:1;)
alert tcp $HOME_NET any -> [18.132.148.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"ns1.anonymouskids.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srothanhlong.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262735; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.anonymouskids.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262733; rev:1;)
# --- Cobalt Strike on shared cloud front-ends (1262729-1262732) -------------------------------
alert tcp $HOME_NET any -> [3.132.209.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262731; rev:1;)
alert tcp $HOME_NET any -> [3.132.209.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262732; rev:1;)
# ao2gmabl4c.execute-api.us-east-1.amazonaws.com is a per-deployment hostname on AWS API Gateway,
# a shared service. Keying on the exact Host plus the "/api/search/" URI prefix is the right
# granularity for it. NOTE(review): do not derive an IP block from this rule -- the addresses
# behind that hostname presumably front many unrelated tenants. The ip:port rules around it
# (3.132.209.99, 3.9.188.172) are separate ThreatFox entries; this feed does not tie them to
# the hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"ao2gmabl4c.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262730; rev:1;)
alert tcp $HOME_NET any -> [3.9.188.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262729; rev:1;) alert tcp $HOME_NET any -> [3.0.50.245] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262728; rev:1;) alert tcp $HOME_NET any -> [104.214.168.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"mail.metadate.services"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.metadate.services"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262725; rev:1;) alert tcp $HOME_NET any -> [167.179.76.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262724/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_26; classtype:trojan-activity; sid:91262724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"65.20.85.214"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262723; rev:1;) alert tcp $HOME_NET any -> [65.20.85.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262722; rev:1;) alert tcp $HOME_NET any -> [124.156.166.78] 7654 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.157.90.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262720; rev:1;) alert tcp $HOME_NET any -> [43.157.90.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"192.227.137.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262718; rev:1;) alert tcp $HOME_NET any -> [192.227.137.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262716; rev:1;) alert tcp $HOME_NET any -> [192.227.137.122] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262717; rev:1;) alert tcp $HOME_NET any -> [152.42.244.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oscp/"; depth:6; nocase; http.host; content:"134.209.27.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262714; rev:1;) alert tcp $HOME_NET any -> [134.209.27.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.236.28.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262712; rev:1;) alert tcp $HOME_NET any -> [47.236.28.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-qyygkf1k-1307679590.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qyygkf1k-1307679590.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262709/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262709; rev:1;) alert tcp $HOME_NET any -> [1.94.66.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262708; rev:1;) alert tcp $HOME_NET any -> [1.94.52.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262707; rev:1;) alert tcp $HOME_NET any -> [123.57.172.34] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262706; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"47.92.151.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262704; rev:1;) alert tcp $HOME_NET any -> [47.92.151.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262703; rev:1;) alert tcp $HOME_NET any -> [39.104.28.176] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262702; rev:1;) alert tcp $HOME_NET any -> [39.100.109.229] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262699; rev:1;) alert tcp $HOME_NET any -> [39.98.43.192] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262698; rev:1;) alert tcp $HOME_NET any -> [8.141.166.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262696; rev:1;) alert tcp $HOME_NET any -> [8.141.166.236] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1262697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262697; rev:1;) alert tcp $HOME_NET any -> [8.137.76.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262695; rev:1;) alert tcp $HOME_NET any -> [8.134.92.24] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262694; rev:1;) alert tcp $HOME_NET any -> [8.130.66.214] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.130.29.62"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262692; rev:1;) alert tcp $HOME_NET any -> [8.130.29.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262691/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_26; classtype:trojan-activity; sid:91262691; rev:1;) alert tcp $HOME_NET any -> [150.158.54.83] 7500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262690; rev:1;) alert tcp $HOME_NET any -> [124.222.15.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262689; rev:1;) alert tcp $HOME_NET any -> [123.206.115.56] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.89.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262687; rev:1;) alert tcp $HOME_NET any -> [122.51.89.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.91.218.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262685; rev:1;) alert tcp $HOME_NET any -> [119.91.218.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262684; rev:1;) alert tcp $HOME_NET any -> [114.132.245.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262683; rev:1;) alert tcp $HOME_NET any -> [111.229.200.233] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262682; rev:1;) alert tcp $HOME_NET any -> [111.229.35.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262680; rev:1;) alert tcp $HOME_NET any -> [111.229.35.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262681; rev:1;) alert tcp $HOME_NET any -> [101.35.198.25] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262678; rev:1;) alert tcp $HOME_NET any -> [43.136.43.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"185.229.237.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.130.252.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"209.222.0.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.205.115.92"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.138.119.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.139.205.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262667; rev:1;) alert tcp $HOME_NET any -> 
[118.31.116.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262664; rev:1;) alert tcp $HOME_NET any -> [8.138.119.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.138.119.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262640/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_26; classtype:trojan-activity; sid:91262640; rev:1;) alert tcp $HOME_NET any -> [1.14.96.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.14.96.69"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262638; rev:1;) alert tcp $HOME_NET any -> [45.142.182.80] 5900 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262637; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 5654 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"craftedfollowing.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262607; rev:1;) alert tcp $HOME_NET any -> [46.246.86.14] 
1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262580; rev:1;) alert tcp $HOME_NET any -> [172.94.9.228] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262605; rev:1;) alert tcp $HOME_NET any -> [5.253.40.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262604; rev:1;) alert tcp $HOME_NET any -> [64.227.140.244] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262603; rev:1;) alert tcp $HOME_NET any -> [93.127.202.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262602; rev:1;) alert tcp $HOME_NET any -> [14.178.208.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262601/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262601; rev:1;) alert tcp $HOME_NET any -> [18.159.103.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262600; rev:1;) alert tcp $HOME_NET any -> [77.91.70.104] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262599; rev:1;) alert tcp $HOME_NET any -> [54.202.238.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262598; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262597; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262596; rev:1;) alert tcp $HOME_NET any -> [190.70.119.188] 4859 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262595; rev:1;) alert tcp $HOME_NET any -> [45.141.84.135] 54183 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262594; rev:1;) alert tcp $HOME_NET any -> [35.192.76.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262593; rev:1;) alert tcp $HOME_NET any -> [193.227.134.120] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262592; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20037 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262591; rev:1;) alert tcp $HOME_NET any -> [45.95.174.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262590; rev:1;) alert tcp 
$HOME_NET any -> [45.95.174.39] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262589; rev:1;) alert tcp $HOME_NET any -> [149.28.25.144] 55556 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262588; rev:1;) alert tcp $HOME_NET any -> [149.28.25.144] 5432 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lt8e"; depth:5; nocase; http.host; content:"39.105.191.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262586; rev:1;) alert tcp $HOME_NET any -> [39.105.191.1] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/javascriptpollmultigeneratordatalife.php"; depth:41; nocase; http.host; content:"taketa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262584; rev:1;) alert tcp $HOME_NET any -> [85.203.42.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262581; rev:1;) alert tcp $HOME_NET any -> [5.42.92.179] 18418 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262579; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.54.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262576; rev:1;) alert tcp $HOME_NET any -> [44.194.227.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms"; depth:3; nocase; http.host; content:"dct4jph3as9lp.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dct4jph3as9lp.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262571; rev:1;) alert tcp $HOME_NET any -> [85.203.42.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginin.html"; depth:13; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262569; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1262570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.11.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262567; rev:1;) alert tcp $HOME_NET any -> [8.134.11.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flypadi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262565; rev:1;) alert tcp $HOME_NET any -> [89.34.237.212] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz24519.tw1.ru"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"pgdm.my"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tangerang/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"tutycholid.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/model-2/wp-content/plugins/user-private-files/shared/"; depth:54; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"taifateule.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"upr.lk"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phatthanhnghia.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"quotesparade.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"thayhoicoffee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideosphere.in"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/user-private-files/shared/"; depth:49; nocase; http.host; content:"vegasnights.co.za"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"audio.daiphucminh.vn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"seraphyaromatherapy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chocolate/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"milkganache.com.br"; depth:18; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1262548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"www.pansy-dz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideanet.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"reyadtours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"devaccrocs.allianceconsultants.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"manbaulhudaasia.aliyy.my"; depth:24; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"yahyacarpet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epicure-traiteur/wp-content/plugins/user-private-files/shared/"; depth:63; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/wp-content/plugins/user-private-files/shared/"; depth:51; nocase; http.host; content:"direitopositivado.com.br"; 
depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"i.thietke.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"divifar.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo/wp-content/plugins/user-private-files/shared/"; depth:53; nocase; http.host; content:"konsaltakuatorial.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networkconnect/wp-content/plugins/user-private-files/shared/"; depth:61; nocase; http.host; content:"iswpcreator.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live"; depth:5; nocase; http.host; content:"grizmotras.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live"; depth:5; nocase; http.host; content:"pewwhranet.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"pgdm.my"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262528/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tangerang/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"tutycholid.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/model-2/wp-content/plugins/user-private-files/shared/"; depth:54; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"taifateule.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"upr.lk"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262523/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phatthanhnghia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"quotesparade.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262520/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_25; classtype:trojan-activity; sid:91262520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/user-private-files/shared/"; depth:49; nocase; http.host; content:"vegasnights.co.za"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"thayhoicoffee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideosphere.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"audio.daiphucminh.vn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262516/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_25; classtype:trojan-activity; sid:91262516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chocolate/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"milkganache.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"seraphyaromatherapy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"www.pansy-dz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262512/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideanet.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"reyadtours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262508/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_25; classtype:trojan-activity; sid:91262508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"devaccrocs.allianceconsultants.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"manbaulhudaasia.aliyy.my"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"yahyacarpet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epicure-traiteur/wp-content/plugins/user-private-files/shared/"; depth:63; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262504/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"i.thietke.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/wp-content/plugins/user-private-files/shared/"; depth:51; nocase; http.host; content:"direitopositivado.com.br"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"divifar.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262500/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo/wp-content/plugins/user-private-files/shared/"; depth:53; nocase; http.host; content:"konsaltakuatorial.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networkconnect/wp-content/plugins/user-private-files/shared/"; depth:61; nocase; http.host; content:"iswpcreator.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security_check/"; depth:16; nocase; http.host; content:"nlqbgkl5.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ad.msi"; depth:7; nocase; http.host; content:"45.95.11.217"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; 
sid:91262495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"wrankaget.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"jarinamaers.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"svif-venezuela.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"33moneycshlazim33.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trembolone.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262460; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsffhgm7.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262464; rev:1;) alert tcp $HOME_NET any -> [91.92.240.43] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneymaskalandd.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minjuthecutest.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262465; rev:1;) alert tcp $HOME_NET any -> [91.92.240.43] 2006 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262489; 
rev:1;) alert tcp $HOME_NET any -> [91.92.243.102] 1990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262490; rev:1;) alert tcp $HOME_NET any -> [89.185.30.66] 2006 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262491; rev:1;) alert tcp $HOME_NET any -> [45.88.90.46] 6969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262492; rev:1;) alert tcp $HOME_NET any -> [54.36.113.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262488; rev:1;) alert tcp $HOME_NET any -> [185.125.50.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262487; rev:1;) alert tcp $HOME_NET any -> [109.120.177.48] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262486; rev:1;) alert tcp $HOME_NET any -> [120.46.59.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262485; rev:1;) alert tcp $HOME_NET any -> [45.63.124.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262484; rev:1;) alert tcp $HOME_NET any -> [52.26.153.104] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262483; rev:1;) alert tcp $HOME_NET any -> [43.139.113.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262482; rev:1;) alert tcp $HOME_NET any -> [147.78.103.197] 4443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262481; rev:1;) alert tcp $HOME_NET any -> [46.246.80.7] 8000 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262480; rev:1;) alert tcp $HOME_NET any -> [193.92.65.11] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262479; rev:1;) alert tcp $HOME_NET any -> [13.126.220.163] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262478; rev:1;) alert tcp $HOME_NET any -> [84.249.120.228] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262477; rev:1;) alert tcp $HOME_NET any -> [18.253.226.108] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262476; rev:1;) alert tcp $HOME_NET any -> [18.253.226.108] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; 
classtype:trojan-activity; sid:91262475; rev:1;) alert tcp $HOME_NET any -> [5.42.85.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262474; rev:1;) alert tcp $HOME_NET any -> [18.118.8.124] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262473; rev:1;) alert tcp $HOME_NET any -> [142.93.142.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262472; rev:1;) alert tcp $HOME_NET any -> [89.117.172.225] 58895 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"119.186.205.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262470; rev:1;) alert tcp $HOME_NET any -> [45.15.156.9] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"88.214.27.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262467; rev:1;) alert tcp $HOME_NET any -> [88.214.27.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262468; rev:1;) alert tcp $HOME_NET any -> [45.15.156.9] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"cdn43.space"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"cdn43.space"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn43.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262284; rev:1;) alert tcp $HOME_NET any -> [138.124.180.84] 80 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; 
classtype:trojan-activity; sid:91262285; rev:1;) alert tcp $HOME_NET any -> [138.124.180.84] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"byvlsa.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-report.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"woocomnerce.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hollandtrees.com"; 
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262291; rev:1;) alert tcp $HOME_NET any -> [89.185.30.66] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.qngxgw.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262293; rev:1;) alert tcp $HOME_NET any -> [193.222.62.236] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; 
http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262278; rev:1;) alert tcp $HOME_NET any -> [94.232.45.77] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262453/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_25; classtype:trojan-activity; sid:91262453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcxwq1.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262277; rev:1;) alert tcp $HOME_NET any -> [91.92.252.234] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/__utm.gif"; depth:10; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262273; rev:1;) alert tcp $HOME_NET any -> [173.211.46.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.216.117.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262270; rev:1;) alert tcp $HOME_NET any -> [80.66.75.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"101.201.46.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"88.214.27.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"211.159.172.150"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromeupdate/shellex/default.php"; depth:33; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; 
content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.stylejason.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stylejason.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"mopelas.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262219/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262219; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kambarca.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"yedekleregldk.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262221/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"karaklpak.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262222/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"1.gamithou.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/login"; depth:6; nocase; http.host; content:"kuramaservices.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"78.40.116.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.92.254.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"158.220.106.37"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"51.38.70.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262253/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"89.117.151.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"57.129.16.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262252; rev:1;) alert tcp $HOME_NET any -> [46.246.4.2] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262251; rev:1;) alert tcp $HOME_NET any -> [185.172.128.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qax.gsldedie.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262248/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_25; classtype:trojan-activity; sid:91262248; rev:1;) alert tcp $HOME_NET any -> [170.106.169.138] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"qax.gsldedie.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262247; rev:1;) alert tcp $HOME_NET any -> [185.42.14.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvbtools.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documentid"; depth:11; nocase; http.host; content:"dvbtools.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262244/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.200.197.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262243; rev:1;) alert tcp $HOME_NET any -> [78.40.116.170] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youlovemedontyou.bounceme.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262241; rev:1;) alert tcp $HOME_NET any -> [209.14.69.249] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nocrynetworking.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262239; 
rev:1;) alert tcp $HOME_NET any -> [45.95.169.113] 4190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s.sushiking.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262237; rev:1;) alert tcp $HOME_NET any -> [139.59.156.81] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262231; rev:1;) alert tcp $HOME_NET any -> [159.203.9.75] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262232; rev:1;) alert tcp $HOME_NET any -> [159.223.220.220] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262233; rev:1;) alert tcp $HOME_NET any -> [161.35.210.154] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262234; rev:1;) alert tcp $HOME_NET any -> [174.138.51.159] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262235; rev:1;) alert tcp $HOME_NET any -> [174.138.51.232] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262236; rev:1;) alert tcp $HOME_NET any -> [64.23.232.47] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262223; rev:1;) alert tcp $HOME_NET any -> [64.23.251.7] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262224; rev:1;) alert tcp $HOME_NET any -> [64.23.251.20] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262225; rev:1;) alert tcp $HOME_NET any -> [64.225.17.60] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262226; rev:1;) alert tcp $HOME_NET any -> [64.226.124.214] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262227; rev:1;) alert tcp $HOME_NET any -> [68.183.48.122] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262228; rev:1;) alert tcp $HOME_NET any -> [138.197.90.26] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262229; rev:1;) alert tcp $HOME_NET any -> [139.59.41.182] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262230; rev:1;) alert tcp $HOME_NET any -> [128.199.180.45] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262215; 
rev:1;) alert tcp $HOME_NET any -> [138.68.97.101] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262216; rev:1;) alert tcp $HOME_NET any -> [138.68.97.171] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262217; rev:1;) alert tcp $HOME_NET any -> [146.190.135.213] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4track/testtrafficeternal/private3/secure7db/7private3/wordpresslocal/windows/cpuvoiddbtraffic/2base/providerexternalpipejavascriptupdatesqldbasynctemporary.php"; depth:161; nocase; http.host; content:"176.123.168.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1606aca9.php"; depth:13; nocase; http.host; content:"a0947291.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262213; rev:1;) alert tcp $HOME_NET any -> [45.95.169.113] 3190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"lsagjogu8ztaueghasdjsdigh.cc"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler.su"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kz.hitler.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pve.rebirthltd.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.rebirthltd.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1262205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.secure-network-rebirthltd.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.dev"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.rebirthltd.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-cyber-security-rebirthltd.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262193/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirth-network.su"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.rebirth-network.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adolfhitler.su"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262198; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kz.adolfhitler.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-core-rebirthltd.su"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.secure-core-rebirthltd.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuck-niggers.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262202; rev:1;) alert tcp $HOME_NET any -> [45.32.168.59] 6363 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262188; rev:1;) alert tcp $HOME_NET any -> [91.92.247.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262187; rev:1;) alert tcp $HOME_NET any -> [45.207.36.45] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262186; rev:1;) alert tcp $HOME_NET any -> [46.246.82.21] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262185; rev:1;) alert tcp $HOME_NET any -> [41.99.107.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262184; rev:1;) alert tcp $HOME_NET any -> [69.159.0.21] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262183; rev:1;) alert tcp $HOME_NET any -> [77.126.168.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262182; rev:1;) alert tcp $HOME_NET 
any -> [154.82.65.35] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262181; rev:1;) alert tcp $HOME_NET any -> [64.23.159.147] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262180; rev:1;) alert tcp $HOME_NET any -> [209.151.148.194] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262179; rev:1;) alert tcp $HOME_NET any -> [51.8.90.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262178; rev:1;) alert tcp $HOME_NET any -> [3.250.35.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262177; rev:1;) alert tcp $HOME_NET any -> [3.250.35.163] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262176/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_25; classtype:trojan-activity; sid:91262176; rev:1;) alert tcp $HOME_NET any -> [86.60.160.90] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262175; rev:1;) alert tcp $HOME_NET any -> [31.42.185.190] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262174; rev:1;) alert tcp $HOME_NET any -> [164.92.80.224] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262173; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262172; rev:1;) alert tcp $HOME_NET any -> [50.114.37.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262171; rev:1;) alert tcp $HOME_NET any -> [129.226.154.137] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1262170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262170; rev:1;) alert tcp $HOME_NET any -> [91.92.253.249] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262169; rev:1;) alert tcp $HOME_NET any -> [91.92.253.249] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262168; rev:1;) alert tcp $HOME_NET any -> [91.92.253.249] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262167; rev:1;) alert tcp $HOME_NET any -> [172.160.240.225] 7654 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262166; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262157; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12143 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262148; rev:1;) alert tcp $HOME_NET any -> [91.149.202.222] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262162; rev:1;) alert tcp $HOME_NET any -> [159.253.120.176] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262164; rev:1;) alert tcp $HOME_NET any -> [41.249.109.159] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262161; rev:1;) alert tcp $HOME_NET any -> [80.66.89.223] 38183 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"golovkcc.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fiash.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262156; rev:1;) alert tcp $HOME_NET any -> 
[18.158.249.75] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262155; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262154; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262153; rev:1;) alert tcp $HOME_NET any -> [45.148.120.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.148.120.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"193.32.179.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262149; rev:1;) alert tcp $HOME_NET any -> [193.32.179.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262150; rev:1;) alert tcp $HOME_NET any -> [95.169.196.22] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262139; rev:1;) alert tcp $HOME_NET any -> [185.196.11.177] 45 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262140; rev:1;) alert tcp $HOME_NET any -> [212.70.149.10] 35342 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262141; rev:1;) alert tcp $HOME_NET any -> [94.156.79.77] 3966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262142/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262142; rev:1;) alert tcp $HOME_NET any -> [2.58.95.123] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262143; rev:1;) alert tcp $HOME_NET any -> [94.156.79.155] 5958 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262144; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262145; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 12138 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/white-rock-progression/l3h0y5.php"; depth:52; nocase; http.host; content:"www.briccodeldente.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262110; rev:1;) 
alert tcp $HOME_NET any -> [82.205.72.17] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aboft7e.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/0srbuw.php"; depth:45; nocase; http.host; content:"dreamerz.vn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/msecgc.php"; depth:45; nocase; http.host; content:"www.savetheworldpodcast.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/vhpg2j.php"; depth:46; nocase; http.host; 
content:"retrobox.rocks"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sb9ivy.php"; depth:45; nocase; http.host; content:"djibek.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wavebysudryez.fr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262105; rev:1;) alert tcp $HOME_NET any -> [93.123.39.16] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262103; rev:1;) alert tcp $HOME_NET any -> [5.230.68.74] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262147/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262147; rev:1;) alert tcp $HOME_NET any -> [45.88.186.159] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262135; rev:1;) alert tcp $HOME_NET any -> [45.88.186.159] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262136; rev:1;) alert tcp $HOME_NET any -> [89.208.105.144] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262134; rev:1;) alert tcp $HOME_NET any -> [20.67.206.46] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262133; rev:1;) alert tcp $HOME_NET any -> [47.94.88.4] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262132; rev:1;) alert tcp $HOME_NET any -> [47.94.88.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262131; rev:1;) alert tcp $HOME_NET any -> [104.194.79.234] 8044 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262130; rev:1;) alert tcp $HOME_NET any -> [8.213.212.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262129; rev:1;) alert tcp $HOME_NET any -> [43.129.31.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262128; rev:1;) alert tcp $HOME_NET any -> [18.166.176.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262127; rev:1;) alert tcp $HOME_NET any -> [130.63.213.199] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262126; rev:1;) alert tcp $HOME_NET any -> [35.72.161.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262125/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_24; classtype:trojan-activity; sid:91262125; rev:1;) alert tcp $HOME_NET any -> [103.82.132.120] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262124; rev:1;) alert tcp $HOME_NET any -> [103.82.132.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262123; rev:1;) alert tcp $HOME_NET any -> [143.198.237.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262122; rev:1;) alert tcp $HOME_NET any -> [195.123.226.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262121; rev:1;) alert tcp $HOME_NET any -> [92.243.64.130] 28002 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262120; rev:1;) alert tcp $HOME_NET any -> [62.233.57.237] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1262119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262119; rev:1;) alert tcp $HOME_NET any -> [213.87.44.192] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262118; rev:1;) alert tcp $HOME_NET any -> [219.144.98.12] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262117; rev:1;) alert tcp $HOME_NET any -> [98.98.118.81] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262116; rev:1;) alert tcp $HOME_NET any -> [217.237.87.199] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternalprotectdbasync.php"; depth:34; nocase; http.host; content:"a0804818.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262114/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_24; classtype:trojan-activity; sid:91262114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.138.73.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dttao.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262104; rev:1;) alert tcp $HOME_NET any -> [193.233.132.139] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"20.106.253.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262101; rev:1;) alert tcp $HOME_NET any -> [185.62.58.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262100; rev:1;) alert tcp $HOME_NET any -> [82.153.64.23] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262099; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262006; rev:1;) alert tcp $HOME_NET any -> [139.162.178.159] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261864; 
rev:1;) alert tcp $HOME_NET any -> [78.40.117.167] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261863; rev:1;) alert tcp $HOME_NET any -> [139.99.133.66] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261862; rev:1;) alert tcp $HOME_NET any -> [139.99.133.66] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261861; rev:1;) alert tcp $HOME_NET any -> [146.70.198.22] 60129 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261860; rev:1;) alert tcp $HOME_NET any -> [187.135.122.191] 2022 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"hearthingdirecwi.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.211.228.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"18.162.61.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261858; rev:1;) alert tcp $HOME_NET any -> [18.162.61.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"3.139.18.182"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261855; rev:1;) alert tcp $HOME_NET any -> [3.139.18.182] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261854; rev:1;) alert tcp $HOME_NET any -> [202.146.220.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261853; rev:1;) alert tcp $HOME_NET any -> [123.249.36.186] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"116.205.188.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261851; rev:1;) alert tcp $HOME_NET any -> [116.205.188.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.130.70.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261849; rev:1;) alert tcp $HOME_NET any -> [8.130.70.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261848; rev:1;) alert tcp $HOME_NET any -> [101.34.87.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261846; rev:1;) alert tcp $HOME_NET any -> [165.227.108.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"167.71.242.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.227.108.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.55.199.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/query/info"; depth:11; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261840; rev:1;) alert tcp $HOME_NET any -> [47.92.131.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.13.86"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"107.150.47.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.3.1.252"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"172.247.44.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261835; rev:1;) alert tcp $HOME_NET any -> [173.211.46.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrew"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261833; rev:1;) alert tcp $HOME_NET any -> [61.240.29.215] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"61.240.29.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261831; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"91.92.242.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"35.221.150.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; depth:25; nocase; http.host; content:"65.20.107.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"129.204.169.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6qlmfr7s-1312562872.gz.tencentapigw.com.cn"; depth:50; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-6qlmfr7s-1312562872.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.130.30.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milu_image/"; depth:12; nocase; http.host; content:"18.166.113.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logo.gif"; depth:9; nocase; http.host; content:"berita-timur.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261822/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.157.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261820; rev:1;) alert tcp $HOME_NET any -> [156.224.20.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cm"; depth:3; nocase; http.host; content:"107.174.254.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.alipan.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.alipan.lol"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.172.159.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"20.2.202.15"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261813; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"bliblyuvblfds.work.gd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bliblyuvblfds.work.gd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedrive"; depth:9; nocase; http.host; content:"keolisgroup.azureedge.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; 
depth:12; nocase; http.host; content:"8.212.71.0"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.222.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/profile"; depth:13; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"139.155.134.117"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-j78tszan-1319584009.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261804/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_24; classtype:trojan-activity; sid:91261804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/product"; depth:8; nocase; http.host; content:"service-j78tszan-1319584009.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.50.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"129.204.169.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.102.7.180"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261799; rev:1;) alert tcp $HOME_NET any -> [23.102.7.180] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"berita-timur.kumbaraan.biz.id"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image"; depth:6; nocase; http.host; content:"berita-timur.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftupdate/shellex/kb242742/default.aspx"; depth:46; nocase; http.host; content:"192.227.152.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milu_image/"; depth:12; nocase; http.host; content:"www.614110.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261794/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261794; rev:1;) alert tcp $HOME_NET any -> [18.166.113.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261795; rev:1;) alert tcp $HOME_NET any -> [154.213.17.138] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.213.17.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fiash.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fiash.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261790/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"101.36.111.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261789; rev:1;) alert tcp $HOME_NET any -> [192.144.128.196] 1994 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.109.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"150.158.141.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"107.174.235.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261784; rev:1;) alert tcp $HOME_NET any -> [120.46.91.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.46.91.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261782; rev:1;) alert tcp $HOME_NET any -> [39.100.79.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.100.79.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261780; rev:1;) alert tcp $HOME_NET any -> [39.100.109.229] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"www.huawei.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalanda346.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakafsafndan5.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalanfgdfg.shop"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1261770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalaasdgtg.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261771; rev:1;) alert tcp $HOME_NET any -> [103.113.70.99] 2630 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.goelites.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261775; rev:1;) alert tcp $HOME_NET any -> [45.88.90.30] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"putin.zelenskyj.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261772/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zelenskyj.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"115.159.62.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261767; rev:1;) alert tcp $HOME_NET any -> [107.148.1.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"firmware-yrs-conflicts-favorites.trycloudflare.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firmware-yrs-conflicts-favorites.trycloudflare.com"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261765; rev:1;) alert tcp $HOME_NET any -> [93.123.85.131] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.netsyn.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.nodefunction.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eclp8oz0m8mxouv96hc9p7k2btydt3iv.click"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261759/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261759; rev:1;) alert tcp $HOME_NET any -> [45.88.90.30] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261755; rev:1;) alert tcp $HOME_NET any -> [45.88.90.17] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261756; rev:1;) alert tcp $HOME_NET any -> [89.169.55.166] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261757; rev:1;) alert tcp $HOME_NET any -> [91.92.240.43] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261758; rev:1;) alert tcp $HOME_NET any -> [5.42.66.10] 50505 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261754; rev:1;) alert tcp $HOME_NET any -> [45.150.64.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1261753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261753; rev:1;) alert tcp $HOME_NET any -> [95.179.190.134] 23954 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261752; rev:1;) alert tcp $HOME_NET any -> [96.70.92.177] 465 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261751; rev:1;) alert tcp $HOME_NET any -> [122.100.188.124] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261750; rev:1;) alert tcp $HOME_NET any -> [158.160.87.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261749; rev:1;) alert tcp $HOME_NET any -> [80.82.76.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261748; rev:1;) alert tcp $HOME_NET any -> [140.249.32.157] 4506 
(msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261747; rev:1;) alert tcp $HOME_NET any -> [123.57.183.22] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261746; rev:1;) alert tcp $HOME_NET any -> [101.200.197.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261745; rev:1;) alert tcp $HOME_NET any -> [47.116.170.61] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261744; rev:1;) alert tcp $HOME_NET any -> [45.156.23.149] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261226; rev:1;) alert tcp $HOME_NET any -> [45.156.23.186] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261227/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_24; classtype:trojan-activity; sid:91261227; rev:1;) alert tcp $HOME_NET any -> [193.176.190.43] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261228; rev:1;) alert tcp $HOME_NET any -> [193.242.145.129] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261229; rev:1;) alert tcp $HOME_NET any -> [195.211.124.144] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261230; rev:1;) alert tcp $HOME_NET any -> [194.116.214.7] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261231; rev:1;) alert tcp $HOME_NET any -> [46.246.14.10] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261740/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nano.anygreaterways.tech"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260928; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260989; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260990; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260998; rev:1;) alert tcp $HOME_NET any -> [154.53.42.53] 8847 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261000; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261006; rev:1;) alert tcp $HOME_NET any -> 
[3.6.98.232] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261007; rev:1;)
# NOTE(review): the "ip:port" rules below carry no flow keyword and no content match, so they fire on the
# first packet from $HOME_NET towards the listed IP:port (a lone, unanswered SYN included); the
# "threshold: type limit ... seconds 60, count 1" caps that at one alert per source host per 60 s.
# In the rules shown here, sid == "9" + the ThreatFox IOC id in the reference URL; pivot on that URL
# for the reporter context before blocking. This is a published feed: tune locally
# (threshold.config suppress / modify) rather than editing rule text here.
alert tcp $HOME_NET any -> [3.6.122.107] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261008; rev:1;)
alert tcp $HOME_NET any -> [3.6.30.85] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261009; rev:1;)
# NOTE(review): the "url" rules pin the Host header exactly (depth + isdataat:!1,relative) but anchor the
# URI with depth only, i.e. a prefix match: the URI may carry a query string or a longer path and still
# match. They also require flow:established,from_client, so unlike the ip:port rules they need a
# completed handshake and an actual HTTP request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/sf/1g3fvhte94"; depth:22; nocase; http.host; content:"60.205.245.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261742; rev:1;)
alert tcp $HOME_NET any -> [60.205.245.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261741; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.220] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261739; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261738; rev:1;)
# NOTE(review): "/load" with depth:5 and no isdataat is a prefix match ("/loader", "/load/x" and
# "/load?..." on the pinned host all alert). That is acceptable only because the host is an exact
# IP literal; do not loosen the host match on these two rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/300e6d86f44da037.php"; depth:21; nocase; http.host; content:"89.105.198.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"115.159.62.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261005; rev:1;)
# NOTE(review): 45.144.3.139 is covered twice (tcp/443 below and the GET /visit.js rule after it), as is
# 60.205.245.29 (tcp/443, tcp/80 and the /compare/sf/... url rules). One beacon can therefore raise two
# alerts from different sids; correlate on src_ip + dest_ip in the SIEM rather than counting alerts.
alert tcp $HOME_NET any -> [45.144.3.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.144.3.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261003; rev:1;)
alert tcp $HOME_NET any -> [60.205.245.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261002; rev:1;)
# NOTE(review): sid:91261001 duplicates the detection logic of sid:91261742 above (same GET
# /compare/sf/1g3fvhte94 to host 60.205.245.29; two separate ThreatFox IOC entries, 2024_04_23 and
# 2024_04_24). Every matching request raises both. If the duplicate alert is unwanted, suppress one
# locally instead of editing the feed, e.g. in threshold.config: suppress gen_id 1, sig_id 91261001
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/sf/1g3fvhte94"; depth:22; nocase; http.host; content:"60.205.245.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blockbeerman.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260999; rev:1;)
# NOTE(review): shared free-hosting platform; the rule pins the full subdomain plus the URI, so other
# sites on 000webhostapp.com are not matched. Block the subdomain, not the platform's IP space.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com"; depth:44; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/api144/9wp/imagevmcpubigloaddefault.php"; depth:42; nocase; http.host; content:"45.130.42.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260996; rev:1;)
# NOTE(review): confidence 75 and no flow/TLS match: any TCP packet from $HOME_NET to these IPs on 443
# alerts. Verify the IP is not shared with unrelated tenants before turning alert into drop.
alert tcp $HOME_NET any -> [193.37.69.112] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260994; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.19] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260995; rev:1;) alert tcp $HOME_NET any -> [45.129.199.246] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260991; rev:1;) alert tcp $HOME_NET any -> [62.60.130.8] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/include/rili/gate.php"; depth:22; nocase; http.host; content:"smartoffice-eg.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260987; rev:1;) alert tcp $HOME_NET any -> [47.96.107.37] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260986; rev:1;) alert tcp $HOME_NET any -> [213.252.247.202] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260985; rev:1;) alert tcp $HOME_NET any -> [213.252.247.202] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260984; rev:1;) alert tcp $HOME_NET any -> [156.195.128.36] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260983; rev:1;) alert tcp $HOME_NET any -> [128.90.103.36] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260982/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_23; classtype:trojan-activity; sid:91260982; rev:1;) alert tcp $HOME_NET any -> [85.97.168.208] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ef96e7190cc7acd.php"; depth:21; nocase; http.host; content:"185.161.248.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260980; rev:1;) alert tcp $HOME_NET any -> [185.229.237.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260979; rev:1;) alert tcp $HOME_NET any -> [94.156.68.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260978; rev:1;) alert tcp $HOME_NET any -> [94.156.68.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260977; rev:1;) alert tcp $HOME_NET any -> 
[172.247.44.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260975; rev:1;) alert tcp $HOME_NET any -> [154.198.194.220] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260976; rev:1;) alert tcp $HOME_NET any -> [117.72.39.83] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260974; rev:1;) alert tcp $HOME_NET any -> [117.72.65.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260973; rev:1;) alert tcp $HOME_NET any -> [148.135.46.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260971; rev:1;) alert tcp $HOME_NET any -> [148.135.46.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260972/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symposiumos.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260970; rev:1;) alert tcp $HOME_NET any -> [170.130.55.123] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260969; rev:1;) alert tcp $HOME_NET any -> [103.146.141.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260967; rev:1;) alert tcp $HOME_NET any -> [154.92.18.140] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260968; rev:1;) alert tcp $HOME_NET any -> [114.116.50.214] 59527 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260966; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 3036 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260965; rev:1;) alert tcp $HOME_NET any -> [101.36.117.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260964; rev:1;) alert tcp $HOME_NET any -> [18.144.30.84] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.614110.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260962; rev:1;) alert tcp $HOME_NET any -> [18.166.113.176] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260961; rev:1;) alert tcp $HOME_NET any -> [54.249.71.250] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260960/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260960; rev:1;) alert tcp $HOME_NET any -> [185.216.70.211] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260959; rev:1;) alert tcp $HOME_NET any -> [104.214.168.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260958; rev:1;) alert tcp $HOME_NET any -> [139.84.234.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260957; rev:1;) alert tcp $HOME_NET any -> [176.44.95.96] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260956; rev:1;) alert tcp $HOME_NET any -> [85.107.24.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260955; rev:1;) alert tcp $HOME_NET any -> [122.248.198.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260954; rev:1;) alert tcp $HOME_NET any -> [178.128.22.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260953; rev:1;) alert tcp $HOME_NET any -> [66.135.9.239] 3232 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260952; rev:1;) alert tcp $HOME_NET any -> [62.210.188.78] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260951; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260950; rev:1;) alert tcp $HOME_NET any -> [144.208.127.115] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260949; rev:1;) alert tcp 
$HOME_NET any -> [144.208.127.115] 37821 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260948; rev:1;) alert tcp $HOME_NET any -> [20.2.202.15] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260947; rev:1;) alert tcp $HOME_NET any -> [43.130.252.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.creativemedia.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260945; rev:1;) alert tcp $HOME_NET any -> [107.175.115.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260944; rev:1;) alert tcp $HOME_NET any -> [23.94.133.100] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"keolisgroup.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260942; rev:1;) alert tcp $HOME_NET any -> [138.68.87.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260941; rev:1;) alert tcp $HOME_NET any -> [139.9.35.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260940; rev:1;) alert tcp $HOME_NET any -> [139.196.174.180] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260939; rev:1;) alert tcp $HOME_NET any -> [139.196.154.253] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260938; rev:1;) alert tcp $HOME_NET any -> 
[123.57.58.184] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260937; rev:1;) alert tcp $HOME_NET any -> [123.57.58.184] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260936; rev:1;) alert tcp $HOME_NET any -> [121.199.43.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260935; rev:1;) alert tcp $HOME_NET any -> [120.25.2.115] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260934; rev:1;) alert tcp $HOME_NET any -> [59.110.126.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260933; rev:1;) alert tcp $HOME_NET any -> [47.120.63.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260932/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260932; rev:1;) alert tcp $HOME_NET any -> [47.120.32.46] 10152 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260931; rev:1;) alert tcp $HOME_NET any -> [47.117.156.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260930; rev:1;) alert tcp $HOME_NET any -> [47.98.251.131] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.146.50.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"112.124.34.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260926/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.137.108.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.243.59.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.101.37.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.139.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260918; rev:1;) alert tcp $HOME_NET any -> [43.153.202.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260917/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"api.rayob2.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.rayob2.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260916; rev:1;) alert tcp $HOME_NET any -> [8.137.93.215] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"8.210.236.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.50.188.167"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.147.132.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.117.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260908; rev:1;) alert tcp $HOME_NET any -> [42.193.117.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260909; rev:1;) alert tcp $HOME_NET any -> [43.136.176.207] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-ldzftvcf-1252123187.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ldzftvcf-1252123187.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260906; rev:1;) alert tcp $HOME_NET any -> [193.112.85.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"193.112.85.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260903; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260902; rev:1;)
# Rule shapes used in this feed (one rule per line; sid = 9 + ThreatFox IOC id):
#  - "url" rules: GET + http.uri prefix match (depth:N with no isdataat after it, so a
#    pattern such as "/cx" also matches "/cxyz"), anchored by an exact http.host match
#    (depth + isdataat:!1,relative). Host is what gives these rules their precision.
#  - "domain" rules: exact dns_query match; depth pins the content to the start of the
#    query name, so a subdomain such as www.<domain> does NOT match.
#  - "ip:port" rules: plain tcp rules with no flow: keyword, so a single SYN to the
#    listed IP:port is enough to alert; threshold caps this at one alert per source
#    per 60 s.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ku7vp6lj-1253504731.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ku7vp6lj-1253504731.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260901; rev:1;)
alert tcp $HOME_NET any -> [119.45.171.159] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260899; rev:1;)
# NOTE(review): sid 91260898 keys on a Host header of 10.31.16.216, an RFC 1918 private
# address. A beacon sending that value would normally be connecting to that same address,
# and with Suricata's shipped defaults ($HOME_NET covering the private ranges,
# $EXTERNAL_NET = !$HOME_NET) such a destination never satisfies the
# $HOME_NET -> $EXTERNAL_NET header, so the rule is effectively dead. In a deployment
# where the variables are widened it would instead fire on internal traffic to whichever
# host happens to carry that address. The IOC looks like a sandbox/lab artifact rather
# than internet-reachable C2 - confirm against the referenced ThreatFox entry before
# keeping it enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"10.31.16.216"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260898; rev:1;)
alert tcp $HOME_NET any -> [8.134.113.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"62.234.223.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.224.25.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260894; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/0cmp4e8sk1rgrjhc2ncnqf2u"; depth:42; nocase; http.host; content:"facelove.life"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facelove.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260892; rev:1;) alert tcp $HOME_NET any -> [101.201.54.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.76.153.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.130.118.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260886; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260885; rev:1;) alert tcp $HOME_NET any -> [101.33.192.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"43.141.50.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.51.156.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"117.187.245.242"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"43.141.11.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260880; rev:1;) alert tcp $HOME_NET any -> [139.144.33.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"38.107.146.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"39.104.28.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.55.36.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260875; rev:1;) alert tcp $HOME_NET any -> [120.55.36.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260876; rev:1;) alert tcp $HOME_NET any 
-> [119.45.171.159] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260874; rev:1;) alert tcp $HOME_NET any -> [43.136.38.59] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oa.dahuatec.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"oa.dahuatec.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260871; rev:1;) alert tcp $HOME_NET any -> [103.97.58.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.97.58.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.92.200.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260867; rev:1;) alert tcp $HOME_NET any -> [104.248.6.246] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"office365.homes"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260864/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.homes"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260865; rev:1;) alert tcp $HOME_NET any -> [38.34.166.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.34.166.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1260860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"37.27.11.209"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"100.40.180.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260856; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.229.200.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260855; rev:1;)
# NOTE(review): unlike the throwaway-looking names elsewhere in this feed, dr-hoefler.de
# reads like an ordinary business domain, and its URL rule (sid 91260852) keys on the
# generic-looking path "/jquery-3.3.1.min.js". If this is a compromised legitimate site
# rather than attacker-registered infrastructure, the bare-domain DNS rule (sid 91260853)
# will also fire on benign resolutions of it. Confirm against the referenced ThreatFox
# entry before using the DNS rule for blocking; note the URL rule is more precise but only
# sees cleartext HTTP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-hoefler.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260853; rev:1;)
alert tcp $HOME_NET any -> [46.101.137.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dr-hoefler.de"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.76.219.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.207.38.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.156.166.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"193.112.85.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.137.108.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"8.222.176.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260845; rev:1;) alert tcp $HOME_NET any -> [124.222.218.72] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260844; rev:1;) alert tcp $HOME_NET any -> [5.188.86.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_shop_active"; depth:16; nocase; http.host; content:"zx.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo"; depth:3; nocase; http.host; content:"as.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_shop_active"; depth:16; nocase; http.host; content:"qw.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260838; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"91.92.246.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; 
depth:5; nocase; http.host; content:"128.199.178.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260829; rev:1;) alert tcp $HOME_NET any -> [103.143.208.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260828; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xahoithongtins.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.5.6.min.js"; depth:20; nocase; http.host; content:"www.xahoithongtins.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.134.188.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260824; rev:1;) alert tcp $HOME_NET any -> [123.206.126.95] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260823/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260822; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260821; rev:1;) alert tcp $HOME_NET any -> [118.89.72.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260820; rev:1;) alert tcp $HOME_NET any -> [115.159.62.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260819; rev:1;) alert tcp $HOME_NET any -> [101.42.1.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260818; rev:1;) alert tcp $HOME_NET 
any -> [101.34.70.89] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260817; rev:1;) alert tcp $HOME_NET any -> [81.70.236.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260816; rev:1;) alert tcp $HOME_NET any -> [81.70.236.105] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260815; rev:1;) alert tcp $HOME_NET any -> [49.235.187.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260814; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260813; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260811; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260812; rev:1;) alert tcp $HOME_NET any -> [43.136.109.223] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260810; rev:1;) alert tcp $HOME_NET any -> [43.136.109.223] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260809; rev:1;) alert tcp $HOME_NET any -> [1.13.19.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260808; rev:1;) alert tcp $HOME_NET any -> [103.254.73.249] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260807; rev:1;) alert tcp $HOME_NET any -> [103.254.73.248] 63305 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260806; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260802; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260801; rev:1;) alert tcp $HOME_NET any -> [94.156.10.12] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260800; rev:1;) alert tcp $HOME_NET any -> [94.156.10.12] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260799/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260799; rev:1;) alert tcp $HOME_NET any -> [94.156.79.77] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.voidnet.click"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260560; rev:1;) alert tcp $HOME_NET any -> [217.15.168.60] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260579; rev:1;) alert tcp $HOME_NET any -> [158.51.96.17] 1025 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260574; rev:1;) alert tcp $HOME_NET any -> [185.102.172.136] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260575; rev:1;) alert tcp $HOME_NET any -> [188.212.100.60] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260576; rev:1;) alert tcp $HOME_NET any -> [193.187.174.244] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260577; rev:1;) alert tcp $HOME_NET any -> [209.141.44.84] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260578; rev:1;) alert tcp $HOME_NET any -> [45.128.232.210] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260567; rev:1;) alert tcp $HOME_NET any -> [45.131.64.78] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260568; rev:1;) alert tcp $HOME_NET any -> [82.165.230.58] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260569; rev:1;) alert tcp $HOME_NET any -> [91.92.252.74] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260570; rev:1;) alert tcp $HOME_NET any -> [94.156.79.33] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260571; rev:1;) alert tcp $HOME_NET any -> [149.56.79.119] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260572; rev:1;) alert tcp $HOME_NET any -> [152.42.239.228] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260573; rev:1;) alert tcp $HOME_NET any -> [2.58.95.133] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260561; rev:1;) alert tcp $HOME_NET any -> [15.204.18.234] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260562; rev:1;) alert tcp $HOME_NET any -> [15.235.149.59] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260563; rev:1;) alert tcp $HOME_NET any -> [15.235.149.123] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260564; rev:1;) alert tcp $HOME_NET any -> [37.114.56.22] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260565; rev:1;) alert tcp $HOME_NET any -> [45.128.232.12] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpacketupdateprotectdle.php"; depth:37; nocase; http.host; content:"212.109.196.215"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260558; rev:1;) alert tcp $HOME_NET any -> [65.191.34.123] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260518; rev:1;) alert tcp $HOME_NET any -> [188.49.116.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260528/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ipscanadvsf.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notionso.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260530; rev:1;) alert tcp $HOME_NET any -> [65.21.119.50] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pdftoconvert.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260533; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"toppdfconverter.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomis.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"faststaynow.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260556; rev:1;) alert tcp $HOME_NET any -> [147.78.103.228] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neger.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"neger.icu"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"methbot-proxy.pro"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"89.116.236.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"209.141.60.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; 
nocase; http.host; content:"195.181.164.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"74.91.116.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"135.148.57.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"51.81.104.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"93.123.85.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260545/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"2.58.95.81"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"93.123.85.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260544; rev:1;) alert tcp $HOME_NET any -> [45.136.15.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"45.136.15.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260542; rev:1;) alert tcp $HOME_NET any -> [101.42.228.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260540; rev:1;) alert tcp $HOME_NET any -> [148.135.72.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localuniversal/3dumpprocessor/gamewordpresstrack6/eternal4/flower8testdump/longpolllongpoll/securehttpwplocal.php"; depth:114; nocase; http.host; content:"82.146.61.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elastsolek21.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260531; rev:1;) alert tcp $HOME_NET any -> [106.75.174.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.75.104.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260526; rev:1;) alert tcp $HOME_NET any -> [45.136.15.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260525/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.136.15.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260524; rev:1;) alert tcp $HOME_NET any -> [139.196.174.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.196.174.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"webpoint.micromoto.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260521; rev:1;) alert tcp $HOME_NET any -> [148.135.72.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1260520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260519; rev:1;) alert tcp $HOME_NET any -> [91.92.245.231] 64418 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260517; rev:1;) alert tcp $HOME_NET any -> [193.35.18.127] 19286 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260515; rev:1;) alert tcp $HOME_NET any -> [91.92.241.122] 39361 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1260514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260514; rev:1;) alert tcp $HOME_NET any -> [45.142.212.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260513; rev:1;) alert tcp $HOME_NET any -> [94.156.64.148] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260512; rev:1;) alert tcp $HOME_NET any -> [23.254.144.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260511; rev:1;) alert tcp $HOME_NET any -> [43.198.238.210] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260510; rev:1;) alert tcp $HOME_NET any -> [117.72.38.14] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260509; rev:1;) alert tcp $HOME_NET any -> 
[104.214.168.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260508; rev:1;) alert tcp $HOME_NET any -> [117.72.64.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260507; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260506; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260505; rev:1;) alert tcp $HOME_NET any -> [151.30.238.53] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260504; rev:1;) alert tcp $HOME_NET any -> [189.175.199.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260503/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260503; rev:1;) alert tcp $HOME_NET any -> [103.215.80.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260502; rev:1;) alert tcp $HOME_NET any -> [3.76.124.183] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260501; rev:1;) alert tcp $HOME_NET any -> [45.55.38.40] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bimbro.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bohot.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"karl3on.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neuengi.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndearn.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almatac.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kartogra.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktayho.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260499/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aktayho.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redddog.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eralaunch.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soka101.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tenens.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kartogra.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"almatac.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ndearn.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"neuengi.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"karl3on.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bohot.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bimbro.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tenens.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soka101.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eralaunch.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"redddog.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260476; rev:1;) alert tcp $HOME_NET any -> [116.203.7.96] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260473; rev:1;) alert tcp $HOME_NET any -> [95.217.9.149] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260474; rev:1;) alert tcp $HOME_NET any -> [95.217.240.166] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260475; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260467; rev:1;) alert tcp $HOME_NET any -> [95.217.244.99] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260468; rev:1;) alert tcp $HOME_NET any -> [95.217.244.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260469; rev:1;) alert tcp $HOME_NET any -> [49.13.224.6] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260470; rev:1;) alert tcp $HOME_NET any -> [65.109.241.217] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260471; rev:1;) alert tcp $HOME_NET any -> [116.202.177.31] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.9.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.177.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260463; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.224.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199677575543"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/snsb82"; depth:7; 
nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260458; rev:1;) alert tcp $HOME_NET any -> [77.221.149.0] 5428 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/powershell/"; depth:21; nocase; http.host; content:"194.163.130.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260424; rev:1;) alert tcp $HOME_NET any -> [194.163.130.194] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260426; rev:1;) alert tcp $HOME_NET any -> [5.42.65.96] 28380 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260430; rev:1;) alert tcp $HOME_NET any -> [46.246.6.20] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260431; rev:1;) alert tcp $HOME_NET any -> [41.200.95.182] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wscript.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260453/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260453; rev:1;) alert tcp $HOME_NET any -> [91.92.252.191] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260454; rev:1;) alert tcp $HOME_NET any -> [91.92.252.238] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260455; rev:1;) alert tcp $HOME_NET any -> [103.95.97.149] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vre"; depth:4; nocase; http.host; content:"vjwmaster.duckdns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260451; rev:1;) alert tcp $HOME_NET any -> [91.92.250.88] 16964 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerjavascriptrequestupdate.php"; depth:36; nocase; http.host; content:"clientright.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/payment/54wa3c29/eblaghhh/confirm.php"; depth:54; nocase; http.host; content:"tech-1.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260446; rev:1;) alert tcp $HOME_NET any -> [185.11.145.254] 443 (msg:"ThreatFox IRATA botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260447/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260447; rev:1;) alert tcp $HOME_NET any -> [185.11.145.145] 443 (msg:"ThreatFox IRATA botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/"; depth:17; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/"; depth:21; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/data/6977722252/rat/140wa69z/"; depth:30; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/sms.php"; depth:37; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/id.txt"; depth:36; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/requests.php"; depth:42; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/contact.php"; 
depth:41; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdinsuranceapply-a0guehftc6fzegca.a03.azurefd.net"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260436; rev:1;) alert tcp $HOME_NET any -> [4.206.184.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mms.html"; depth:9; nocase; http.host; content:"tdinsuranceapply-a0guehftc6fzegca.a03.azurefd.net"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260433; rev:1;) alert tcp $HOME_NET any -> 
[23.94.169.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vgbashgdvgvbhkbjhqwrgrthyuj/hjqwretyuiopadshnjmklomfhbqaxinhgbfwrftgyujicn/iplkrtikfmjdnsbgatefv/yughghjbjgbjhsdgstgsdhysyryyrs/uhgbnte/five/fre.php"; depth:149; nocase; http.host; content:"91.92.253.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260429; rev:1;) alert tcp $HOME_NET any -> [91.188.254.6] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260428; rev:1;) alert tcp $HOME_NET any -> [181.214.147.25] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260427/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260427; rev:1;) alert tcp $HOME_NET any -> [77.221.151.32] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260425; rev:1;) alert tcp $HOME_NET any -> [120.46.39.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260423; rev:1;) alert tcp $HOME_NET any -> [60.204.232.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260422; rev:1;) alert tcp $HOME_NET any -> [123.207.16.205] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260421; rev:1;) alert tcp $HOME_NET any -> [47.113.219.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260420; rev:1;) alert tcp $HOME_NET any -> [85.99.83.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260419; rev:1;) alert tcp $HOME_NET any -> [157.20.182.102] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260418; rev:1;) alert tcp $HOME_NET any -> [45.87.155.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260417; rev:1;) alert tcp $HOME_NET any -> [77.232.143.114] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260416; rev:1;) alert tcp $HOME_NET any -> [165.22.72.160] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260415; rev:1;) alert tcp $HOME_NET any -> [43.154.80.163] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260414; rev:1;) alert 
tcp $HOME_NET any -> [109.123.252.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260413; rev:1;) alert tcp $HOME_NET any -> [109.120.178.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260412; rev:1;) alert tcp $HOME_NET any -> [45.79.123.66] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260411; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 2222 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260410; rev:1;) alert tcp $HOME_NET any -> [142.93.131.96] 43122 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; 
http.host; content:"94.156.79.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260408; rev:1;) alert tcp $HOME_NET any -> [107.175.229.136] 24775 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsappsecure.apk"; depth:19; nocase; http.host; content:"91.92.243.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260397; rev:1;) alert tcp $HOME_NET any -> [91.92.243.86] 8000 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260398; rev:1;) alert tcp $HOME_NET any -> [91.92.246.165] 443 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mypony.nl"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260401/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saat.apk"; depth:9; nocase; http.host; content:"91.92.246.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260396; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260125; rev:1;) alert tcp $HOME_NET any -> [175.178.160.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"jxvtcm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; 
content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"flashl.tw"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flashl.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260403; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 37732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260395; rev:1;) alert tcp $HOME_NET any -> [211.194.139.155] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260394; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260393/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dist2118.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loki/five/fre.php"; depth:18; nocase; http.host; content:"mypony.nl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260391; rev:1;) alert tcp $HOME_NET any -> [191.82.238.74] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260390; rev:1;) alert tcp $HOME_NET any -> [158.247.236.255] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260389; rev:1;) alert tcp $HOME_NET any -> [120.26.136.167] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; 
classtype:trojan-activity; sid:91260388; rev:1;) alert tcp $HOME_NET any -> [103.200.124.198] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260387; rev:1;) alert tcp $HOME_NET any -> [5.189.159.115] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260386; rev:1;) alert tcp $HOME_NET any -> [2.56.245.124] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webpoint.micromoto.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260384; rev:1;) alert tcp $HOME_NET any -> [64.227.107.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/3bbf"; depth:5; nocase; http.host; content:"www.stylejason.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260382; rev:1;) alert tcp $HOME_NET any -> [47.245.37.54] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260381; rev:1;) alert tcp $HOME_NET any -> [8.222.209.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260380; rev:1;) alert tcp $HOME_NET any -> [123.60.93.91] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hathawaya.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260378; rev:1;) alert tcp $HOME_NET any -> [47.104.213.26] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260377/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260377; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260375; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260376; rev:1;) alert tcp $HOME_NET any -> [20.222.185.152] 25651 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260072; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 73 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260073; rev:1;) alert tcp $HOME_NET any -> [94.228.168.60] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260074; rev:1;) alert tcp $HOME_NET any -> [206.189.49.14] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spagetti.openproxylist.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260124; rev:1;) alert tcp $HOME_NET any -> [93.123.39.96] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260122; rev:1;) alert tcp $HOME_NET any -> [20.222.185.152] 9999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260121; rev:1;) alert tcp $HOME_NET any -> [14.225.219.227] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260120; rev:1;) alert tcp $HOME_NET any -> [80.66.75.9] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; 
classtype:trojan-activity; sid:91260119; rev:1;) alert tcp $HOME_NET any -> [109.205.213.98] 59087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260118; rev:1;) alert tcp $HOME_NET any -> [221.150.78.215] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260117; rev:1;) alert tcp $HOME_NET any -> [138.197.71.186] 38721 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260116; rev:1;) alert tcp $HOME_NET any -> [82.156.188.211] 41209 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260115; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 15000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260114; rev:1;) alert tcp $HOME_NET any -> [124.220.212.252] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260113; rev:1;) alert tcp $HOME_NET any -> [80.66.75.52] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260112; rev:1;) alert tcp $HOME_NET any -> [147.78.47.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260111; rev:1;) alert tcp $HOME_NET any -> [45.32.100.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260110; rev:1;) alert tcp $HOME_NET any -> [80.112.42.92] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260109; rev:1;) alert tcp $HOME_NET any -> [2.58.56.99] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260108; rev:1;) alert tcp $HOME_NET any -> 
[94.156.64.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260107; rev:1;) alert tcp $HOME_NET any -> [94.156.64.152] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260106; rev:1;) alert tcp $HOME_NET any -> [123.127.192.55] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260105; rev:1;) alert tcp $HOME_NET any -> [103.26.77.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260104; rev:1;) alert tcp $HOME_NET any -> [213.1.229.142] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260103; rev:1;) alert tcp $HOME_NET any -> [193.142.146.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260102/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260102; rev:1;) alert tcp $HOME_NET any -> [197.119.238.232] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260101; rev:1;) alert tcp $HOME_NET any -> [95.165.149.124] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260100; rev:1;) alert tcp $HOME_NET any -> [77.221.151.21] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260099; rev:1;) alert tcp $HOME_NET any -> [116.203.15.80] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260098; rev:1;) alert tcp $HOME_NET any -> [77.105.162.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260097; rev:1;) alert tcp $HOME_NET any -> [193.222.96.234] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260096; rev:1;) alert tcp $HOME_NET any -> [45.85.117.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260095; rev:1;) alert tcp $HOME_NET any -> [38.180.142.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260094; rev:1;) alert tcp $HOME_NET any -> [5.182.210.52] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260093; rev:1;) alert tcp $HOME_NET any -> [93.123.85.91] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260092; rev:1;) alert tcp $HOME_NET any -> [5.42.92.89] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260091; rev:1;) alert tcp $HOME_NET any -> [94.98.233.242] 3460 (msg:"ThreatFox 
Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260090; rev:1;) alert tcp $HOME_NET any -> [94.98.235.90] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260089; rev:1;) alert tcp $HOME_NET any -> [41.46.230.155] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260088; rev:1;) alert tcp $HOME_NET any -> [172.111.139.205] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260087; rev:1;) alert tcp $HOME_NET any -> [24.24.236.97] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260086; rev:1;) alert tcp $HOME_NET any -> [172.111.139.88] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260085/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_22; classtype:trojan-activity; sid:91260085; rev:1;) alert tcp $HOME_NET any -> [172.111.159.146] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260084; rev:1;) alert tcp $HOME_NET any -> [103.125.189.138] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260083; rev:1;) alert tcp $HOME_NET any -> [72.202.37.223] 2181 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260082; rev:1;) alert tcp $HOME_NET any -> [139.162.49.139] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260081; rev:1;) alert tcp $HOME_NET any -> [134.209.99.16] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260080; rev:1;) alert tcp $HOME_NET any -> [45.142.215.143] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260079; rev:1;) alert tcp $HOME_NET any -> [45.142.213.91] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260078; rev:1;) alert tcp $HOME_NET any -> [109.107.171.138] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260077; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 9091 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260076; rev:1;) alert tcp $HOME_NET any -> [193.233.132.222] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"kh1.userjoy.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260070/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_22; classtype:trojan-activity; sid:91260070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kh1.userjoy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yamaxun.blog"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/v4.01/qgqtnora"; depth:25; nocase; http.host; content:"yamaxun.blog"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260068; rev:1;) alert tcp $HOME_NET any -> [171.80.235.140] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260067; rev:1;) alert tcp $HOME_NET any -> [47.98.97.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260066; rev:1;) alert tcp 
$HOME_NET any -> [80.133.66.162] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260065; rev:1;) alert tcp $HOME_NET any -> [45.74.46.58] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260064; rev:1;) alert tcp $HOME_NET any -> [167.71.105.169] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260063; rev:1;) alert tcp $HOME_NET any -> [3.105.212.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260062; rev:1;) alert tcp $HOME_NET any -> [207.231.109.20] 808 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260061; rev:1;) alert tcp $HOME_NET any -> [45.137.155.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260060/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_04_22; classtype:trojan-activity; sid:91260060; rev:1;) alert tcp $HOME_NET any -> [78.161.0.177] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260059; rev:1;) alert tcp $HOME_NET any -> [136.175.8.35] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260058; rev:1;) alert tcp $HOME_NET any -> [136.175.8.35] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260057; rev:1;) alert tcp $HOME_NET any -> [156.194.116.198] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig.exe"; depth:8; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260054; rev:1;) alert tcp $HOME_NET any -> [87.120.84.140] 80 (msg:"ThreatFox zgRAT payload 
delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260055; rev:1;) alert tcp $HOME_NET any -> [87.120.84.140] 7702 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptonrat.exe"; depth:15; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yk.exe"; depth:7; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260053; rev:1;) alert tcp $HOME_NET any -> [31.41.44.109] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.76"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.111"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1227169762392674387/1231867622568493086/ikacvgbsewoudhywk67.bin"; depth:76; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfekrthdtjivs63.bin"; depth:20; nocase; http.host; content:"172.93.222.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260044; rev:1;) alert tcp $HOME_NET any -> [172.93.222.219] 80 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1260045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260045; rev:1;) alert tcp $HOME_NET any -> [209.90.234.20] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/low70sql/updatecdn/lowtemporarypython/eternaluploads3geo/8/eternallinetracktemp.php"; depth:84; nocase; http.host; content:"185.221.198.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260043; rev:1;) alert tcp $HOME_NET any -> [45.141.87.215] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"1488.winstate.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-k43f6rw9-1308954353.kr.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6b789950.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6437cf8a.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccc.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"idc.sjys66.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260030; rev:1;)
#
# Reviewer notes on the rule shapes used by this feed (one rule per line;
# Suricata does not accept several rules on one physical line):
#  - dns rules: dns_query + content/depth/isdataat:!1,relative with depth equal
#    to the name length, so only the exact queried name matches (nothing before
#    or after it). Subdomains of a listed name do NOT match unless listed
#    separately, which is why e.g. sjys6.top, cdn.sjys6.top and pay.sjys6.top
#    each appear as their own rule. nocase makes the comparison case-insensitive.
#  - tcp rules: destination ip:port pair only. The threshold clause
#    "type limit, track by_src, seconds 60, count 1" caps alerting at one alert
#    per source host per minute, regardless of how many connections it makes.
#  - http rules: GET, http.uri prefix of the stated depth, and an exact
#    http.host match. A URI pattern of "/" with depth:1 is satisfied by every
#    request to that host, so those rules are effectively host-only. They need
#    cleartext HTTP; TLS traffic to the same server is only covered by a
#    matching ip:port tcp rule where one exists.
# target:src_ip marks the $HOME_NET side as the affected host in alert output,
# which is the intended reading for outbound C2 / payload-download traffic.
# confidence_level and first_seen carry the ThreatFox submission metadata; the
# reference URL points at the ThreatFox record for triage. sid = 9 + IOC id.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.de"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"744fbc05.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sjys6.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.sbs"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whcdn.sjys66.me"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ppa.sjys66.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbd9d414.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2762da3f.sjys6.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view.php"; depth:9; nocase; http.host; content:"radiotvcachay.cl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/locals.txt"; depth:11; nocase; http.host; content:"kurkcu-dukkani.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/personalmessage.php"; depth:20; nocase; http.host; content:"professionalwonders.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2345703467245762476247.txt"; depth:27; nocase; http.host; content:"extendaloan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260023; rev:1;)
alert tcp $HOME_NET any -> [194.99.21.34] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260018; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.38] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260019; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.100] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260017; rev:1;)
alert tcp $HOME_NET any -> [37.60.245.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260016; rev:1;)
alert tcp $HOME_NET any -> [47.109.137.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260015; rev:1;)
alert tcp $HOME_NET any -> [175.178.54.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260014; rev:1;)
alert tcp $HOME_NET any -> [3.13.191.225] 16969 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260004; rev:1;)
alert tcp $HOME_NET any -> [116.203.15.80] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260012; rev:1;)
alert tcp $HOME_NET any -> [23.88.47.9] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260013; rev:1;)
# The url rules below use http.uri "/" with depth:1, i.e. any request to the
# named host (an IP literal in the Host header) on cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.47.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260009; rev:1;)
alert tcp $HOME_NET any -> [116.202.190.202] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260010; rev:1;)
alert tcp $HOME_NET any -> [95.217.29.215] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.164.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260005; rev:1;)
alert tcp $HOME_NET any -> [172.160.240.225] 8976 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260003; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.15] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260002; rev:1;)
alert tcp $HOME_NET any -> [210.56.49.230] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260001; rev:1;)
alert tcp $HOME_NET any -> [203.189.234.25] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260000; rev:1;)
alert tcp $HOME_NET any -> [103.254.73.247] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259999; rev:1;)
alert tcp $HOME_NET any -> [51.68.169.120] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259998; rev:1;)
alert tcp $HOME_NET any -> [103.249.112.118] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91259997; rev:1;)
# confidence_level 50 entries: lower-confidence submissions; the ip:port match
# alone carries no protocol evidence, so expect a higher false-positive rate
# and triage against the reference URL before acting.
alert tcp $HOME_NET any -> [94.131.9.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259996; rev:1;)
alert tcp $HOME_NET any -> [31.129.98.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259995; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259994; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.189] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259993; rev:1;)
alert tcp $HOME_NET any -> [23.94.66.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259992; rev:1;)
alert tcp $HOME_NET any -> [8.212.183.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259991; rev:1;)
alert tcp $HOME_NET any -> [20.240.192.104] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259990/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259990; rev:1;)
alert tcp $HOME_NET any -> [199.192.192.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259989; rev:1;)
alert tcp $HOME_NET any -> [175.10.46.187] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259988; rev:1;)
alert tcp $HOME_NET any -> [69.159.0.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259987; rev:1;)
alert tcp $HOME_NET any -> [45.137.155.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259986; rev:1;)
alert tcp $HOME_NET any -> [146.190.60.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259985; rev:1;)
alert tcp $HOME_NET any -> [80.71.149.154] 8686 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259984; rev:1;)
alert tcp $HOME_NET any -> [94.6.155.2] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259983; rev:1;)
alert tcp $HOME_NET any -> [38.173.107.201] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259982; rev:1;)
alert tcp $HOME_NET any -> [61.182.130.108] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259981; rev:1;)
alert tcp $HOME_NET any -> [3.223.6.69] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259980; rev:1;)
alert tcp $HOME_NET any -> [185.99.133.34] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259970; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.69] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259958; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259968; rev:1;)
alert tcp $HOME_NET any -> [185.99.133.5] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259969; rev:1;)
alert tcp $HOME_NET any -> [185.99.133.18] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259971; rev:1;)
alert tcp $HOME_NET any -> [185.99.133.173] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259972; rev:1;)
# Non-ICANN TLDs (.dyn, .pirate): these names resolve only through alternative
# resolvers, so a dns_query hit for them from $HOME_NET is itself notable.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilioisbetter.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisisnotabotnet.pirate"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259974; rev:1;)
alert tcp $HOME_NET any -> [103.237.87.90] 999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259957; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.177] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259979; rev:1;)
alert tcp $HOME_NET any -> [162.55.134.240] 9001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bettertraffic2/cdn8secure/temporaryapivoiddb5/8uploads2/private/vm/dumpcpuprivate/protecttest3/externalimagevmjs.php"; depth:118; nocase; http.host; content:"185.43.4.41"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259978; rev:1;)
alert tcp $HOME_NET any -> [45.89.53.206] 4663 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259977; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.196] 1610 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjmkdc/five/fre.php"; depth:20; nocase; http.host; content:"91.92.253.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.56.180.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259966; rev:1;)
alert tcp $HOME_NET any -> [111.229.214.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrmregister/corptrial/get_permission"; depth:37; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/get_page_config"; depth:24; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"89.105.201.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259956; rev:1;)
alert tcp $HOME_NET any -> [185.112.249.40] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259955; rev:1;)
alert tcp $HOME_NET any -> [202.61.85.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259858; rev:1;)
alert tcp $HOME_NET any -> [202.61.85.57] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259857; rev:1;)
alert tcp $HOME_NET any -> [87.120.84.220] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259856; rev:1;)
alert tcp $HOME_NET any -> [45.77.177.125] 2053 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259855; rev:1;)
alert tcp $HOME_NET any -> [172.104.102.237] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259854; rev:1;)
alert tcp $HOME_NET any -> [61.128.153.112] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259853; rev:1;)
alert tcp $HOME_NET any -> [3.27.90.144] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apieventemitter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259843; rev:1;)
# The exact http.host match means arpsychotherapy.com, register.arpsychotherapy.com
# and vud.register.arpsychotherapy.com are three separate rules; no wildcard.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arpsychotherapy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vud.register.arpsychotherapy.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259842; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.161] 25561 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"register.arpsychotherapy.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259840; rev:1;)
alert tcp $HOME_NET any -> [103.174.73.190] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259837; rev:1;)
alert tcp $HOME_NET any -> [5.181.190.250] 1475 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sonicglyder.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illitluckygirl.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259813; rev:1;)
# under-wars.com is covered twice: the url rule (specific download path) and
# the dns rule further down (any lookup of the apex name).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/underwars.rar"; depth:24; nocase; http.host; content:"under-wars.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259825; rev:1;)
alert tcp $HOME_NET any -> [62.72.191.247] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"under-wars.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259811; rev:1;)
alert tcp $HOME_NET any -> [98.66.170.171] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259754; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ecurs.ro"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259757; rev:1;)
alert tcp $HOME_NET any -> [195.20.16.134] 46690 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259771; rev:1;)
# Note: the host below is a shared CDN; the rule is narrowed to one exact
# attachment path, so only that object (not the CDN as a whole) alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1231360292168929434/1231360436591399053/sonic-glyder.zip"; depth:69; nocase; http.host; content:"cdn.discordapp.com"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"beautyservicenearme.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cv76387.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259850; 
rev:1;) alert tcp $HOME_NET any -> [5.53.20.184] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259835; rev:1;) alert tcp $HOME_NET any -> [54.224.170.33] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259833; rev:1;) alert tcp $HOME_NET any -> [106.53.162.128] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259834; rev:1;) alert tcp $HOME_NET any -> [42.118.144.192] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259832; rev:1;) alert tcp $HOME_NET any -> [185.125.50.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259831; rev:1;) alert tcp $HOME_NET any -> [95.164.3.243] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259830; rev:1;) alert tcp $HOME_NET any -> [91.92.250.96] 6667 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259829; rev:1;) alert tcp $HOME_NET any -> [128.90.123.67] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259823; rev:1;) alert tcp $HOME_NET any -> [193.111.125.200] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259824; rev:1;) alert tcp $HOME_NET any -> [2.29.196.40] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259815; rev:1;) alert tcp $HOME_NET any -> [45.88.186.62] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259816; rev:1;) alert tcp $HOME_NET any -> [45.141.215.159] 8088 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259817; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 9004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259818; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259819; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259820; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259821; rev:1;) alert tcp $HOME_NET any -> [95.7.175.50] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; 
classtype:trojan-activity; sid:91259822; rev:1;) alert tcp $HOME_NET any -> [159.89.124.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259810/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_21; classtype:trojan-activity; sid:91259810; rev:1;) alert tcp $HOME_NET any -> [154.44.26.34] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259809; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 40032 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259808; rev:1;) alert tcp $HOME_NET any -> [103.234.72.70] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259807; rev:1;) alert tcp $HOME_NET any -> [103.195.6.60] 54230 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259806; rev:1;) alert tcp $HOME_NET any -> [89.187.28.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259805; rev:1;) alert tcp $HOME_NET any -> [107.150.47.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259804; rev:1;) alert tcp $HOME_NET any -> [54.169.155.216] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259803; rev:1;) alert tcp $HOME_NET any -> [185.216.117.38] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259802; rev:1;) alert tcp $HOME_NET any -> [23.133.216.223] 16993 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259801; rev:1;) alert tcp $HOME_NET any -> [154.29.149.248] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259800; rev:1;) alert tcp 
$HOME_NET any -> [144.34.170.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259799; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 50005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259798; rev:1;) alert tcp $HOME_NET any -> [185.236.231.201] 52589 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259797; rev:1;) alert tcp $HOME_NET any -> [62.204.41.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259795; rev:1;) alert tcp $HOME_NET any -> [62.204.41.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259796; rev:1;) alert tcp $HOME_NET any -> [154.3.1.252] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259794; rev:1;) alert tcp $HOME_NET any -> [185.62.56.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259793; rev:1;) alert tcp $HOME_NET any -> [172.121.5.230] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259792; rev:1;) alert tcp $HOME_NET any -> [154.204.178.55] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259791; rev:1;) alert tcp $HOME_NET any -> [146.70.188.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylejason.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infected2.ps1"; depth:14; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infect.ps1"; depth:11; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259787; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259785; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 50038 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hcy5bcw8-1317301829.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259784; rev:1;) 
alert tcp $HOME_NET any -> [154.205.138.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259783; rev:1;) alert tcp $HOME_NET any -> [206.166.251.32] 25568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259782; rev:1;) alert tcp $HOME_NET any -> [156.242.42.194] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.citriix.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259780; rev:1;) alert tcp $HOME_NET any -> [82.197.93.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259779; rev:1;) alert tcp $HOME_NET any -> [156.224.25.183] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259778; rev:1;) alert tcp $HOME_NET any -> [45.116.79.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259777; rev:1;) alert tcp $HOME_NET any -> [43.129.23.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259776; rev:1;) alert tcp $HOME_NET any -> [107.175.158.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259774; rev:1;) alert tcp $HOME_NET any -> [107.175.158.78] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259775; rev:1;) alert tcp $HOME_NET any -> [107.172.159.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259773; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 8888 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259772; rev:1;) alert tcp $HOME_NET any -> [47.89.225.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259770; rev:1;) alert tcp $HOME_NET any -> [47.76.153.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259769; rev:1;) alert tcp $HOME_NET any -> [8.218.236.5] 8062 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259768; rev:1;) alert tcp $HOME_NET any -> [8.217.10.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259767; rev:1;) alert tcp $HOME_NET any -> [120.46.201.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259766/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259766; rev:1;) alert tcp $HOME_NET any -> [123.57.167.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259765; rev:1;) alert tcp $HOME_NET any -> [47.120.46.170] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259764; rev:1;) alert tcp $HOME_NET any -> [47.97.29.241] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259763; rev:1;) alert tcp $HOME_NET any -> [47.96.72.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259762; rev:1;) alert tcp $HOME_NET any -> [47.92.221.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259761; rev:1;) alert tcp $HOME_NET any -> [8.137.114.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259760; rev:1;) alert tcp $HOME_NET any -> [150.158.13.117] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259759; rev:1;) alert tcp $HOME_NET any -> [1.13.175.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259755; rev:1;) alert tcp $HOME_NET any -> [64.188.18.137] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259753; rev:1;) alert tcp $HOME_NET any -> [195.10.205.79] 30525 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"34844.clmonth.nyashteam.ru"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259751; rev:1;) alert tcp $HOME_NET any -> [47.116.33.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259749; rev:1;) alert tcp $HOME_NET any -> [38.147.171.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; 
depth:5; nocase; http.host; content:"38.147.171.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259747; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 32934 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quotes-nl.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259746; rev:1;) alert tcp $HOME_NET any -> [162.252.175.197] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259743; rev:1;) alert tcp $HOME_NET any -> [162.252.175.197] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259744; rev:1;) alert tcp $HOME_NET any -> [71.88.240.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; 
classtype:trojan-activity; sid:91259742; rev:1;) alert tcp $HOME_NET any -> [172.104.172.74] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259741; rev:1;) alert tcp $HOME_NET any -> [185.150.26.240] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259740; rev:1;) alert tcp $HOME_NET any -> [45.137.155.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259739; rev:1;) alert tcp $HOME_NET any -> [15.222.252.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259738; rev:1;) alert tcp $HOME_NET any -> [31.220.80.82] 1234 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259737; rev:1;) alert tcp $HOME_NET any -> [34.142.80.46] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259736; rev:1;) alert tcp $HOME_NET any -> [141.195.112.200] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259735; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8085 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259734; rev:1;) alert tcp $HOME_NET any -> [85.204.116.161] 25565 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"other-tours.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259721; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259540; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 58503 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259542/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"basic-values.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259543; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 32481 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259720; rev:1;) alert tcp $HOME_NET any -> [2.58.95.131] 65337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259727; rev:1;) alert tcp $HOME_NET any -> [34.159.237.198] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259728; rev:1;) alert tcp $HOME_NET any -> [51.81.85.213] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259729/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259729; rev:1;) alert tcp $HOME_NET any -> [91.92.245.231] 56648 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"116.203.13.134"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1259538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.87.155"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1259539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259539; rev:1;) alert tcp $HOME_NET any -> [146.70.40.235] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259732/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_20; classtype:trojan-activity; sid:91259732; rev:1;) alert tcp $HOME_NET any -> [186.102.167.18] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259731; rev:1;) alert tcp $HOME_NET any -> [87.251.67.92] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259726; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259725; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259724; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259723; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259722; rev:1;) alert tcp $HOME_NET any -> [45.66.248.122] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259718; rev:1;) alert tcp $HOME_NET any -> [45.66.248.122] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259719; rev:1;) alert tcp $HOME_NET any -> [91.151.95.157] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259717; rev:1;) alert tcp $HOME_NET any -> [87.120.84.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259716; rev:1;) alert tcp $HOME_NET any -> [3.34.122.177] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259715; rev:1;) alert tcp $HOME_NET any -> [109.120.177.43] 80 
(msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259714; rev:1;) alert tcp $HOME_NET any -> [120.77.11.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259713; rev:1;) alert tcp $HOME_NET any -> [1.13.175.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259712; rev:1;) alert tcp $HOME_NET any -> [16.163.148.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259711; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259710; rev:1;) alert tcp $HOME_NET any -> [142.11.201.10] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259709/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259709; rev:1;) alert tcp $HOME_NET any -> [4.227.63.81] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259708; rev:1;) alert tcp $HOME_NET any -> [210.3.101.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259707; rev:1;) alert tcp $HOME_NET any -> [45.9.148.192] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259706; rev:1;) alert tcp $HOME_NET any -> [45.9.148.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.193.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259704; rev:1;) alert tcp $HOME_NET any -> [45.9.168.238] 1984 
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259544; rev:1;) alert tcp $HOME_NET any -> [83.196.78.85] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259541; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259536; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259537; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259535; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259534/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259534; rev:1;) alert tcp $HOME_NET any -> [91.92.255.61] 9817 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259532; rev:1;) alert tcp $HOME_NET any -> [194.187.251.115] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo2.jpg"; depth:14; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo.jpg"; depth:13; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"public-ftp.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259527/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo3.jpg"; depth:14; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzv3"; depth:5; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259531; rev:1;) alert tcp $HOME_NET any -> [118.89.125.171] 886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259528; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harassretunrstiwo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"productivelookewr.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tolerateilusidjukl.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shatterbreathepsw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shortsvelventysjo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259498/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"incredibleextedwj.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alcojoldwograpciw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liabilitynighstjsko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259501; rev:1;) alert tcp $HOME_NET any -> [193.222.96.128] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259504/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_20; classtype:trojan-activity; sid:91259504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demonstationfukewko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15.bat"; depth:7; nocase; http.host; content:"193.222.96.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security.apk"; depth:13; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securitypro.apk"; depth:16; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259509; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 7287 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securityvpro.apk"; depth:17; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gogi.bat"; depth:9; nocase; http.host; content:"193.222.96.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259516; rev:1;) alert tcp $HOME_NET any -> [101.78.63.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259521; rev:1;) alert tcp $HOME_NET any -> [193.222.96.114] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259519; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uphqey"; depth:7; nocase; http.host; content:"101.78.63.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259520; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 7772 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.collegeclubapparel.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259436/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"collegeclubapparel.com"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1259437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.blueberry-breeze.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blueberry-breeze.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259439; rev:1;) alert tcp $HOME_NET any -> [4.184.225.183] 30592 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259440; rev:1;) alert tcp $HOME_NET any -> [209.126.11.251] 31618 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnz5/"; depth:6; nocase; http.host; content:"www.blueberry-breeze.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259435/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259435; rev:1;) alert tcp $HOME_NET any -> [203.159.80.211] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259443; rev:1;) alert tcp $HOME_NET any -> [46.246.12.3] 2552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259447; rev:1;) alert tcp $HOME_NET any -> [46.246.84.16] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259448; rev:1;) alert tcp $HOME_NET any -> [94.156.65.182] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259452; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259449; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259450; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259457; rev:1;) alert tcp $HOME_NET any -> [204.76.203.103] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259453; rev:1;) alert tcp $HOME_NET any -> [204.76.203.223] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259454; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259456; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259458; rev:1;) 
# ip:port rules below: "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
# alert per internal source host per 60 s; "target:src_ip" marks the internal host as the affected side.
alert tcp $HOME_NET any -> [3.125.102.39] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259459; rev:1;)
# url rules pin the request exactly: the http.uri depth equals the path length, and the http.host depth
# together with "isdataat:!1,relative" rejects any longer host value; "nocase" is set on the uri content only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.101.4.196"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259460; rev:1;)
# NOTE(review): identical match conditions to sid 91259460 (GET /login on host 5.101.4.196); only the
# ThreatFox reference differs, so a single request raises both alerts. If that is noisy, suppress one sid
# locally rather than editing this generated feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.101.4.196"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259461; rev:1;)
# ip:port companion for the host matched by the two url rules above, on a different port (3790).
alert tcp $HOME_NET any -> [5.101.4.196] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259463; rev:1;)
# msg says "payload delivery" (a download URL) rather than C2, but the classtype stays trojan-activity
# like the rest of the feed, so it cannot be filtered apart by classtype alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259411/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnz5/"; depth:6; nocase; http.host; content:"www.collegeclubapparel.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259434/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259434; rev:1;) alert tcp $HOME_NET any -> [94.156.8.161] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259412; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259418; rev:1;) alert tcp $HOME_NET any -> [94.156.79.107] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259419; rev:1;) alert tcp $HOME_NET any -> [45.178.6.2] 8090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259420; rev:1;) alert tcp $HOME_NET any -> [195.62.32.227] 1337 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"go8et.lol"; depth:9; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1259165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259165; rev:1;) alert tcp $HOME_NET any -> [94.131.101.153] 80 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259166; rev:1;) alert tcp $HOME_NET any -> [94.131.101.153] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go8et.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uf.tispy.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"demonstationfukewko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259493/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilitynighstjsko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"alcojoldwograpciw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"incredibleextedwj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shortsvelventysjo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shatterbreathepsw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tolerateilusidjukl.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"productivelookewr.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"harassretunrstiwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259485; rev:1;) alert tcp $HOME_NET any -> [77.238.231.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259484/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259484; rev:1;) alert tcp $HOME_NET any -> [13.213.45.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259483; rev:1;) alert tcp $HOME_NET any -> [95.70.159.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259482; rev:1;) alert tcp $HOME_NET any -> [45.152.66.244] 58082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259481; rev:1;) alert tcp $HOME_NET any -> [117.72.74.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259480; rev:1;) alert tcp $HOME_NET any -> [45.32.111.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259479; rev:1;) alert tcp $HOME_NET any -> [46.246.80.2] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259478; rev:1;) alert tcp $HOME_NET any -> [49.1.239.101] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259477; rev:1;) alert tcp $HOME_NET any -> [5.15.236.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259476; rev:1;) alert tcp $HOME_NET any -> [187.213.203.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259475; rev:1;) alert tcp $HOME_NET any -> [64.225.31.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259474; rev:1;) alert tcp $HOME_NET any -> [185.64.247.78] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259473; rev:1;) alert tcp 
$HOME_NET any -> [31.220.80.82] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259472; rev:1;) alert tcp $HOME_NET any -> [43.143.170.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259471; rev:1;) alert tcp $HOME_NET any -> [45.76.190.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259470; rev:1;) alert tcp $HOME_NET any -> [109.120.178.253] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259469; rev:1;) alert tcp $HOME_NET any -> [3.33.182.244] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259468; rev:1;) alert tcp $HOME_NET any -> [3.146.206.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259467/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259467; rev:1;) alert tcp $HOME_NET any -> [54.145.56.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259466; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259465; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8088 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259464; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 33547 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipejavascriptwordpress.php"; depth:28; nocase; http.host; content:"betabag.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259455; rev:1;) alert tcp $HOME_NET 
any -> [147.45.47.112] 17752 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259451; rev:1;) alert tcp $HOME_NET any -> [116.203.6.63] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomthf/cvghx/five/fre.php"; depth:26; nocase; http.host; content:"94.156.65.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259445; rev:1;) alert tcp $HOME_NET any -> [41.142.212.85] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvm_cpugamewindows.php"; depth:30; nocase; http.host; content:"109.107.182.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259441; 
rev:1;) alert tcp $HOME_NET any -> [173.44.141.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259432; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259430; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; 
sid:91259429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"172.247.189.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"zj.court.cn.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zj.court.cn.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"109.120.178.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259424; rev:1;) alert tcp $HOME_NET any -> [109.120.178.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259425; rev:1;) alert tcp $HOME_NET any -> [175.178.160.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"jxvtcm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jxvtcm.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259422; rev:1;) alert tcp $HOME_NET any -> [64.227.147.74] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259415; rev:1;) alert tcp $HOME_NET any -> [146.19.143.84] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259416; rev:1;) alert tcp $HOME_NET any -> [91.149.219.102] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259417/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259417; rev:1;) alert tcp $HOME_NET any -> [66.63.188.141] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259413; rev:1;) alert tcp $HOME_NET any -> [185.112.249.13] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e609f91d.php"; depth:13; nocase; http.host; content:"a0938829.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259409; rev:1;) alert tcp $HOME_NET any -> [95.164.117.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259408; rev:1;) alert tcp $HOME_NET any -> [139.99.64.79] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259407; rev:1;) alert tcp $HOME_NET any -> [157.230.222.248] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259406; rev:1;) alert tcp $HOME_NET any -> [64.23.216.132] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259405; rev:1;) alert tcp $HOME_NET any -> [97.74.89.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259404; rev:1;) alert tcp $HOME_NET any -> [46.246.80.2] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259403; rev:1;) alert tcp $HOME_NET any -> [187.170.75.34] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259402; rev:1;) alert tcp $HOME_NET any -> [151.48.149.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259401; rev:1;) alert tcp $HOME_NET any -> [41.97.160.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259400; rev:1;) alert tcp $HOME_NET any -> [77.126.182.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259399; rev:1;) alert tcp $HOME_NET any -> [34.92.143.66] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259398; rev:1;) alert tcp $HOME_NET any -> [91.225.218.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259397; rev:1;) alert tcp $HOME_NET any -> [45.153.229.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259396; rev:1;) alert tcp $HOME_NET any -> [101.43.211.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259395; rev:1;) alert tcp $HOME_NET any -> [54.66.9.58] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259394; rev:1;) alert tcp $HOME_NET any -> [45.121.50.136] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259393; rev:1;) alert tcp $HOME_NET any -> [62.169.23.231] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259392; rev:1;) alert tcp $HOME_NET any -> [138.68.189.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259391; rev:1;) alert tcp $HOME_NET any -> [45.33.116.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259390; rev:1;) alert tcp $HOME_NET any -> [193.36.119.250] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259389; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"co29474.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs3p"; depth:5; nocase; http.host; content:"47.120.39.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.120.39.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259171; rev:1;)
# The /cx rule above (like /gs3p before it) anchors only the start of the URI (depth:3, no isdataat after
# the content), so it is a prefix match; it stays precise only because http.host is pinned to 47.120.39.182.
# Same host on a non-standard port, labelled Meterpreter by the feed; with no flow:/content keywords any TCP
# packet to 47.120.39.182:63306 alerts (threshold caps this at one alert per source per 60 s).
alert tcp $HOME_NET any -> [47.120.39.182] 63306 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259170; rev:1;)
# 185.73.124.164 is listed on 25, 80 and 443 here and on 2525, 993 and 3389 further down, one rule per IOC.
# Each is a bare ip:port match with no flow keyword, so a single failed connect (e.g. an SMTP attempt from a
# mail relay) is enough to alert; check the reference URL before treating these as blocking-grade.
alert tcp $HOME_NET any -> [185.73.124.164] 25 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259041; rev:1;)
alert tcp $HOME_NET any -> [185.73.124.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259039; rev:1;)
alert tcp $HOME_NET any -> [185.73.124.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259040; rev:1;)
# Payload-delivery URL rule; the exact http.host match (depth + isdataat) continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host;
content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"go8et.lol"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259019; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259042; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 993 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259043; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.oyoing.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259118/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259118; rev:1;) alert tcp $HOME_NET any -> [184.49.69.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.tyaer.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259120/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.megabet303.lol"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259116/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.tyaer.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259117/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259117; rev:1;)
# The /gnbc/ path above also appears with www.oyoing.com and www.megabet303.lol in the preceding rules, which
# suggests one campaign behind the three hosts (inferred from the shared path only; confirm via the
# reference URLs).
# DNS rules: depth equal to the name length plus isdataat:!1,relative make each one an exact whole-name
# match, which is why the apex and the www. label each need their own rule (sids 91259119/91259122 for
# megabet303.lol, 91259121/91259124 for oyoing.com, 91259120/91259123 for tyaer.com). Any other subdomain
# will not fire. A locally maintained variant that drops depth and matches ".megabet303.lol" end-anchored
# with isdataat:!1,relative would cover arbitrary subdomains, at some false-positive cost.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.megabet303.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259119/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.oyoing.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259121/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"megabet303.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tyaer.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oyoing.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase;
reference:url, threatfox.abuse.ch/ioc/1259124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259124; rev:1;)
# NOTE(review): the "url" IOC below is a bare hostname, so the generated rule puts the host in http.uri and
# has no http.host clause at all. http.uri holds the request-target, which in ordinary client requests
# begins with "/" (and in absolute-form requests with the scheme, as far as I can tell from Suricata's
# normalized buffer), so a URI that starts with the hostname at depth:19 is unlikely to occur and this rule
# is not expected to fire. Treat the dns rule (sid 91259159) as the effective detection for this IOC and
# report the generated rule upstream via the reference URL rather than patching the feed locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jemyy.theworkpc.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1259158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jemyy.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259159; rev:1;)
# Same pattern as above with an IP literal in http.uri and no http.host clause; the ip:port rule that
# follows (sid 91259160, port 1604) is the effective detection for this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.108"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1259161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259161; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.108] 1604 (msg:"ThreatFox Houdini botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259160; rev:1;)
alert tcp $HOME_NET any -> [109.248.151.106] 5401 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19;
classtype:trojan-activity; sid:91259162; rev:1;) alert tcp $HOME_NET any -> [206.237.6.174] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259157; rev:1;) alert tcp $HOME_NET any -> [193.222.96.128] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259156; rev:1;) alert tcp $HOME_NET any -> [193.222.96.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259155; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259152; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259153; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1259154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259154; rev:1;) alert tcp $HOME_NET any -> [112.65.51.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259149; rev:1;) alert tcp $HOME_NET any -> [121.36.248.151] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259150; rev:1;) alert tcp $HOME_NET any -> [121.40.222.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259151; rev:1;) alert tcp $HOME_NET any -> [47.95.158.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259147; rev:1;) alert tcp $HOME_NET any -> [101.42.51.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259148; rev:1;) alert tcp 
$HOME_NET any -> [45.152.64.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259146; rev:1;) alert tcp $HOME_NET any -> [177.102.67.47] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259145; rev:1;) alert tcp $HOME_NET any -> [108.46.243.201] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259144; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 1688 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259139; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259140; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259141; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2061 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259142; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259143; rev:1;) alert tcp $HOME_NET any -> [187.135.93.204] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259138; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 1933 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259134; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259135; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2095 (msg:"ThreatFox 
DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259136; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259137; rev:1;) alert tcp $HOME_NET any -> [81.136.90.1] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259133; rev:1;) alert tcp $HOME_NET any -> [196.74.150.120] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259132; rev:1;) alert tcp $HOME_NET any -> [198.23.227.175] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259131; rev:1;) alert tcp $HOME_NET any -> [172.111.169.67] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259130/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_19; classtype:trojan-activity; sid:91259130; rev:1;) alert tcp $HOME_NET any -> [172.111.148.95] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259129; rev:1;) alert tcp $HOME_NET any -> [148.163.101.182] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259128; rev:1;) alert tcp $HOME_NET any -> [128.90.103.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259127; rev:1;) alert tcp $HOME_NET any -> [87.121.105.252] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259126; rev:1;) alert tcp $HOME_NET any -> [46.246.80.12] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259125; rev:1;) alert tcp $HOME_NET any -> [45.88.90.224] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1259115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259115; rev:1;) alert tcp $HOME_NET any -> [91.92.255.248] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gardeniasupplies.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259113; rev:1;) alert tcp $HOME_NET any -> [79.132.128.96] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259111; rev:1;) alert tcp $HOME_NET any -> [79.132.128.96] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259112; rev:1;) alert tcp $HOME_NET any -> [77.221.151.31] 4444 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259110; rev:1;) alert tcp $HOME_NET 
any -> [83.97.73.157] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259108; rev:1;) alert tcp $HOME_NET any -> [83.97.73.157] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259109; rev:1;) alert tcp $HOME_NET any -> [206.188.197.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259107; rev:1;) alert tcp $HOME_NET any -> [18.217.214.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259106; rev:1;) alert tcp $HOME_NET any -> [13.40.36.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259105; rev:1;) alert tcp $HOME_NET any -> [3.71.70.1] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259104; rev:1;) alert tcp $HOME_NET any -> [89.251.22.32] 14791 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259103; rev:1;) alert tcp $HOME_NET any -> [209.222.0.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259102; rev:1;) alert tcp $HOME_NET any -> [45.76.178.151] 47889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259101; rev:1;) alert tcp $HOME_NET any -> [20.68.131.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259100; rev:1;) alert tcp $HOME_NET any -> [4.191.74.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259098; rev:1;) alert tcp $HOME_NET any -> [4.191.74.1] 3306 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259099; rev:1;) alert tcp $HOME_NET any -> [47.237.26.206] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259095; rev:1;) alert tcp $HOME_NET any -> [47.242.4.42] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259096; rev:1;) alert tcp $HOME_NET any -> [147.139.7.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259097; rev:1;) alert tcp $HOME_NET any -> [8.210.32.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259092; rev:1;) alert tcp $HOME_NET any -> [8.218.8.26] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259093/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259093; rev:1;) alert tcp $HOME_NET any -> [8.218.21.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259094; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259085; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259086; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259087; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259088; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259089; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259090; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259091; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259077; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259078; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259079/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259079; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259080; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259081; rev:1;) alert tcp $HOME_NET any -> [168.76.120.117] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259082; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259083; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259084; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259074; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259075; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259076; rev:1;) alert tcp $HOME_NET any -> [168.76.255.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259073; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259069; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259070/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91259070; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259071; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259072; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259067; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259068; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259062; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259063; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259064; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259065; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259066; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259056; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259057; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259058; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259059; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259060; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259061; rev:1;) alert tcp $HOME_NET any -> [157.230.254.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259055; rev:1;) alert tcp $HOME_NET any -> [128.199.207.8] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259054; rev:1;) alert tcp $HOME_NET any -> [121.37.41.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259053; rev:1;) alert tcp $HOME_NET any -> [121.40.67.130] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259052; rev:1;) alert tcp $HOME_NET any -> [143.244.162.41] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259051; rev:1;) alert tcp $HOME_NET any -> [120.24.171.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259050; rev:1;) alert tcp $HOME_NET any -> [101.37.13.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259049; rev:1;) alert tcp $HOME_NET 
any -> [47.120.12.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259048; rev:1;) alert tcp $HOME_NET any -> [47.120.10.216] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259047; rev:1;) alert tcp $HOME_NET any -> [47.113.194.22] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259046; rev:1;) alert tcp $HOME_NET any -> [47.113.104.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259038; rev:1;) alert tcp $HOME_NET any -> [47.101.37.46] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259037; rev:1;) alert tcp $HOME_NET any -> [47.100.244.166] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259036; rev:1;) alert tcp $HOME_NET any -> [39.108.234.47] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign.mpeg"; depth:10; nocase; http.host; content:"easthoolbook.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259034; rev:1;) alert tcp $HOME_NET any -> [211.159.172.150] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259033; rev:1;) alert tcp $HOME_NET any -> [159.75.111.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-33y2vp0r-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259031/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259031; rev:1;) alert tcp $HOME_NET any -> [150.158.107.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259029; rev:1;) alert tcp $HOME_NET any -> [150.158.107.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259030; rev:1;) alert tcp $HOME_NET any -> [129.204.169.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259028; rev:1;) alert tcp $HOME_NET any -> [124.221.95.96] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"94.156.71.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259026; rev:1;) alert tcp $HOME_NET 
any -> [122.51.81.205] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259025; rev:1;) alert tcp $HOME_NET any -> [43.142.170.25] 5901 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259023; rev:1;) alert tcp $HOME_NET any -> [43.142.170.25] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259024; rev:1;) alert tcp $HOME_NET any -> [43.136.220.38] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsbhn.js"; depth:9; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.176.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.178.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.197.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"37.221.93.9"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"svma.arcovip.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"it13.intelvpn.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"ftp.huboftest.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.60.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mahdi.intelvpn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"sam.coinmarketcap-tm.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259008; rev:1;) alert tcp $HOME_NET any -> [78.142.18.109] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259006/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259006; rev:1;) alert tcp $HOME_NET any -> [116.203.164.39] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259005/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259005; rev:1;) alert tcp $HOME_NET any -> [116.203.164.39] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voiddbproviderserver6/auth/uploads/centralcentralline/7eternal/2_/temp/toupdategameflowertemporary.php"; depth:103; nocase; http.host; content:"minecrafthyipixel.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259003; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 29989 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259002; rev:1;) alert tcp $HOME_NET any -> [52.37.96.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.installbootstrap.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; 
content:"www.installbootstrap.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258999; rev:1;) alert tcp $HOME_NET any -> [149.104.24.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.0.min.js"; depth:20; nocase; http.host; content:"149.104.24.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258997; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.130.34.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsbhn.js"; depth:9; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.46.91.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258993; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258992; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258991; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"test.ravec2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"visit.startfinishthis.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killler.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy.heleh.vn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.vptmedia.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.paintmc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yeuemvcl.cltxhot.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.ubnutu.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lon.vani.ovh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loz.vani.ovh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91258982; rev:1;) alert tcp $HOME_NET any -> [93.123.85.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killler.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomacamada.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258977; rev:1;) alert tcp $HOME_NET any -> [57.128.155.22] 8895 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258969; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8896 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258970; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8895 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258971; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8890 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rootme.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooty.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258964; rev:1;) alert tcp $HOME_NET any -> [43.138.222.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258965/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.218.236.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g88sks2sam/index.php"; depth:21; nocase; http.host; content:"91.202.233.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258962; rev:1;) alert tcp $HOME_NET any -> [94.131.107.85] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258961; rev:1;) alert tcp $HOME_NET any -> [94.156.79.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258960; rev:1;) alert tcp $HOME_NET any -> [188.166.138.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258959/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258959; rev:1;) alert tcp $HOME_NET any -> [178.128.196.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258958; rev:1;) alert tcp $HOME_NET any -> [146.56.237.36] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258957; rev:1;) alert tcp $HOME_NET any -> [93.95.231.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258956; rev:1;) alert tcp $HOME_NET any -> [46.246.12.2] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258955; rev:1;) alert tcp $HOME_NET any -> [41.96.151.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258954; rev:1;) alert tcp $HOME_NET any -> [137.184.61.218] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258953; rev:1;) alert tcp $HOME_NET any -> [35.89.154.15] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258952; rev:1;) alert tcp $HOME_NET any -> [194.87.106.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258951; rev:1;) alert tcp $HOME_NET any -> [178.128.134.221] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258950; rev:1;) alert tcp $HOME_NET any -> [138.197.134.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258949; rev:1;) alert tcp $HOME_NET any -> [20.186.89.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258948; rev:1;) alert tcp $HOME_NET any -> 
[151.236.16.48] 47163 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258947; rev:1;) alert tcp $HOME_NET any -> [194.87.252.12] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258946; rev:1;) alert tcp $HOME_NET any -> [121.43.94.2] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258945; rev:1;) alert tcp $HOME_NET any -> [43.140.251.2] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258944; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258937; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258938/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91258938; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258939; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258940; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258941; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0945069.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"esdjasd.maxkrnldc.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"43.143.168.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/panel/five/fre.php"; depth:57; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/panel/five/fre.php"; depth:57; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258933; rev:1;) alert tcp $HOME_NET any -> [103.186.117.171] 1188 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258932; rev:1;) alert tcp $HOME_NET any -> [134.122.109.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258931; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258930; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258929; rev:1;) alert tcp $HOME_NET any -> [114.55.100.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258928; rev:1;) alert tcp $HOME_NET any -> [122.51.79.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258927; rev:1;) alert tcp $HOME_NET any -> [94.156.10.208] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258926; rev:1;) alert tcp $HOME_NET any -> [188.48.107.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258925; rev:1;) alert tcp $HOME_NET any -> [41.129.161.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258924; rev:1;) alert tcp $HOME_NET any -> [8.137.171.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258923; rev:1;) alert tcp $HOME_NET any -> [185.140.12.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258922; rev:1;) alert tcp $HOME_NET any -> [191.96.1.195] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258921; rev:1;) alert tcp $HOME_NET any -> [162.252.175.170] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258920; rev:1;) alert tcp $HOME_NET any -> [203.96.177.103] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258919; rev:1;) alert tcp $HOME_NET any -> [89.175.170.211] 1720 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258918; rev:1;) alert tcp $HOME_NET any -> [39.173.112.177] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258917; rev:1;) alert tcp $HOME_NET any -> [185.170.144.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258916; rev:1;) alert tcp $HOME_NET any -> [159.100.6.45] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258915; rev:1;) alert tcp $HOME_NET any -> [31.129.57.189] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258914; rev:1;) alert tcp $HOME_NET any -> [172.104.110.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258913; rev:1;) alert tcp $HOME_NET any -> [174.138.179.149] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258912; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258911; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258910/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_18; classtype:trojan-activity; sid:91258910; rev:1;) alert tcp $HOME_NET any -> [188.208.197.140] 5906 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theatergenerationju.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258697; rev:1;) alert tcp $HOME_NET any -> [103.79.76.40] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258698; rev:1;) alert tcp $HOME_NET any -> [103.201.130.11] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258699; rev:1;) alert tcp $HOME_NET any -> [37.27.87.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258694; rev:1;) alert tcp $HOME_NET any -> [23.88.47.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.47.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.87.155"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkbfjbvzspkeqfs/hachgecttvyetqz.php"; depth:36; nocase; http.host; content:"38.180.94.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258656/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkbfjbvzspkeqfs/hachgecttvyetqz.php"; depth:36; nocase; http.host; content:"15731.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258657/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258657; rev:1;) alert tcp $HOME_NET any -> [38.180.94.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258658/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"15731.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258659/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.slationo.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258660/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"www.slationo.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258661/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"slationo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258662/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258662; rev:1;) alert tcp $HOME_NET any -> 
[194.110.172.149] 7705 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258686; rev:1;) alert tcp $HOME_NET any -> [183.238.22.22] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258691/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258691; rev:1;) alert tcp $HOME_NET any -> [124.71.37.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258689; rev:1;) alert tcp $HOME_NET any -> [45.129.199.161] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258688/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258688; rev:1;) alert tcp $HOME_NET any -> [178.208.87.204] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258687/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_18; classtype:trojan-activity; sid:91258687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258684/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.250.45.130"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.214.98.73"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.96.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.222.96.186"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"20.55.63.136"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258680/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.133.51.234"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"3.79.194.172"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"35.246.183.49"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.48.251.136"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"134.122.109.15"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.202.233.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"107.173.140.104"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1258674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.216.51.35"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.125"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.61.80.57"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258671; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.211"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.146.185"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.255.105"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1258667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.33.191.105"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.210"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258666; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.254.16"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.78.103.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258655; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258653; rev:1;) alert tcp $HOME_NET any -> [123.207.50.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258652; rev:1;) alert tcp $HOME_NET any -> [146.70.86.229] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258651; rev:1;) alert tcp $HOME_NET any -> [146.70.86.229] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chotsolo2nhay.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"countdownx.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dfyaudiobookprofits.info"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"difik.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exchangezone.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fins.info"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gcoat.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glowchamps.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258630/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_18; classtype:trojan-activity; sid:91258630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"impressionzone.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"islandbooking.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"istanbook.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lightmecha.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maramoja.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"mesdemarches.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mezcallero.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mlmcompensationplanpdf.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"monambulanceprivee.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njnlcompany.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oradifitness.info"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"progastrin.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"szekrekedes.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"techhooks.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transystem.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vetownedhomeinspections.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258646/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wobilya.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258647/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"womansmedia.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yellowbooks.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258649/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cabobao3.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"durete.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"fuwer.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gyjyhyo8.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hofaty.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"intellipowerinc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"jurofye.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lyzupoy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"labljas.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mebumau.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mimerou.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nevujo.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pubmass.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258605; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pucak.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"qeqady.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"riwesi.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"simanay.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"suzabyu.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sytukoe8.org"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vajosoo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vizewye.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vopytei.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vpdpkli.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xirygiy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258616/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_18; classtype:trojan-activity; sid:91258616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xmgpsmi.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xuhyjoe5.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zefos.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qtuc"; depth:5; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258621/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258621; rev:1;) alert tcp $HOME_NET any -> [195.181.245.38] 7966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bezizeo9.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cemiwyi7.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuxu.org"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deqytuu9.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"fazadoe.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fokeqi.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gejyg.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gihibml.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gmsmwil.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hejoweo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258567/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jesebyy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lmfpbpm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luhuhu.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmqsrsl.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmtixmm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnsmsla.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moxiroo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nurunia.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pisuxy.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poxof.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ppmpqii.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1258578/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pydypu.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pubonao.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258579/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qazoryy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qogmjlm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qoroh.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258583; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sobopnm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258584/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sumuta.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tapyjya.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usprivatemoneylender.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vlbmqpm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"vnfmnmo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wireoneinternet.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wpmlvii.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258591/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zixirml.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dead-cheap-doma.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vl.php"; depth:7; nocase; http.host; content:"gihibml.org"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gihibml.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"prominencedigiworld.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"akshayascientifics.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"iespppomabamba.edu.pe"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1258552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"www.mlmigration.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"www.prottahobarta.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"rummyking24.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wzm.exe"; depth:8; nocase; http.host; content:"speedy34.myvnc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258548/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258548; rev:1;) alert tcp $HOME_NET any -> [43.138.222.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258546; rev:1;) alert tcp $HOME_NET any -> [168.76.131.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258538; rev:1;) alert tcp $HOME_NET any -> [94.156.8.57] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258539/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258543; rev:1;) alert tcp $HOME_NET any -> [198.23.227.230] 7777 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswl.bzwl888.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bzwl888.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258537; rev:1;) alert tcp $HOME_NET any -> [85.239.55.70] 515 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258535; rev:1;) alert tcp $HOME_NET any -> [92.249.48.17] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258517/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258517; rev:1;) alert tcp $HOME_NET any -> [103.167.88.226] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258533; rev:1;) alert tcp $HOME_NET any -> [204.76.203.101] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owo.p3pr00t.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hi.p3pr00t.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p3pr00t.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doxbin.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kayomirai.kro.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.atlasapi.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.atlasapi.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superdomain.africa"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vivki.epiddserica.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epiddserica.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santc.epiddserica.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ust.cx"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet2.vani.ovh"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graph.vani.ovh"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai.vani.ovh"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258521; rev:1;) alert tcp $HOME_NET any -> [45.59.170.27] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258516; rev:1;) alert tcp $HOME_NET any -> [45.59.170.27] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258515; rev:1;) alert tcp $HOME_NET any -> [185.216.70.210] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258514; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258513; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258512; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1258511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258511; rev:1;) alert tcp $HOME_NET any -> [168.76.120.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258510; rev:1;) alert tcp $HOME_NET any -> [150.158.139.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258509; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258508; rev:1;) alert tcp $HOME_NET any -> [119.91.141.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258507; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258506; rev:1;) alert tcp $HOME_NET any -> 
[1.92.114.234] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258505; rev:1;) alert tcp $HOME_NET any -> [77.124.180.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258504; rev:1;) alert tcp $HOME_NET any -> [197.83.246.191] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258503; rev:1;) alert tcp $HOME_NET any -> [149.109.240.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258502; rev:1;) alert tcp $HOME_NET any -> [103.249.112.118] 8181 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258501; rev:1;) alert tcp $HOME_NET any -> [185.196.11.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258500/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258500; rev:1;) alert tcp $HOME_NET any -> [80.78.22.18] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258499; rev:1;) alert tcp $HOME_NET any -> [103.82.36.91] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258498; rev:1;) alert tcp $HOME_NET any -> [49.13.214.35] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258497; rev:1;) alert tcp $HOME_NET any -> [74.208.123.12] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258496; rev:1;) alert tcp $HOME_NET any -> [221.211.234.138] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258495; rev:1;) alert tcp $HOME_NET any -> [3.0.250.71] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1258494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258494; rev:1;) alert tcp $HOME_NET any -> [217.160.117.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258493; rev:1;) alert tcp $HOME_NET any -> [89.147.111.163] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.189.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258491; rev:1;) alert tcp $HOME_NET any -> [79.137.202.152] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258490; rev:1;) alert tcp $HOME_NET any -> [94.130.189.25] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258489; rev:1;) alert tcp $HOME_NET any -> [94.130.189.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecklardagasda2.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"maraksatandas13.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarakbads2.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258478/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kovey.mezo-api.xyz"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258479; rev:1;) alert tcp $HOME_NET any -> [46.246.14.17] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"4.245.224.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258474; rev:1;) alert tcp $HOME_NET any -> [45.131.111.219] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258475; rev:1;) alert tcp $HOME_NET any -> [4.245.224.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1258487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258487; rev:1;) alert tcp $HOME_NET any -> [94.156.79.116] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258485; rev:1;) alert tcp $HOME_NET any -> [94.156.79.116] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258484/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bjnddcoa3/index.php"; depth:21; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258483; rev:1;) alert tcp $HOME_NET any -> [70.34.253.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"european.pornvideo.mynetav.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258481/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"european.pornvideo.mynetav.org"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258480; rev:1;) alert tcp $HOME_NET any -> [194.87.39.98] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258472; rev:1;) alert tcp $HOME_NET any -> [104.129.20.14] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpollupdategamebigloaddbbaseasynclocal.php"; depth:52; nocase; http.host; content:"91.240.84.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258470; rev:1;) alert tcp $HOME_NET any -> [154.61.80.57] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258469; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258468; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258467; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258466; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258465; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258464; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258463; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258462; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258461; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258460; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258459; rev:1;) alert tcp $HOME_NET any -> [188.54.117.185] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258458/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258458; rev:1;) alert tcp $HOME_NET any -> [41.98.14.133] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258457; rev:1;) alert tcp $HOME_NET any -> [178.163.140.51] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258456; rev:1;) alert tcp $HOME_NET any -> [159.100.14.172] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258455; rev:1;) alert tcp $HOME_NET any -> [74.208.123.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258454; rev:1;) alert tcp $HOME_NET any -> [172.105.81.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258453; rev:1;) alert tcp $HOME_NET any -> [124.220.235.28] 1003 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258452; rev:1;) alert tcp $HOME_NET any -> [167.86.85.34] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258451; rev:1;) alert tcp $HOME_NET any -> [103.134.144.226] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258450; rev:1;) alert tcp $HOME_NET any -> [103.134.144.225] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258449; rev:1;) alert tcp $HOME_NET any -> [173.242.156.181] 448 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258448; rev:1;) alert tcp $HOME_NET any -> [119.96.137.30] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258447; rev:1;) alert tcp $HOME_NET any -> [5.181.156.104] 7777 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258446; rev:1;) alert tcp $HOME_NET any -> [93.123.39.100] 8763 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dzn.ddns.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258188; rev:1;) alert tcp $HOME_NET any -> [45.77.154.40] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/gateway"; depth:12; nocase; http.host; content:"85.239.53.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api/g"; depth:6; nocase; http.host; content:"85.239.53.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258206; rev:1;) alert tcp $HOME_NET any -> [85.239.53.219] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258207; rev:1;) alert tcp $HOME_NET any -> [193.233.132.168] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"119.179.217.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-o62eztd3-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-o62eztd3-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cncboatnetonlvu.apimomo.pro"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npcodaas.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; 
classtype:trojan-activity; sid:91258250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnettajima.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.verminteam.link"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legendsworld.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063894486901587979/1229768405582741570/1_npp.8.6.3.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eft-edi-customer"; depth:17; nocase; http.host; content:"pankerfan.com"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accessinformation"; depth:18; nocase; http.host; content:"pankerfan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/white-rock-progression/l3h0y5.php"; depth:52; nocase; http.host; content:"www.briccodeldente.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/0srbuw.php"; depth:45; nocase; http.host; content:"dreamerz.vn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/vhpg2j.php"; depth:46; nocase; http.host; content:"retrobox.rocks"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1258240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/msecgc.php"; depth:45; nocase; http.host; content:"www.savetheworldpodcast.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sb9ivy.php"; depth:45; nocase; http.host; content:"djibek.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258238; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 23403 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpipephp_httplowupdateprotectdbpublic.php"; depth:49; nocase; http.host; content:"579050cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; 
sid:91258236; rev:1;) alert tcp $HOME_NET any -> [103.195.236.62] 6789 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258235; rev:1;) alert tcp $HOME_NET any -> [94.156.10.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258234; rev:1;) alert tcp $HOME_NET any -> [8.217.14.132] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258233; rev:1;) alert tcp $HOME_NET any -> [103.244.226.133] 8086 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258232; rev:1;) alert tcp $HOME_NET any -> [13.43.245.50] 3306 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258231; rev:1;) alert tcp $HOME_NET any -> [5.44.196.220] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258230; rev:1;) alert tcp $HOME_NET any -> [119.28.159.21] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258229; rev:1;) alert tcp $HOME_NET any -> [192.227.152.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258228; rev:1;) alert tcp $HOME_NET any -> [47.238.201.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258227; rev:1;) alert tcp $HOME_NET any -> [8.219.146.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258226; rev:1;) alert tcp $HOME_NET any -> [8.219.15.69] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258225; rev:1;) alert tcp $HOME_NET any -> [137.184.117.57] 8080 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258224; rev:1;) alert tcp $HOME_NET any -> [123.249.100.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258223; rev:1;) alert tcp $HOME_NET any -> [120.46.91.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258222; rev:1;) alert tcp $HOME_NET any -> [47.104.20.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258221; rev:1;) alert tcp $HOME_NET any -> [47.108.197.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258220; rev:1;) alert tcp $HOME_NET any -> [139.196.78.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258219/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nextoneup.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258218; rev:1;) alert tcp $HOME_NET any -> [37.44.238.78] 65001 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258216; rev:1;) alert tcp $HOME_NET any -> [37.44.238.94] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258217; rev:1;) alert tcp $HOME_NET any -> [175.178.50.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258215; rev:1;) alert tcp $HOME_NET any -> [122.51.85.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258214; rev:1;) alert tcp $HOME_NET any -> [121.4.97.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258213; rev:1;) alert tcp $HOME_NET any -> [49.232.157.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258212; rev:1;) alert tcp $HOME_NET any -> [116.203.13.134] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258210; rev:1;) alert tcp $HOME_NET any -> [65.109.242.73] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.134"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258208; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258200; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258201; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258202; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258203; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258204; rev:1;) alert tcp $HOME_NET 
any -> [187.135.117.203] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258195; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258196; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258197; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258198; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258199; rev:1;) alert tcp $HOME_NET any -> [94.156.65.156] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258194/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258194; rev:1;) alert tcp $HOME_NET any -> [91.92.253.159] 11423 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258193; rev:1;) alert tcp $HOME_NET any -> [91.92.242.61] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258191; rev:1;) alert tcp $HOME_NET any -> [91.92.242.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258192; rev:1;) alert tcp $HOME_NET any -> [213.195.126.87] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258190; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258187; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8082 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258186; rev:1;) alert tcp $HOME_NET any -> [178.73.218.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258184; rev:1;) alert tcp $HOME_NET any -> [192.210.236.212] 15111 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258183; rev:1;) alert tcp $HOME_NET any -> [5.249.165.126] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258182; rev:1;) alert tcp $HOME_NET any -> [79.132.128.95] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258181; rev:1;) alert tcp $HOME_NET any -> [146.190.207.195] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; 
sid:91258180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"beautyservicenearme.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afterksmelipandmahdiimadss.ddns.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lendenclub.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258172/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.adarch.de"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258173/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"netedu.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258174/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.althaus-innenausbau.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258175/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258176/; target:src_ip; 
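metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258176; rev:1;)
#
# ThreatFox IOC rules, 2024-04-16/17 batch. Each rule must stay on a single physical line:
# Suricata rejects a rule that is wrapped across lines without a trailing backslash.
#
# Three rule shapes are used, exactly as the feed emits them:
#   ip:port  - "alert tcp $HOME_NET any -> [addr] port": any packet from HOME_NET toward that
#              destination fires. There is no flow: keyword, so a single SYN, a retry or a
#              scanner probe is enough. "threshold: type limit, track by_src, seconds 60,
#              count 1" caps it at one alert per internal source per minute.
#   domain   - dns_query + content + depth:N + isdataat:!1,relative (+ nocase): the queried
#              name must equal the IOC exactly; N is the IOC's length in bytes.
#   url      - http.method GET + http.uri (prefix match, depth = URI length) + http.host
#              exact match (isdataat:!1,relative); only established client->server flows.
# "target:src_ip" marks the HOME_NET host as the victim, "reference:url" links the ThreatFox
# record, and "metadata: confidence_level" mirrors the submitter's confidence (50-100 here).
#
# Triage note: several destinations are shared or re-assignable infrastructure (dynamic-DNS,
# tunnelling and CDN/API-gateway hostnames), so an alert is a lead, not a verdict. Review the
# lower-confidence entries before acting on them, and retire rules as their first_seen ages.
#
alert tcp $HOME_NET any -> [49.13.149.95] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258170; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.69] 3770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258169; rev:1;)
alert tcp $HOME_NET any -> [66.248.207.29] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258168; rev:1;)
alert tcp $HOME_NET any -> [51.254.53.24] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mark1234567.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiaokkk.02maill.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ss.02maill.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cve.02maill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258165; rev:1;)
alert tcp $HOME_NET any -> [209.141.41.148] 9009 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mi341/index.php"; depth:16; nocase; http.host; content:"ccrhs.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main/assets/js/bootbox.js"; depth:26; nocase; http.host; content:"1.92.85.139"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258160; rev:1;)
alert tcp $HOME_NET any -> [159.203.166.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utilityreport.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms-settings"; depth:12; nocase; http.host; content:"utilityreport.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258157; rev:1;)
alert tcp $HOME_NET any -> [101.99.94.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258156; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 29750 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"require-spa.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258145; rev:1;)
alert tcp $HOME_NET any -> [5.230.76.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258146/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258146; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.86] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258147/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258147; rev:1;)
alert tcp $HOME_NET any -> [66.63.189.8] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258148/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258148; rev:1;)
alert tcp $HOME_NET any -> [77.72.85.78] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258149/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258149; rev:1;)
alert tcp $HOME_NET any -> [91.149.253.77] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258150/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258150; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.58] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258151/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258151; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.179] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258152/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258152; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.182] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258153/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258153; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.110] 3050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4-hitler.publicvm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258154; rev:1;)
alert tcp $HOME_NET any -> [192.159.99.43] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258139; rev:1;)
alert tcp $HOME_NET any -> [207.32.219.92] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258140; rev:1;)
alert tcp $HOME_NET any -> [35.233.238.201] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258141; rev:1;)
alert tcp $HOME_NET any -> [45.94.31.103] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258142; rev:1;)
alert tcp $HOME_NET any -> [192.3.109.131] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258143; rev:1;)
alert tcp $HOME_NET any -> [87.120.84.91] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258134; rev:1;)
alert tcp $HOME_NET any -> [147.124.213.188] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258135; rev:1;)
alert tcp $HOME_NET any -> [212.23.222.206] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258136; rev:1;)
alert tcp $HOME_NET any -> [51.195.94.201] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258137; rev:1;)
alert tcp $HOME_NET any -> [207.244.249.35] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258138; rev:1;)
alert tcp $HOME_NET any -> [85.239.237.148] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258132; rev:1;)
alert tcp $HOME_NET any -> [209.145.56.0] 7788 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258133; rev:1;)
alert tcp $HOME_NET any -> [77.238.235.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258131; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.6] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258130; rev:1;)
alert tcp $HOME_NET any -> [85.192.63.194] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258129; rev:1;)
alert tcp $HOME_NET any -> [41.99.193.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258128; rev:1;)
alert tcp $HOME_NET any -> [154.246.248.213] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258127; rev:1;)
alert tcp $HOME_NET any -> [51.15.225.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258126; rev:1;)
alert tcp $HOME_NET any -> [18.206.197.222] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258125; rev:1;)
alert tcp $HOME_NET any -> [119.45.176.135] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258124; rev:1;)
alert tcp $HOME_NET any -> [62.169.25.187] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258123; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.156] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258121; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.156] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258122; rev:1;)
alert tcp $HOME_NET any -> [45.121.147.117] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258120; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20022 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258119; rev:1;)
alert tcp $HOME_NET any -> [221.130.195.172] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258118; rev:1;)
alert tcp $HOME_NET any -> [95.217.29.187] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258116; rev:1;)
alert tcp $HOME_NET any -> [65.109.240.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258114; rev:1;)
alert tcp $HOME_NET any -> [137.184.39.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spotslfy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258110; rev:1;)
alert tcp $HOME_NET any -> [192.253.251.132] 1780 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnwa"; depth:5; nocase; http.host; content:"139.196.73.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258108; rev:1;)
alert tcp $HOME_NET any -> [139.196.73.80] 9902 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258106; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.82] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258104/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258104; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.82] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258105; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.82] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258103; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 29545 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cars-fraction.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258100; rev:1;)
alert tcp $HOME_NET any -> [3.14.182.203] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258081; rev:1;)
alert tcp $HOME_NET any -> [3.13.191.225] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258082; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.228] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnauco5.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupssupport.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258077; rev:1;)
alert tcp $HOME_NET any -> [3.134.125.175] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258080; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.64] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258072; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.182] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258073; rev:1;)
alert tcp $HOME_NET any -> [193.106.175.140] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0942660.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvideotestdatalifeuploads.php"; depth:37; nocase; http.host; content:"porpabor.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/08409289280180"; depth:25; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258098; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/1748937"; depth:18; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258095; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258094; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.72] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/690877741063"; depth:23; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258092; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.103] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-e1idmqlj-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-e1idmqlj-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258090; rev:1;)
alert tcp $HOME_NET any -> [77.91.122.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demonstrate/v3.76/t35i67njako"; depth:30; nocase; http.host; content:"77.91.122.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258087; rev:1;)
alert tcp $HOME_NET any -> [175.27.133.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp"; depth:3; nocase; http.host; content:"154.8.187.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp"; depth:3; nocase; http.host; content:"192.144.195.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"154.8.187.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258083; rev:1;)
alert tcp $HOME_NET any -> [193.168.143.185] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91258079; rev:1;)
alert tcp $HOME_NET any -> [66.63.189.105] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91258078; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.204] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258076; rev:1;)
alert tcp $HOME_NET any -> [172.111.216.199] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258075; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.9] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258071; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.9] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258070; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.23] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258069; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.23] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258068; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258067; rev:1;)
alert tcp $HOME_NET any -> [213.109.202.229] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258066; rev:1;)
alert tcp $HOME_NET any 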
-> [77.232.40.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258065; rev:1;) alert tcp $HOME_NET any -> [103.207.68.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258064; rev:1;) alert tcp $HOME_NET any -> [43.135.5.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258063; rev:1;) alert tcp $HOME_NET any -> [39.40.172.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258062; rev:1;) alert tcp $HOME_NET any -> [89.148.151.61] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258061; rev:1;) alert tcp $HOME_NET any -> [88.229.77.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258060/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258060; rev:1;) alert tcp $HOME_NET any -> [83.136.248.250] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258059; rev:1;) alert tcp $HOME_NET any -> [103.82.36.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258058; rev:1;) alert tcp $HOME_NET any -> [182.140.130.101] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258057; rev:1;) alert tcp $HOME_NET any -> [149.28.144.85] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.55.199.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"167.71.242.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"165.227.108.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258052; rev:1;) alert tcp $HOME_NET any -> [185.196.220.194] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258050; rev:1;) alert tcp $HOME_NET any -> [103.155.93.148] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; 
sid:91258049; rev:1;) alert tcp $HOME_NET any -> [194.48.251.169] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.hta"; depth:6; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.hta"; depth:6; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gogis.bat"; depth:10; nocase; http.host; content:"194.48.251.169"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258047; rev:1;) alert tcp $HOME_NET any -> [66.66.146.74] 9511 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"kingofdolomites.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"camps.topgunnbaseball.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258042; rev:1;) alert tcp $HOME_NET any -> [109.107.181.83] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258040; rev:1;) alert tcp $HOME_NET any -> [216.9.225.194] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258039/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258039; rev:1;) alert tcp $HOME_NET any -> [191.82.251.201] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258038; rev:1;) alert tcp $HOME_NET any -> [194.105.5.194] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258037; rev:1;) alert tcp $HOME_NET any -> [104.234.204.57] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258036; rev:1;) alert tcp $HOME_NET any -> [103.47.147.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258035; rev:1;) alert tcp $HOME_NET any -> [94.156.67.112] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258034; rev:1;) alert tcp $HOME_NET any -> [80.112.42.92] 22 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258026; rev:1;) alert tcp $HOME_NET any -> [43.156.80.75] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257786; rev:1;) alert tcp $HOME_NET any -> [43.135.11.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257785; rev:1;) alert tcp $HOME_NET any -> [107.172.196.210] 58000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257784; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 5000 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257783; rev:1;) alert tcp $HOME_NET any -> [23.94.66.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257782; 
rev:1;) alert tcp $HOME_NET any -> [47.236.8.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0941979.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257780; rev:1;) alert tcp $HOME_NET any -> [8.218.149.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"zgjatj.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257778; rev:1;) alert tcp $HOME_NET any -> [159.65.56.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257777; rev:1;) alert tcp 
$HOME_NET any -> [124.70.102.46] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257776; rev:1;) alert tcp $HOME_NET any -> [1.92.85.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257775; rev:1;) alert tcp $HOME_NET any -> [1.92.82.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257774; rev:1;) alert tcp $HOME_NET any -> [139.224.49.34] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257773; rev:1;) alert tcp $HOME_NET any -> [120.78.139.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257772; rev:1;) alert tcp $HOME_NET any -> [115.29.202.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257771; rev:1;) alert tcp $HOME_NET any -> [54.91.135.60] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257770; rev:1;) alert tcp $HOME_NET any -> [101.200.86.176] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257769; rev:1;) alert tcp $HOME_NET any -> [59.110.91.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257768; rev:1;) alert tcp $HOME_NET any -> [47.115.215.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257767; rev:1;) alert tcp $HOME_NET any -> [47.108.130.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257766; rev:1;) alert tcp $HOME_NET any -> [47.92.206.180] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/0672554332862"; depth:24; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257764/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257764; rev:1;) alert tcp $HOME_NET any -> [39.96.116.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257763; rev:1;) alert tcp $HOME_NET any -> [8.137.11.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257762; rev:1;) alert tcp $HOME_NET any -> [8.134.102.18] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257761; rev:1;) alert tcp $HOME_NET any -> [175.178.160.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257760; rev:1;) alert tcp $HOME_NET any -> [124.222.147.8] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257759; rev:1;) alert tcp $HOME_NET any -> [43.143.168.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257758; rev:1;) alert tcp $HOME_NET any -> [43.139.67.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b.doxbin.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257756/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257756; rev:1;) alert tcp $HOME_NET any -> [107.175.229.141] 36832 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257755; rev:1;) alert tcp 
$HOME_NET any -> [94.156.66.16] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257735; rev:1;) alert tcp $HOME_NET any -> [64.95.13.160] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257734; rev:1;) alert tcp $HOME_NET any -> [51.89.30.114] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257733; rev:1;) alert tcp $HOME_NET any -> [51.81.0.240] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257732; rev:1;) alert tcp $HOME_NET any -> [51.38.67.91] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257731; rev:1;) alert tcp $HOME_NET any -> [45.133.74.121] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257730; rev:1;) alert tcp $HOME_NET any -> [45.128.232.219] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257729; rev:1;) alert tcp $HOME_NET any -> [45.128.232.185] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257728; rev:1;) alert tcp $HOME_NET any -> [23.160.193.106] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257726; rev:1;) alert tcp $HOME_NET any -> [23.160.194.10] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257727; rev:1;) alert tcp $HOME_NET any -> [15.235.149.123] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257725; rev:1;) alert tcp $HOME_NET any -> [15.204.12.150] 
1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257724; rev:1;) alert tcp $HOME_NET any -> [5.181.80.35] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257723; rev:1;) alert tcp $HOME_NET any -> [94.156.66.184] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257736; rev:1;) alert tcp $HOME_NET any -> [94.156.66.225] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257737; rev:1;) alert tcp $HOME_NET any -> [94.156.67.43] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257738; rev:1;) alert tcp $HOME_NET any -> [94.156.67.74] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257739/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257739; rev:1;) alert tcp $HOME_NET any -> [94.228.168.28] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257740; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257741; rev:1;) alert tcp $HOME_NET any -> [141.98.7.53] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257742; rev:1;) alert tcp $HOME_NET any -> [141.98.7.237] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257743; rev:1;) alert tcp $HOME_NET any -> [158.51.96.17] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257744; rev:1;) alert tcp $HOME_NET any -> [162.214.103.215] 2052 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257745; rev:1;) alert tcp $HOME_NET any -> [162.214.103.216] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257746; rev:1;) alert tcp $HOME_NET any -> [172.65.152.34] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257747; rev:1;) alert tcp $HOME_NET any -> [185.196.8.230] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257748; rev:1;) alert tcp $HOME_NET any -> [193.34.69.249] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257749; rev:1;) alert tcp $HOME_NET any -> [209.141.50.91] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257750/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257750; rev:1;) alert tcp $HOME_NET any -> [209.141.59.146] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257751; rev:1;) alert tcp $HOME_NET any -> [209.141.62.176] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"returns-vary.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257754; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 26628 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257753; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 29058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"tue-jake.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257720; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 28329 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"report-dust.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257718; rev:1;) alert tcp $HOME_NET any -> [173.44.141.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lj3klqg6-1308639534.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257712; rev:1;) alert tcp $HOME_NET any -> [111.230.25.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-lj3klqg6-1308639534.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257711; rev:1;) alert tcp $HOME_NET any -> [101.99.75.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-net.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ki"; depth:3; nocase; http.host; content:"microsoft-net.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257708; rev:1;) alert tcp $HOME_NET any -> [89.190.156.34] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257707; rev:1;) alert tcp $HOME_NET any -> [185.216.70.88] 6281 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; 
http.host; content:"18.166.113.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"167.71.91.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.10.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"34.81.83.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.81.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257643/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"142.171.62.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"35.198.215.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.163.208.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"123.1.189.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.242.8.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"222.112.93.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.249.8.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login/"; depth:18; nocase; http.host; content:"106.75.66.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.91.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"18.166.113.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"116.204.123.237"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1257637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"139.199.2.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.143.112.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.220.0.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257632; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.134.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"101.34.243.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.10.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.10.10.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.128.177.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.223.247.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.128.177.204"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"86.38.247.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"149.129.131.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.74.192.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; 
classtype:trojan-activity; sid:91257619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"150.109.241.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"49.235.117.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.172.209.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"121.36.61.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.242.4.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.249.193.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.242.4.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.209.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; 
content:"43.132.193.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.249.193.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257609; rev:1;) alert tcp $HOME_NET any -> [38.45.100.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257500; rev:1;) alert tcp $HOME_NET any -> [41.216.182.208] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257501; rev:1;) alert tcp $HOME_NET any -> [45.90.12.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257502; rev:1;) alert tcp $HOME_NET any -> [45.128.232.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257503/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257503; rev:1;) alert tcp $HOME_NET any -> [45.128.232.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257504; rev:1;) alert tcp $HOME_NET any -> [45.133.74.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257505; rev:1;) alert tcp $HOME_NET any -> [51.83.180.205] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257506; rev:1;) alert tcp $HOME_NET any -> [51.222.204.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257507; rev:1;) alert tcp $HOME_NET any -> [86.104.194.180] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257508; rev:1;) alert tcp $HOME_NET any -> [89.208.103.203] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257509; rev:1;) alert tcp $HOME_NET any -> [91.92.254.109] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257510; rev:1;) alert tcp $HOME_NET any -> [91.103.253.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257511; rev:1;) alert tcp $HOME_NET any -> [92.249.48.147] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257512; rev:1;) alert tcp $HOME_NET any -> [94.131.99.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257513; rev:1;) alert tcp $HOME_NET any -> [94.156.8.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257514/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_16; classtype:trojan-activity; sid:91257514; rev:1;) alert tcp $HOME_NET any -> [94.156.66.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257515; rev:1;) alert tcp $HOME_NET any -> [94.156.66.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257516; rev:1;) alert tcp $HOME_NET any -> [94.156.67.74] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257517; rev:1;) alert tcp $HOME_NET any -> [94.228.168.28] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257518; rev:1;) alert tcp $HOME_NET any -> [141.98.7.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257519; rev:1;) alert tcp $HOME_NET any -> [141.98.7.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257520; rev:1;) alert tcp $HOME_NET any -> [159.253.120.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257521; rev:1;) alert tcp $HOME_NET any -> [185.102.172.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257522; rev:1;) alert tcp $HOME_NET any -> [185.196.8.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257523; rev:1;) alert tcp $HOME_NET any -> [193.34.69.249] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257524; rev:1;) alert tcp $HOME_NET any -> [193.35.18.35] 88 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257525; 
rev:1;) alert tcp $HOME_NET any -> [193.35.18.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257526; rev:1;) alert tcp $HOME_NET any -> [198.27.107.169] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257527; rev:1;) alert tcp $HOME_NET any -> [199.195.251.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257528; rev:1;) alert tcp $HOME_NET any -> [205.185.119.42] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257529; rev:1;) alert tcp $HOME_NET any -> [209.141.44.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257530; rev:1;) alert tcp $HOME_NET any -> [209.141.62.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1257531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pickthecotton.xyz"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1257556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zopz-api.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.244.125"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1257558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.187.28.15"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257560; rev:1;) alert tcp $HOME_NET any -> [164.92.166.129] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257573; rev:1;) alert tcp $HOME_NET any -> [51.81.38.137] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257574; rev:1;) alert tcp $HOME_NET any -> [64.227.166.207] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257575; rev:1;) alert tcp $HOME_NET any -> [188.119.103.198] 17691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257601; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 17691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257602; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 55650 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257603; rev:1;) alert tcp $HOME_NET any -> [166.88.61.185] 10020 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257608; rev:1;) alert tcp $HOME_NET any -> [5.181.190.250] 8008 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257607; rev:1;) alert tcp $HOME_NET any -> [193.233.132.117] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257606; rev:1;) alert tcp $HOME_NET any -> [93.123.85.103] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.198.174.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257604; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 17455 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artist-composed.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257665/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257665; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 28632 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tequilacofradiamx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257662; rev:1;) alert tcp $HOME_NET any -> [91.92.254.199] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxx.bat"; depth:8; nocase; http.host; content:"193.222.96.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257659/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boatnet.dogzsec.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257655; rev:1;) alert tcp $HOME_NET any -> [193.222.96.41] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"green-morrison.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257666; rev:1;) alert tcp $HOME_NET any -> [87.121.105.175] 14845 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; 
sid:91257667; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257671; rev:1;) alert tcp $HOME_NET any -> [2.58.95.131] 65480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257683; rev:1;) alert tcp $HOME_NET any -> [91.92.243.252] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257703; rev:1;) alert tcp $HOME_NET any -> [116.202.185.144] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257704; rev:1;) alert tcp $HOME_NET any -> [95.217.28.230] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfail"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199673019888"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257700; rev:1;) alert tcp $HOME_NET any -> [82.146.62.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257699; rev:1;) alert tcp $HOME_NET any -> [185.173.38.173] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257698; rev:1;) alert tcp $HOME_NET any -> [101.37.13.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257697; rev:1;) alert tcp $HOME_NET any -> [46.246.80.8] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257696; rev:1;) alert tcp $HOME_NET any -> [178.73.192.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257695; rev:1;) alert tcp $HOME_NET any -> [189.152.21.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257694; rev:1;) alert tcp $HOME_NET any -> [190.134.50.121] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257693/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_16; classtype:trojan-activity; sid:91257693; rev:1;) alert tcp $HOME_NET any -> [77.126.165.31] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257692; rev:1;) alert tcp $HOME_NET any -> [147.45.136.226] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257691; rev:1;) alert tcp $HOME_NET any -> [192.162.68.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257690; rev:1;) alert tcp $HOME_NET any -> [128.14.237.229] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257689; rev:1;) alert tcp $HOME_NET any -> [77.106.68.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257688; rev:1;) alert tcp $HOME_NET any -> [185.222.58.87] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1257686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257679; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"116.62.34.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.92.147.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; 
nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0942630.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257672; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257670; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257669; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jinjfg/panel/five/fre.php"; depth:26; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jinjfg/panel/five/fre.php"; depth:26; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257656; rev:1;) alert tcp $HOME_NET any -> [135.125.21.74] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257600; rev:1;) alert tcp $HOME_NET any -> [77.134.63.213] 1122 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257599; rev:1;) alert tcp $HOME_NET any -> [171.232.6.144] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257597; rev:1;) alert tcp $HOME_NET any -> [171.232.6.144] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257598; rev:1;) alert tcp $HOME_NET any -> [111.173.116.82] 2312 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257596; rev:1;) alert tcp $HOME_NET any -> [89.88.69.115] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257595; rev:1;) alert tcp $HOME_NET any -> [91.92.247.34] 6667 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257594; rev:1;) alert tcp $HOME_NET any -> [91.92.244.76] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257593; 
rev:1;) alert tcp $HOME_NET any -> [8.210.250.14] 6603 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257591; rev:1;) alert tcp $HOME_NET any -> [37.235.56.182] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257592; rev:1;) alert tcp $HOME_NET any -> [223.26.61.23] 5121 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257590; rev:1;) alert tcp $HOME_NET any -> [91.92.251.216] 7000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257589; rev:1;) alert tcp $HOME_NET any -> [187.135.177.247] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257588; rev:1;) alert tcp $HOME_NET any -> [200.9.154.160] 10000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257587; rev:1;) alert tcp $HOME_NET any -> [104.250.169.165] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257581; rev:1;) alert tcp $HOME_NET any -> [128.90.122.129] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257582; rev:1;) alert tcp $HOME_NET any -> [156.195.84.201] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257583; rev:1;) alert tcp $HOME_NET any -> [156.195.143.153] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257584; rev:1;) alert tcp $HOME_NET any -> [172.111.148.205] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257585; rev:1;) alert tcp $HOME_NET any -> [181.214.223.125] 80 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257586; rev:1;) alert tcp $HOME_NET any -> [20.2.223.28] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257576; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257577; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257578; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257579; rev:1;) alert tcp $HOME_NET any -> [103.47.147.23] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257580; rev:1;) alert tcp $HOME_NET any -> [35.221.150.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257572; rev:1;) alert tcp $HOME_NET any -> [35.229.251.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257571; rev:1;) alert tcp $HOME_NET any -> [88.214.27.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257569; rev:1;) alert tcp $HOME_NET any -> [88.214.27.80] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257570; rev:1;) alert tcp $HOME_NET any -> [81.19.138.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257567; rev:1;) alert tcp $HOME_NET any -> [81.19.138.60] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257568; rev:1;) alert tcp $HOME_NET any -> [81.19.136.252] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257565; rev:1;) alert tcp $HOME_NET any -> [81.19.136.252] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257566; rev:1;) alert tcp $HOME_NET any -> [210.56.49.167] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257564; rev:1;) alert tcp $HOME_NET any -> [38.180.120.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257563; rev:1;) alert tcp $HOME_NET any -> [106.75.162.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257562; rev:1;) alert tcp $HOME_NET 
any -> [149.88.78.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257561; rev:1;) alert tcp $HOME_NET any -> [43.131.5.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257559; rev:1;) alert tcp $HOME_NET any -> [46.246.80.8] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257555; rev:1;) alert tcp $HOME_NET any -> [88.234.159.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257554; rev:1;) alert tcp $HOME_NET any -> [78.69.198.113] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257553; rev:1;) alert tcp $HOME_NET any -> [151.64.244.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257552/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257552; rev:1;) alert tcp $HOME_NET any -> [158.140.128.55] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257551; rev:1;) alert tcp $HOME_NET any -> [172.233.120.154] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257550; rev:1;) alert tcp $HOME_NET any -> [54.37.226.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257549; rev:1;) alert tcp $HOME_NET any -> [103.136.150.94] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257548; rev:1;) alert tcp $HOME_NET any -> [151.236.26.171] 12041 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257547; rev:1;) alert tcp $HOME_NET any -> [118.212.140.132] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257546; rev:1;) alert tcp $HOME_NET any -> [35.189.178.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257545; rev:1;) alert tcp $HOME_NET any -> [38.60.217.106] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257544; rev:1;) alert tcp $HOME_NET any -> [159.203.125.55] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257543; rev:1;) alert tcp $HOME_NET any -> [159.203.125.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257542; rev:1;) alert tcp $HOME_NET any -> [103.149.90.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257541; rev:1;) alert tcp 
$HOME_NET any -> [45.77.37.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257540; rev:1;) alert tcp $HOME_NET any -> [103.146.159.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257539; rev:1;) alert tcp $HOME_NET any -> [20.189.79.97] 43552 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257538; rev:1;) alert tcp $HOME_NET any -> [43.132.184.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257537; rev:1;) alert tcp $HOME_NET any -> [107.175.91.204] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257536; rev:1;) alert tcp $HOME_NET any -> [164.92.249.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257534; rev:1;) alert tcp $HOME_NET any -> [164.92.249.209] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257535; rev:1;) alert tcp $HOME_NET any -> [159.89.16.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257533; rev:1;) alert tcp $HOME_NET any -> [185.196.11.252] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257532; rev:1;) alert tcp $HOME_NET any -> [59.174.112.119] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257499; rev:1;) alert tcp $HOME_NET any -> [176.135.229.160] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257498; rev:1;) alert tcp $HOME_NET any -> [63.41.157.163] 502 (msg:"ThreatFox 
Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257497; rev:1;) alert tcp $HOME_NET any -> [42.157.163.42] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a80d985c.php"; depth:13; nocase; http.host; content:"a0943092.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257495; rev:1;) alert tcp $HOME_NET any -> [152.42.139.235] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257494; rev:1;) alert tcp $HOME_NET any -> [8.130.69.96] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257493; rev:1;) alert tcp $HOME_NET any -> [172.207.236.31] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1257492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257492; rev:1;) alert tcp $HOME_NET any -> [44.222.74.172] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257491; rev:1;) alert tcp $HOME_NET any -> [103.249.112.105] 8181 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257490; rev:1;) alert tcp $HOME_NET any -> [13.82.179.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257489; rev:1;) alert tcp $HOME_NET any -> [89.190.156.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257203; rev:1;) alert tcp $HOME_NET any -> [45.125.66.100] 61192 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257459; rev:1;) alert tcp $HOME_NET any -> [204.76.203.2] 1883 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257460; rev:1;) alert tcp $HOME_NET any -> [204.76.203.3] 1883 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257461; rev:1;) alert tcp $HOME_NET any -> [62.72.185.14] 17912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257483; rev:1;) alert tcp $HOME_NET any -> [47.245.94.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257488; rev:1;) alert tcp $HOME_NET any -> [47.236.172.59] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257487; rev:1;) alert tcp $HOME_NET any -> [47.236.96.178] 5055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257486; rev:1;) alert tcp $HOME_NET any -> [47.76.92.216] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257485; rev:1;) alert tcp $HOME_NET any -> [8.219.228.10] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257484; rev:1;) alert tcp $HOME_NET any -> [124.71.69.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257481; rev:1;) alert tcp $HOME_NET any -> [124.71.69.101] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257482; rev:1;) alert tcp $HOME_NET any -> [117.78.11.237] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257480; rev:1;) alert tcp $HOME_NET any -> [60.204.151.207] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257479; rev:1;) alert tcp $HOME_NET any -> [123.56.235.29] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257217; rev:1;) alert tcp $HOME_NET any -> [118.178.195.229] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257216; rev:1;) alert tcp $HOME_NET any -> [101.201.70.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257215; rev:1;) alert tcp $HOME_NET any -> [47.120.41.137] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257214; rev:1;) alert tcp $HOME_NET any -> [47.113.150.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257213; rev:1;) alert tcp 
$HOME_NET any -> [39.100.120.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257212; rev:1;) alert tcp $HOME_NET any -> [8.137.108.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257210; rev:1;) alert tcp $HOME_NET any -> [8.137.108.208] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257211; rev:1;) alert tcp $HOME_NET any -> [8.134.80.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257209; rev:1;) alert tcp $HOME_NET any -> [8.130.30.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257208; rev:1;) alert tcp $HOME_NET any -> [47.120.58.214] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257206; rev:1;) alert tcp $HOME_NET any -> [59.110.18.123] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257207; rev:1;) alert tcp $HOME_NET any -> [1.94.120.249] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257204; rev:1;) alert tcp $HOME_NET any -> [8.130.24.188] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257205; rev:1;) alert tcp $HOME_NET any -> [193.112.85.116] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonic-gif.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257198; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonic-gif3332.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257199; rev:1;) alert tcp $HOME_NET any -> [185.73.125.50] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 70%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257201/; target:src_ip; metadata: confidence_level 70, first_seen 2024_04_15; classtype:trojan-activity; sid:91257201; rev:1;) alert tcp $HOME_NET any -> [193.112.85.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257200; rev:1;) alert tcp $HOME_NET any -> [175.178.232.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257197; rev:1;) alert tcp $HOME_NET any -> [175.27.133.246] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257196; rev:1;) alert tcp $HOME_NET any -> [93.123.85.103] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257191; rev:1;) alert tcp $HOME_NET any -> [152.136.43.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257194; rev:1;) alert tcp $HOME_NET any -> [152.136.43.210] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257195; rev:1;) alert tcp $HOME_NET any -> [111.230.12.198] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257193; rev:1;) alert tcp $HOME_NET any -> [81.70.91.34] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; http.host; content:"rtattack.baqebei1.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.71.136.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257186; rev:1;) alert tcp $HOME_NET any -> [205.185.121.20] 5386 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257084/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"2.58.95.100"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"74.91.116.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"93.123.85.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"93.123.85.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257178; rev:1;) alert tcp $HOME_NET any -> [93.123.85.53] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257179; rev:1;) alert tcp $HOME_NET any -> [89.116.236.8] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257182; rev:1;) alert tcp $HOME_NET any -> [93.123.85.48] 1 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257180; rev:1;) alert tcp $HOME_NET any -> [167.114.127.89] 5214 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257181; rev:1;) alert tcp $HOME_NET any -> [2.58.95.100] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257183; rev:1;) alert tcp $HOME_NET any -> [74.91.116.85] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257184; rev:1;) alert tcp $HOME_NET any -> [209.141.60.189] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"167.114.127.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"89.116.236.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"209.141.60.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257177; rev:1;) alert tcp $HOME_NET any -> [85.204.116.22] 38241 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257071; rev:1;) alert tcp $HOME_NET any -> [45.125.66.100] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257072; rev:1;) alert tcp $HOME_NET any -> [5.181.80.60] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257073; rev:1;) alert tcp $HOME_NET any -> [85.204.116.206] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257074; rev:1;) alert tcp $HOME_NET any -> [5.181.80.140] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257075; rev:1;) alert tcp $HOME_NET any -> [5.181.80.61] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; 
sid:91257076; rev:1;) alert tcp $HOME_NET any -> [5.181.80.189] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257077; rev:1;) alert tcp $HOME_NET any -> [62.72.185.15] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257078; rev:1;) alert tcp $HOME_NET any -> [62.72.185.38] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257079; rev:1;) alert tcp $HOME_NET any -> [62.72.185.90] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257080; rev:1;) alert tcp $HOME_NET any -> [62.72.185.42] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257081; rev:1;) alert tcp $HOME_NET any -> [85.204.116.21] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257082; rev:1;) alert tcp $HOME_NET any -> [99.195.249.124] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257083; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 586 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.95.254.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257068; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257069; rev:1;) alert tcp $HOME_NET any -> [104.219.239.56] 1989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; 
sid:91257067; rev:1;) alert tcp $HOME_NET any -> [104.219.239.56] 3956 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257066; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 4414 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257065; rev:1;) alert tcp $HOME_NET any -> [98.66.160.134] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257064; rev:1;) alert tcp $HOME_NET any -> [45.63.56.64] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257063; rev:1;) alert tcp $HOME_NET any -> [172.207.236.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257062; rev:1;) alert tcp $HOME_NET any -> [151.48.171.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257061/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257061; rev:1;) alert tcp $HOME_NET any -> [87.110.49.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257060; rev:1;) alert tcp $HOME_NET any -> [16.163.57.246] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257059; rev:1;) alert tcp $HOME_NET any -> [172.104.25.254] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257058; rev:1;) alert tcp $HOME_NET any -> [163.181.130.93] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257057; rev:1;) alert tcp $HOME_NET any -> [34.16.198.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257056; rev:1;) alert tcp $HOME_NET any -> [61.162.223.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257055; rev:1;) alert tcp $HOME_NET any -> [95.216.176.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257054; rev:1;) alert tcp $HOME_NET any -> [65.109.140.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257050; rev:1;) alert tcp $HOME_NET any -> [116.202.185.144] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257051; rev:1;) alert tcp $HOME_NET any -> [95.217.28.230] 5342 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257052; rev:1;) alert tcp $HOME_NET any -> [95.216.176.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257053; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.26.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257048; rev:1;) alert tcp $HOME_NET any -> [157.90.25.39] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257045/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.140.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.90.25.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/0699921091"; depth:21; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257041; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 8808 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257040; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257039; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bordersoarmanusjuw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"entitlementappwo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"economicscreateojsu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pushjellysingeywus.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"suitcaseacanehalk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"absentconvicsjawun.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mealplayerpreceodsju.shop"; 
depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wifeplasterbakewis.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bordersoarmanusjuw.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"entitlementappwo.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"economicscreateojsu.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pushjellysingeywus.shop"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absentconvicsjawun.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitcaseacanehalk.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mealplayerpreceodsju.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257014; rev:1;) alert tcp $HOME_NET any -> [35.198.149.52] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257026; rev:1;) alert tcp $HOME_NET any -> [198.12.124.76] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257028; rev:1;) alert tcp $HOME_NET any -> [104.168.45.11] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257029; rev:1;) alert tcp $HOME_NET any -> [185.216.70.168] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257027; rev:1;) alert tcp $HOME_NET any -> [172.245.119.70] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257030; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wifeplasterbakewis.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257015; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17170 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257016; rev:1;) alert tcp $HOME_NET any -> [93.123.85.167] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257017; rev:1;) alert tcp $HOME_NET any -> [203.145.46.240] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257024; rev:1;) alert tcp $HOME_NET any -> [172.245.119.63] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257031; rev:1;) alert tcp $HOME_NET any -> [172.67.156.11] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257035; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 8096 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toprocessordlelocalprivate.php"; depth:31; nocase; http.host; content:"276261cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_local.php"; depth:11; nocase; http.host; content:"967183cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/720637"; depth:17; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257033; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 1919 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_pollpacketmultitesttrackdletemporary.php"; depth:42; nocase; http.host; 
content:"330745cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01525576.php"; depth:13; nocase; http.host; content:"a0940040.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257022; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257021; rev:1;) alert tcp $HOME_NET any -> [41.248.119.194] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257020; rev:1;) alert tcp $HOME_NET any -> [165.232.123.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; 
content:"165.232.123.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257018; rev:1;) alert tcp $HOME_NET any -> [206.189.246.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256999; rev:1;) alert tcp $HOME_NET any -> [170.64.197.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256998; rev:1;) alert tcp $HOME_NET any -> [167.179.109.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256997; rev:1;) alert tcp $HOME_NET any -> [96.237.16.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256996; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256995; 
rev:1;) alert tcp $HOME_NET any -> [101.99.94.224] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256994; rev:1;) alert tcp $HOME_NET any -> [163.181.142.96] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256993; rev:1;) alert tcp $HOME_NET any -> [18.181.61.11] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256992; rev:1;) alert tcp $HOME_NET any -> [193.233.132.217] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256745/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.37.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256744; rev:1;) alert tcp $HOME_NET any -> [186.102.175.129] 1114 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256743; rev:1;) alert tcp $HOME_NET any -> [94.228.162.55] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256742; rev:1;) alert tcp $HOME_NET any -> [103.237.86.195] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256737; rev:1;) alert tcp $HOME_NET any -> [93.123.39.73] 400 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256740; rev:1;) alert tcp $HOME_NET any -> [87.246.7.66] 52154 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256738; rev:1;) alert tcp $HOME_NET any -> [203.145.46.240] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256739; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestcpu/generatorgame/datalife02/processorserver/proton/9/centraltemp/pythontrafficvideo/4sqlserver/dbcentral7/6privatepython/1dle1/wpdle1track/62wordpress/datalife/externalexternalvoiddb/video53base/uploadsdatalife1pipe/requestlongpollflower/php_requestapiprotectwindowsasyncdatalife.php"; depth:292; nocase; http.host; content:"79.174.94.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256741; rev:1;) alert tcp $HOME_NET any -> [23.227.196.15] 23461 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"salaamt.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mzile.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inspirestudiosteam.com"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256723/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neweatz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purpleflowers.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sam.coffin-jazzed.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256728/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sam.coinmarketcap-tm.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256729/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tunel.oracle-panel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256733/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"svma.arcovip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elated-black.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"infallible-lichterman.45-141-215-173.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"great-golick.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"carte-vitale-assurance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256719/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_14; classtype:trojan-activity; sid:91256719; rev:1;) alert tcp $HOME_NET any -> [192.53.123.224] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"al.salaamt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ams-k-node1.vleo.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bnd-servers.komakhazine.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sharp-hugle.45-141-215-173.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stupefied-germain.45-141-215-173.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.elated-black.45-141-215-173.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256734/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.infallible-lichterman.45-141-215-173.plesk.page"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256715; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 77 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256713; rev:1;) alert tcp $HOME_NET any -> [185.173.38.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256711; rev:1;) alert tcp $HOME_NET any -> [46.101.4.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256710; rev:1;) alert tcp $HOME_NET any -> [46.246.82.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256709; rev:1;) alert tcp $HOME_NET any -> [108.34.181.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256708; rev:1;) alert tcp $HOME_NET any -> [119.96.91.140] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1256707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256707; rev:1;) alert tcp $HOME_NET any -> [125.73.208.34] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256706; rev:1;) alert tcp $HOME_NET any -> [82.197.65.180] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256705; rev:1;) alert tcp $HOME_NET any -> [39.145.65.102] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256704; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 31774 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256703; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 76 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256702/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"unotree.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256655; rev:1;) alert tcp $HOME_NET any -> [198.46.177.144] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256676; rev:1;) alert tcp $HOME_NET any -> [176.123.1.215] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256674; rev:1;) alert tcp $HOME_NET any -> [91.92.251.238] 5366 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256675; rev:1;) alert tcp $HOME_NET any -> [85.195.79.166] 9981 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256677; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17231 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; 
classtype:trojan-activity; sid:91256692; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17231 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tcp.eu.ngrok.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256695/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256695; rev:1;) alert tcp $HOME_NET any -> [94.156.10.76] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rsx.nextoneup.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256690; rev:1;) alert tcp $HOME_NET any -> [176.123.1.215] 7777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256682; rev:1;) alert tcp $HOME_NET any -> [45.88.90.185] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256686; rev:1;) alert tcp $HOME_NET any -> [37.44.238.94] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256689; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15640 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256694; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15019 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256696/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256696; rev:1;) alert tcp $HOME_NET any -> [46.147.123.30] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256700/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256700; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 14095 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256701; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256699; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256698; rev:1;) alert tcp $HOME_NET any -> [41.249.48.248] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0917747.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/30257e4c371b49a4.php"; depth:21; nocase; http.host; content:"192.121.87.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256687; rev:1;) alert tcp $HOME_NET any -> [147.45.47.102] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256684; rev:1;) alert tcp $HOME_NET any -> [147.45.47.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2betterpacket/proton/7voiddbcpu2/longpoll5/5testjsmulti/packet/pollprivate.php"; depth:79; nocase; http.host; content:"109.107.182.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256681; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.23.87.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlongpollservermultidbwp.php"; depth:36; nocase; http.host; content:"89.23.98.225"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256678; rev:1;) alert tcp $HOME_NET any -> [34.88.143.155] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256673; rev:1;) alert tcp $HOME_NET any -> [188.120.240.143] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256672; rev:1;) alert tcp $HOME_NET any -> [94.156.8.227] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256671; rev:1;) alert tcp $HOME_NET any -> [47.242.4.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256670; rev:1;) alert tcp $HOME_NET any -> [122.114.26.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256669; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256668; rev:1;) alert tcp $HOME_NET any -> [78.189.79.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256667; rev:1;) alert tcp $HOME_NET any -> [130.43.60.51] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256666; rev:1;) alert tcp $HOME_NET any -> [143.198.137.33] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; 
sid:91256665; rev:1;) alert tcp $HOME_NET any -> [4.236.52.255] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256664; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256663; rev:1;) alert tcp $HOME_NET any -> [167.114.90.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256662; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20010 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256661; rev:1;) alert tcp $HOME_NET any -> [89.22.182.206] 1720 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256660; rev:1;) alert tcp $HOME_NET any -> [198.90.21.114] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256659/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256659; rev:1;) alert tcp $HOME_NET any -> [94.198.54.202] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256658; rev:1;) alert tcp $HOME_NET any -> [172.111.137.180] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.220.148.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256656; rev:1;) alert tcp $HOME_NET any -> [94.156.79.32] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256654; rev:1;) alert tcp $HOME_NET any -> [94.156.79.32] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256653; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"43.142.183.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerddos.x3322.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ua.tispy.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tispy.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"boloneser.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256467/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; 
classtype:trojan-activity; sid:91256467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"mulaktix.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"munison.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"udefano.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brb.3dtuts.by"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3dtuts.by"; depth:9; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1256472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256472; rev:1;) alert tcp $HOME_NET any -> [2.58.113.208] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256476/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256476; rev:1;) alert tcp $HOME_NET any -> [93.123.39.73] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256475/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256475; rev:1;) alert tcp $HOME_NET any -> [41.249.108.177] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagejshttpgeocpugamebigloadsqlwp.php"; depth:38; nocase; http.host; content:"77.221.158.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256473; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 1414 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256466/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_13; classtype:trojan-activity; sid:91256466; rev:1;) alert tcp $HOME_NET any -> [94.156.64.237] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256465/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256465; rev:1;) alert tcp $HOME_NET any -> [159.69.26.61] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256464; rev:1;) alert tcp $HOME_NET any -> [159.69.26.61] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256463; rev:1;) alert tcp $HOME_NET any -> [13.232.156.210] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256462; rev:1;) alert tcp $HOME_NET any -> [162.33.178.156] 3122 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256459; rev:1;) alert tcp $HOME_NET any -> [27.25.156.47] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1256458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256458; rev:1;) alert tcp $HOME_NET any -> [147.45.47.93] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"165.232.75.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256455; rev:1;) alert tcp $HOME_NET any -> [147.45.47.93] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256454; rev:1;) alert tcp $HOME_NET any -> [128.199.178.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1256452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256452; rev:1;) alert tcp $HOME_NET any -> [165.232.75.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256453; rev:1;) alert tcp $HOME_NET any -> [8.137.84.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256450; rev:1;) alert tcp $HOME_NET any -> [1.94.120.249] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256451; rev:1;) alert tcp $HOME_NET any -> [1.117.60.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256447; rev:1;) alert tcp $HOME_NET any -> [101.35.173.226] 12306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256448; rev:1;) alert tcp $HOME_NET any -> [8.130.52.13] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256449; rev:1;) alert tcp $HOME_NET any -> [110.42.102.204] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256439; rev:1;) alert tcp $HOME_NET any -> [177.255.88.116] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256440; rev:1;) alert tcp $HOME_NET any -> [207.32.217.79] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256441; rev:1;) alert tcp $HOME_NET any -> [187.135.85.223] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256442; rev:1;) alert tcp $HOME_NET any -> [187.135.85.223] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256443/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256443; rev:1;) alert tcp $HOME_NET any -> [187.135.85.223] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256444; rev:1;) alert tcp $HOME_NET any -> [193.233.132.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qingfengddos.x3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256445; rev:1;) alert tcp $HOME_NET any -> [89.23.102.165] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256438; rev:1;) alert tcp $HOME_NET any -> [118.194.233.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mcnodes.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gemak.mk"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256354/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256354; rev:1;) alert tcp $HOME_NET any -> [45.88.90.185] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shodo.cosavostra.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256352/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256352; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themetorrent.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256353/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wct-witcom.nl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256355/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samsunguniverse.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256434; rev:1;) alert tcp $HOME_NET any -> [46.246.14.8] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256416; rev:1;) alert tcp $HOME_NET any -> [193.176.190.43] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256400; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auyametemplanza.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256210; rev:1;) alert tcp $HOME_NET any -> [193.233.132.101] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256435; rev:1;) alert tcp $HOME_NET any -> [77.221.149.184] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256432; rev:1;) alert tcp $HOME_NET any -> [77.221.149.184] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256433; rev:1;) alert tcp $HOME_NET any -> [116.255.216.145] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256431; rev:1;) alert tcp $HOME_NET any -> [38.45.126.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256430; rev:1;) alert tcp $HOME_NET any -> [43.249.193.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256429; rev:1;) alert tcp $HOME_NET any -> [38.45.126.102] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256428; rev:1;) alert tcp $HOME_NET any -> [38.45.126.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256427; rev:1;) alert tcp $HOME_NET any -> [49.235.117.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256426; rev:1;) alert tcp $HOME_NET any -> [38.45.126.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256425; rev:1;) alert tcp $HOME_NET any -> [46.246.86.18] 8000 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256424; rev:1;) alert tcp $HOME_NET any -> [189.140.26.156] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256423; rev:1;) alert tcp $HOME_NET any -> [143.198.137.33] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256422; rev:1;) alert tcp $HOME_NET any -> [66.78.40.230] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256421; rev:1;) alert tcp $HOME_NET any -> [157.230.66.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256420; rev:1;) alert tcp $HOME_NET any -> [163.181.142.111] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; 
classtype:trojan-activity; sid:91256419; rev:1;) alert tcp $HOME_NET any -> [116.203.6.63] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256418; rev:1;) alert tcp $HOME_NET any -> [185.222.57.134] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256417; rev:1;) alert tcp $HOME_NET any -> [47.100.180.123] 56616 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256415; rev:1;) alert tcp $HOME_NET any -> [124.89.53.26] 1010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256414; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256413; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 2047 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256412; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256411; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256410; rev:1;) alert tcp $HOME_NET any -> [94.156.67.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256409; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 10002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256408; rev:1;) alert tcp $HOME_NET any -> [77.221.151.12] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256407; rev:1;) alert tcp $HOME_NET any -> [5.181.156.17] 80 
(msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256406; rev:1;) alert tcp $HOME_NET any -> [193.233.232.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256405; rev:1;) alert tcp $HOME_NET any -> [178.33.57.150] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256404; rev:1;) alert tcp $HOME_NET any -> [171.232.6.144] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256403; rev:1;) alert tcp $HOME_NET any -> [98.181.129.31] 443 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256402; rev:1;) alert tcp $HOME_NET any -> [185.241.208.113] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256401/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_12; classtype:trojan-activity; sid:91256401; rev:1;) alert tcp $HOME_NET any -> [212.52.1.40] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256399; rev:1;) alert tcp $HOME_NET any -> [212.52.1.40] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256398; rev:1;) alert tcp $HOME_NET any -> [142.202.189.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256397; rev:1;) alert tcp $HOME_NET any -> [103.74.192.103] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256396; rev:1;) alert tcp $HOME_NET any -> [38.45.126.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256395; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256394; rev:1;) alert tcp $HOME_NET any -> [162.33.178.99] 4567 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256393; rev:1;) alert tcp $HOME_NET any -> [46.246.14.2] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256392; rev:1;) alert tcp $HOME_NET any -> [92.251.131.147] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256391; rev:1;) alert tcp $HOME_NET any -> [23.93.176.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256390; rev:1;) alert tcp $HOME_NET any -> [41.99.19.206] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256389; rev:1;) alert tcp $HOME_NET any -> [213.175.37.212] 445 (msg:"ThreatFox Responder 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256388; rev:1;) alert tcp $HOME_NET any -> [67.207.68.224] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256387; rev:1;) alert tcp $HOME_NET any -> [104.131.187.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256386; rev:1;) alert tcp $HOME_NET any -> [141.98.7.77] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256385; rev:1;) alert tcp $HOME_NET any -> [47.93.222.174] 27000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256384; rev:1;) alert tcp $HOME_NET any -> [45.63.120.203] 57483 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256383; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 30050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256382; rev:1;) alert tcp $HOME_NET any -> [107.172.133.197] 16696 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256381; rev:1;) alert tcp $HOME_NET any -> [103.164.49.176] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256380; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256379; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256378; rev:1;) alert tcp $HOME_NET any -> [187.135.145.47] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256377; rev:1;) alert tcp $HOME_NET any -> [194.48.251.136] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256376; rev:1;) alert tcp $HOME_NET any -> [185.185.71.5] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256375; rev:1;) alert tcp $HOME_NET any -> [38.181.78.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256374; rev:1;) alert tcp $HOME_NET any -> [42.51.37.127] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256373; rev:1;) alert tcp $HOME_NET any -> [42.51.37.127] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256372; rev:1;) alert tcp $HOME_NET any -> [47.97.113.146] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256371; rev:1;) alert tcp $HOME_NET any -> [2.58.56.221] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256370; rev:1;) alert tcp $HOME_NET any -> [77.221.151.10] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256369; rev:1;) alert tcp $HOME_NET any -> [217.195.207.156] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256368; rev:1;) alert tcp $HOME_NET any -> [185.141.61.74] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256367; rev:1;) alert tcp $HOME_NET any -> [178.20.45.159] 7777 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256366/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_12; classtype:trojan-activity; sid:91256366; rev:1;) alert tcp $HOME_NET any -> [173.44.50.82] 4433 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256365; rev:1;) alert tcp $HOME_NET any -> [46.226.162.32] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256364; rev:1;) alert tcp $HOME_NET any -> [94.158.245.206] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256363; rev:1;) alert tcp $HOME_NET any -> [45.15.158.144] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256362; rev:1;) alert tcp $HOME_NET any -> [49.13.125.250] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256361; rev:1;) alert tcp $HOME_NET any -> [116.202.186.227] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1256360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256360; rev:1;) alert tcp $HOME_NET any -> [116.203.15.18] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256359; rev:1;) alert tcp $HOME_NET any -> [116.202.188.155] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256358; rev:1;) alert tcp $HOME_NET any -> [3.21.170.65] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256357; rev:1;) alert tcp $HOME_NET any -> [147.189.168.81] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256356/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.188.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256348; rev:1;) alert tcp $HOME_NET any -> [49.13.32.146] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256346; rev:1;) alert tcp $HOME_NET any -> [116.202.188.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256347; rev:1;) alert tcp $HOME_NET any -> [94.156.64.193] 10110 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256204; rev:1;) alert tcp $HOME_NET any -> [206.166.251.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256205; rev:1;) alert tcp $HOME_NET any -> [171.250.188.12] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256206; rev:1;) alert tcp $HOME_NET any -> [171.250.188.12] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256207; rev:1;) alert tcp $HOME_NET any -> [185.216.70.75] 7771 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256209; rev:1;) alert tcp $HOME_NET any -> [45.128.96.169] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256201; rev:1;) alert tcp $HOME_NET any -> [45.134.225.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256202; rev:1;) alert tcp $HOME_NET any -> [45.134.225.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourserenahelpcustom.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256190; rev:1;) alert tcp $HOME_NET any -> [149.248.79.62] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256191; rev:1;) alert tcp $HOME_NET any -> [84.247.179.77] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256192; rev:1;) alert tcp $HOME_NET any -> [84.247.179.77] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256193; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 17814 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256194; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 34820 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256195; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 49078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256196; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 6004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256197; rev:1;) alert tcp $HOME_NET any -> [177.60.18.92] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256198; rev:1;) alert tcp $HOME_NET any -> [191.82.205.54] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256199; rev:1;) alert tcp $HOME_NET any -> [191.82.213.14] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256200; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"149.248.79.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"149.248.79.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"yourserenahelpcustom.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"yourserenahelpcustom.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256189; rev:1;) alert tcp $HOME_NET any -> [41.108.11.112] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256151; rev:1;) alert tcp $HOME_NET any -> [105.97.37.105] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256152; rev:1;) alert tcp $HOME_NET any -> [176.31.220.92] 1744 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256153; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256154; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256155; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256156; rev:1;) alert tcp 
$HOME_NET any -> [187.135.122.206] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256157; rev:1;) alert tcp $HOME_NET any -> [187.135.122.206] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256158; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256159; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256160; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256161; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256163; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256162; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256164; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256165; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256166; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256167; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2052 (msg:"ThreatFox 
DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256168; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256169; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256170; rev:1;) alert tcp $HOME_NET any -> [187.135.145.47] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256173; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256171; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256172/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_12; classtype:trojan-activity; sid:91256172; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256174; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256175; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256176; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256177; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256178; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1757 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256179; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256180; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256181; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256182; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256183; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256184; rev:1;) alert tcp 
$HOME_NET any -> [187.135.235.218] 1736 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sigortamsaglik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256083/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cosplayboobies.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256084/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arkamaya-grhatama.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256085/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pdfkutub.net"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256086/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"naghsheshahr.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256087/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"theceostory.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256088/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thll.org.tw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256090/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sparo1.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256089/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256089; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.estedavivere.it"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256091/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"freshysites.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256092/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.delcas.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256093/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wahlshausen.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256094/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ticketneedlellc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256095/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thevarsity.ca"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256096/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.dawinmeckel.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256100/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"etisalangy.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256097/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alldaily.ru"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1256099/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"karmanima.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256098/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vicbros.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256101/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cbseguides.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256102/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"venousmode.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256103/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256103; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"slimmerverdienen.nl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256104/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"teachersbadi.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256105/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eaalim.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256106/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"heshamsaad.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256107/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"giantif.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256108/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"web-e-reputation.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256109/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"javtape.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256110/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arabfish.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256112/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"itigic.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256111/; target:src_ip; 
metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"digibaru.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256113/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sindipetropb.com.br"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256114/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swiatyerby.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256115/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dailysonardesh.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256116/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bokenasetsadra.se"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256117/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lakedistrictbikes.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256118/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"servicesksa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256120/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.balkanyemekleri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256119/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; 
nocase; http.host; content:"openaps.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256121/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bookmeacookie.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256122/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"m-melody.jp"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256124/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"measuremarketing.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256123/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ctoasaservice.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256125/; target:src_ip; metadata: confidence_level 60, 
first_seen 2024_04_12; classtype:trojan-activity; sid:91256125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cocbases.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256126/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256126; rev:1;) alert tcp $HOME_NET any -> [31.124.151.205] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.cmorgan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256127/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256127; rev:1;) alert tcp $HOME_NET any -> [34.88.143.155] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256129; rev:1;) alert tcp $HOME_NET any -> [45.138.16.235] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256130; rev:1;) alert tcp $HOME_NET any -> [46.246.84.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256131; rev:1;) alert tcp $HOME_NET any -> [51.116.96.182] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256132; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256133; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256134; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256135; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1256136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256136; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256137; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256138; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256139; rev:1;) alert tcp $HOME_NET any -> [157.254.223.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256141; rev:1;) alert tcp $HOME_NET any -> [157.254.223.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256140; rev:1;) alert tcp $HOME_NET any -> [163.172.59.233] 6606 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256142; rev:1;) alert tcp $HOME_NET any -> [167.88.168.110] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256143; rev:1;) alert tcp $HOME_NET any -> [172.111.137.179] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256144; rev:1;) alert tcp $HOME_NET any -> [178.73.218.12] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256145; rev:1;) alert tcp $HOME_NET any -> [179.13.3.18] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256146; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256147/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_12; classtype:trojan-activity; sid:91256147; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256148; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256149; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256150; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256074; rev:1;) alert tcp $HOME_NET any -> [38.207.178.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256075; rev:1;) alert tcp $HOME_NET any -> [38.207.178.198] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256076; rev:1;) alert tcp $HOME_NET any -> [45.133.238.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256077; rev:1;) alert tcp $HOME_NET any -> [198.244.135.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256078; rev:1;) alert tcp $HOME_NET any -> [198.244.135.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256079; rev:1;) alert tcp $HOME_NET any -> [58.185.25.6] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256080; rev:1;) alert tcp $HOME_NET any -> [185.239.226.11] 7899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256081; rev:1;) alert tcp 
$HOME_NET any -> [209.58.183.85] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256082; rev:1;) alert tcp $HOME_NET any -> [103.146.50.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256067; rev:1;) alert tcp $HOME_NET any -> [149.28.23.34] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256068; rev:1;) alert tcp $HOME_NET any -> [111.92.243.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256069; rev:1;) alert tcp $HOME_NET any -> [170.130.55.121] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebraska-lawyers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1256071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256071; rev:1;) alert tcp $HOME_NET any -> [23.224.61.93] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256072; rev:1;) alert tcp $HOME_NET any -> [91.92.246.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256073; rev:1;) alert tcp $HOME_NET any -> [117.50.162.108] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256066; rev:1;) alert tcp $HOME_NET any -> [159.75.92.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256036; rev:1;) alert tcp $HOME_NET any -> [175.27.166.185] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256038; rev:1;) alert tcp $HOME_NET any -> 
[159.75.103.67] 12123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256037; rev:1;) alert tcp $HOME_NET any -> [8.134.14.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256039; rev:1;) alert tcp $HOME_NET any -> [8.138.100.71] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256040; rev:1;) alert tcp $HOME_NET any -> [8.138.120.114] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256041; rev:1;) alert tcp $HOME_NET any -> [47.99.56.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256042; rev:1;) alert tcp $HOME_NET any -> [114.55.113.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256047/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256047; rev:1;) alert tcp $HOME_NET any -> [114.55.115.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256048; rev:1;) alert tcp $HOME_NET any -> [118.31.115.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256049; rev:1;) alert tcp $HOME_NET any -> [120.26.169.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256050; rev:1;) alert tcp $HOME_NET any -> [142.93.140.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256052; rev:1;) alert tcp $HOME_NET any -> [104.236.69.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256051; rev:1;) alert tcp $HOME_NET any -> [142.93.140.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256053; rev:1;) alert tcp $HOME_NET any -> [143.198.70.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256054; rev:1;) alert tcp $HOME_NET any -> [157.245.12.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256055; rev:1;) alert tcp $HOME_NET any -> [165.232.123.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256056; rev:1;) alert tcp $HOME_NET any -> [47.242.249.91] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256057; rev:1;) alert tcp $HOME_NET any -> [47.243.59.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256058; rev:1;) alert tcp $HOME_NET any -> [43.129.201.38] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antfinancial.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256060; rev:1;) alert tcp $HOME_NET any -> [43.128.3.197] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256061; rev:1;) alert tcp $HOME_NET any -> [43.128.40.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256062; rev:1;) alert tcp $HOME_NET any -> [23.95.47.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256064; rev:1;) alert tcp $HOME_NET any -> [23.95.47.68] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256063; rev:1;) alert tcp $HOME_NET any -> [20.27.144.160] 9002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fabricate/state/rh3kw9xu"; depth:25; nocase; http.host; content:"43.138.208.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256045; rev:1;) alert tcp $HOME_NET any -> [43.138.208.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256046; rev:1;) alert tcp $HOME_NET any -> [172.234.250.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; 
content:"172.234.250.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.arton-bv.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256034/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"textis.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256035/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256035; rev:1;) alert tcp $HOME_NET any -> [193.124.113.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256033; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256032; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256031; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"46.183.223.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256029; rev:1;) alert tcp $HOME_NET any -> [172.94.39.213] 2016 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256028; rev:1;) alert tcp $HOME_NET any -> [178.73.218.12] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"45.15.156.229"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1255953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wonderforest.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256007/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nationalviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256008/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"crochetkim.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256009/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.app-gehts.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256011/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256011; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"coolskyfood.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256010/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"salamfest.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256012/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"voxpublica.no"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256013/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ambtenarensalaris.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256014/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"besocy.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256015/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"entekhab.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256016/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rkbaienfurt.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256017/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amerac.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256018/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256018; rev:1;) alert tcp $HOME_NET any -> [165.232.44.213] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256026; rev:1;) alert tcp 
$HOME_NET any -> [89.38.225.168] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256025; rev:1;) alert tcp $HOME_NET any -> [165.227.136.196] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256024; rev:1;) alert tcp $HOME_NET any -> [193.226.15.100] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256023; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256022; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256021; rev:1;) alert tcp $HOME_NET any -> [144.202.47.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256020/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256020; rev:1;) alert tcp $HOME_NET any -> [49.13.151.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"news.mn"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256004/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.casagaribaldi.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256005/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thepointsking.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256006/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256006; rev:1;) alert tcp $HOME_NET any -> [5.42.65.50] 33080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256002; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 6136 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91255999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255993; rev:1;) alert tcp $HOME_NET any -> [172.245.191.97] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91255992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecbabbshop24578.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255761/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karamdsadvs2.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakalandankasd5.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecklardankalan.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2028"; depth:15; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256003; rev:1;) alert tcp $HOME_NET any -> 
[45.15.158.15] 6969 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91256000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/927339792"; depth:20; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255994; rev:1;)
# NOTE(review): the run of "url" rules below places a bare host or IP in the http.uri buffer with
# depth equal to the content length (i.e. the match must start at offset 0) and sets no http.host
# constraint at all. The request URI of an origin-form HTTP/1.x request begins with "/" (and an
# absolute-form proxy request begins with the scheme), so the content can never sit at offset 0
# and these rules will not fire on well-formed traffic. Presumably the source IoC is a URL with no
# path and the generator placed the host in the wrong buffer; the likely intended form is
#   http.host; content:"93.123.39.11"; depth:12; isdataat:!1,relative;
# -- verify against the referenced ThreatFox entry before changing the buffer. "nocase" is a no-op
# on a dotted quad but does matter for the domain variants (farozinda.ru, top-adobe.site, ...).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"93.123.39.11"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.202.233.204"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.132.241"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1255989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.21.118.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"farozinda.ru"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.188"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"top-adobe.site"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.209"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1255983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.109"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.97"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1255982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"unidasg.top"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1255981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.216.123.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.33"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"abrws.com.br"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.184.48.114"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.223.142"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.146.152"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.113.119.199"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.26"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rewe-coupouns.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1255972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"52.143.157.84"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255971; rev:1;)
# NOTE(review): end of the host-in-http.uri run; the two rules below are back to the normal
# ip:port and uri+host shape and do not need the fix described above.
alert tcp $HOME_NET any -> [154.12.85.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.12.85.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255969; rev:1;)
alert tcp $HOME_NET any -> [62.109.5.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds
60, count 1; reference:url, threatfox.abuse.ch/ioc/1255968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255968; rev:1;) alert tcp $HOME_NET any -> [212.224.88.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255967; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255966; rev:1;) alert tcp $HOME_NET any -> [123.60.128.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255965; rev:1;) alert tcp $HOME_NET any -> [107.167.92.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255964; rev:1;) alert tcp $HOME_NET any -> [46.246.82.21] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255963; rev:1;) alert tcp $HOME_NET any -> [139.218.246.83] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255962; rev:1;) alert tcp $HOME_NET any -> [43.135.55.212] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255960; rev:1;) alert tcp $HOME_NET any -> [43.135.55.212] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255961; rev:1;) alert tcp $HOME_NET any -> [66.85.173.32] 2268 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255959; rev:1;) alert tcp $HOME_NET any -> [163.181.39.67] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255958; rev:1;) alert tcp $HOME_NET any -> [111.31.37.38] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255957; rev:1;) alert tcp $HOME_NET any -> [5.253.43.96] 8010 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255956; rev:1;) alert tcp $HOME_NET any -> [45.32.233.38] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255955; rev:1;) alert tcp $HOME_NET any -> [46.246.14.23] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"birdpenallitysydw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"telldruggcommitetter.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doughmebinnybunio.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"orbitpettystudio.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"interferencesandyshiw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"warningindicationsjw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"concessionofsellerwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"strainriskpropos.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"neddlepyramidfunnyjok.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"revisedrinkslappyoowi.shop"; 
depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"birdvigorousedetertyw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"newspaperpotatoju.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickbrothjorkyooe.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peanutclutchlowwow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"appliedgrandyjuiw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sailsystemeyeusjw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rugbysummerosodnwu.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"spokespersonunjuriwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jewelbasinfrankywoi.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"convictionpartyeokwi.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"competitionpooleow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"landgateindirectdangre.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roundpolechildryowjv.shop"; 
depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"democraticseekysiwo.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"prematuresolvehumoew.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"directorryversionyju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tearfulbashfulow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"computerfuneralljwu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"divosrcemusemutati.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"practicalcoherentt.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pumpedcalmdeadpannkow.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"meadowannivejrsary.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"awardlandscareposiw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chokepopilarvirusew.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disgustedsorryeedi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"marchsensedjurkey.shop"; 
depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paintercrutcheniw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"speedparticipatewo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wagonglidemonkywo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"punchtelephoneverdi.store"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preciousenviouskakei.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"officiallongberyw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"deadpanstupiddyjjuwk.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinationconventiwov.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"wpseed.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"estesidiosplat.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"liverpool777.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255760; rev:1;) alert tcp $HOME_NET any -> [85.239.34.72] 9981 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255758; rev:1;) alert tcp $HOME_NET any -> [198.46.143.219] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"infineitsolutions.com"; 
depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"infineitsolutions.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"gitkonus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255752; rev:1;) alert tcp $HOME_NET any -> [116.202.186.227] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.186.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255754; rev:1;) alert tcp $HOME_NET any -> [65.109.242.131] 443 (msg:"ThreatFox Vidar botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255749; rev:1;) alert tcp $HOME_NET any -> [8.220.200.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255747; rev:1;) 
alert tcp $HOME_NET any -> [124.71.150.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"86.107.199.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255746; rev:1;) alert tcp $HOME_NET any -> [182.92.79.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255743; rev:1;) alert tcp $HOME_NET any -> [182.92.79.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255744; rev:1;) alert tcp $HOME_NET any -> [78.142.18.222] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255718; rev:1;) alert tcp $HOME_NET any -> [5.180.24.155] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255719; rev:1;) alert tcp $HOME_NET any -> [118.25.150.165] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255720; rev:1;) alert tcp $HOME_NET any -> [118.25.150.165] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255721; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255722; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255723; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255724; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255725; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255726; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255727; rev:1;) alert tcp $HOME_NET any -> [154.8.160.93] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255728; rev:1;) alert tcp $HOME_NET any -> [175.27.158.231] 30000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255729; rev:1;) alert tcp $HOME_NET any -> [42.192.42.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255730; rev:1;) alert tcp $HOME_NET any -> [101.42.24.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255731; rev:1;) alert tcp $HOME_NET any -> [120.53.237.23] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255732; rev:1;) alert tcp $HOME_NET any -> [122.51.219.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255733; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255734; rev:1;) alert tcp $HOME_NET any -> [150.158.33.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255735; 
rev:1;) alert tcp $HOME_NET any -> [162.14.102.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255736; rev:1;) alert tcp $HOME_NET any -> [47.92.131.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255738; rev:1;) alert tcp $HOME_NET any -> [175.24.189.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255737; rev:1;) alert tcp $HOME_NET any -> [47.104.82.127] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255739; rev:1;) alert tcp $HOME_NET any -> [47.120.60.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255740; rev:1;) alert tcp $HOME_NET any -> [101.37.84.176] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1255741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255741; rev:1;) alert tcp $HOME_NET any -> [139.224.231.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"212.87.204.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255712/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255713/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255714/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255715/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255716/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255717; rev:1;) alert tcp $HOME_NET any -> [91.92.243.79] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1255710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255710; rev:1;) alert tcp $HOME_NET any -> [94.154.34.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255709; rev:1;) alert tcp $HOME_NET any -> [109.120.176.38] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255708; rev:1;) alert tcp $HOME_NET any -> [79.137.197.154] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255707; rev:1;) alert tcp $HOME_NET any -> [123.56.214.38] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255706; rev:1;) alert tcp $HOME_NET any -> [46.246.84.8] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255705; rev:1;) alert tcp $HOME_NET any -> [179.13.3.18] 8010 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255704; rev:1;) alert tcp $HOME_NET any -> [190.134.136.148] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255703; rev:1;) alert tcp $HOME_NET any -> [41.103.240.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255702; rev:1;) alert tcp $HOME_NET any -> [175.13.33.64] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255701; rev:1;) alert tcp $HOME_NET any -> [20.125.108.162] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255700; rev:1;) alert tcp $HOME_NET any -> [45.133.238.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255699; rev:1;) alert tcp $HOME_NET any -> [16.171.148.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255698; rev:1;) alert tcp $HOME_NET any -> [164.215.103.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255697; rev:1;) alert tcp $HOME_NET any -> [143.198.73.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassonite.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"newarticles23.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255685; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/filezilla_3.66.1_win64.zip"; depth:39; nocase; http.host; content:"amplex-amplification.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"puttyy.ca"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"pputy.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"puuty.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"file-zilla-projectt.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"powerup.dynuddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255679; rev:1;) alert tcp $HOME_NET any -> [104.238.137.229] 6363 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255678; rev:1;) alert tcp $HOME_NET any -> [34.31.226.230] 37144 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255632; rev:1;) alert tcp $HOME_NET any -> [45.13.227.109] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255633; rev:1;) alert tcp $HOME_NET any -> [192.54.57.69] 3884 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaztc.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255674/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255674; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"support.hosting-hero.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.zip"; depth:14; nocase; http.host; content:"mkt.geostrategy-ec.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"mail.smartnet-support.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 50%)"; dns_query; content:"infoputty.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"putt-get.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"ssh-client.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"putty-ssh.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255692; rev:1;) alert tcp $HOME_NET any -> [207.32.216.126] 30685 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; 
content:"makaraaras.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"mabelkanadan.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karamdasn2.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalandan5.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255495; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255518; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"parahoyestsidio.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255519/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255519; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5557 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/88746289041"; depth:22; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255676; rev:1;) alert tcp $HOME_NET any -> [172.67.211.144] 443 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255671; rev:1;) alert tcp $HOME_NET any -> [104.21.67.23] 80 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255670; rev:1;) alert tcp $HOME_NET any -> [45.61.139.225] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255669; rev:1;) alert tcp $HOME_NET any -> [38.92.40.19] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255668; rev:1;) alert tcp $HOME_NET any -> [45.128.232.135] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255667; rev:1;) alert tcp $HOME_NET any -> [45.128.232.135] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255666; rev:1;) alert tcp $HOME_NET any -> [92.63.96.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255665; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255664; rev:1;) 
alert tcp $HOME_NET any -> [154.40.47.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255663; rev:1;) alert tcp $HOME_NET any -> [47.108.204.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255662; rev:1;) alert tcp $HOME_NET any -> [43.128.177.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255661; rev:1;) alert tcp $HOME_NET any -> [47.93.174.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255660; rev:1;) alert tcp $HOME_NET any -> [123.57.137.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255659; rev:1;) alert tcp $HOME_NET any -> [47.93.173.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255658; rev:1;) alert tcp $HOME_NET any -> [46.246.82.12] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255657; rev:1;) alert tcp $HOME_NET any -> [171.41.198.122] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255656; rev:1;) alert tcp $HOME_NET any -> [216.83.36.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255655; rev:1;) alert tcp $HOME_NET any -> [103.186.108.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255654; rev:1;) alert tcp $HOME_NET any -> [94.156.10.201] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255652; rev:1;) alert tcp $HOME_NET any -> [86.22.67.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255653; rev:1;) alert tcp $HOME_NET any -> [62.1.168.180] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255651; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255650; rev:1;) alert tcp $HOME_NET any -> [185.62.57.235] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255649; rev:1;) alert tcp $HOME_NET any -> [95.172.23.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255648; rev:1;) alert tcp $HOME_NET any -> [202.95.23.39] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255647; rev:1;) alert tcp 
$HOME_NET any -> [88.214.59.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255646; rev:1;) alert tcp $HOME_NET any -> [43.129.31.231] 8858 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255645; rev:1;) alert tcp $HOME_NET any -> [116.177.245.48] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255644; rev:1;) alert tcp $HOME_NET any -> [137.220.197.178] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255643; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255642; rev:1;) alert tcp $HOME_NET any -> [3.105.98.157] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255641/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255641; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255640; rev:1;) alert tcp $HOME_NET any -> [94.98.197.28] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255639/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255639; rev:1;) alert tcp $HOME_NET any -> [66.50.11.141] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255638; rev:1;) alert tcp $HOME_NET any -> [174.75.184.124] 2083 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255637/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255637; rev:1;) alert tcp $HOME_NET any -> [72.203.198.245] 8009 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255636; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.56.226.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"38.6.178.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255631; rev:1;) alert tcp $HOME_NET any -> [202.144.192.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"202.144.192.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255523; rev:1;) alert tcp $HOME_NET any -> [195.201.47.150] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255522; rev:1;) alert tcp $HOME_NET any -> [95.217.242.90] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255517; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.microsoftonline.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.microsoftonline.info"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255515; rev:1;) alert tcp $HOME_NET any -> [47.236.185.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.185.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"154.92.14.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255512/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.55.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255506; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255507; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.37.237.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255504; rev:1;) alert tcp $HOME_NET any -> [154.204.177.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255502; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"193.32.149.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azure/api/v2/userinfo/get"; depth:26; nocase; http.host; content:"baidu.freemetb.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baidu.freemetb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; 
content:"121.37.237.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255497; rev:1;) alert tcp $HOME_NET any -> [154.204.177.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255496; rev:1;) alert tcp $HOME_NET any -> [202.144.192.44] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fdsagwagfdsba.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255490; rev:1;) alert tcp $HOME_NET any -> [45.61.141.168] 35228 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255489; rev:1;) alert tcp $HOME_NET any -> [89.185.84.115] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; 
classtype:trojan-activity; sid:91255488; rev:1;) alert tcp $HOME_NET any -> [93.123.85.100] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255486; rev:1;) alert tcp $HOME_NET any -> [141.98.10.76] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255487; rev:1;) alert tcp $HOME_NET any -> [91.92.242.187] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255478/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255478; rev:1;) alert tcp $HOME_NET any -> [79.137.192.4] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/jetpack/json-endpoints/jetpack/hays_compiled_documents.zip"; depth:78; nocase; http.host; content:"felizcity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"samsunguniverse.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdefs.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdasd65.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdgfdgn2.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererd5345.com"; 
depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dsbr.cam"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255467; rev:1;) alert tcp $HOME_NET any -> [94.156.8.110] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswl.vipsf888.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255470; rev:1;) alert tcp $HOME_NET any -> [14.225.219.227] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255469; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255473; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.95.254.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"119.91.214.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdtzx.scr"; depth:10; nocase; http.host; content:"covid19help.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhudaji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1255461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rubiconviewer.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hatsune.network"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"int.hatsune.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255464; rev:1;) alert tcp $HOME_NET any -> [45.148.244.74] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255459; rev:1;) alert tcp $HOME_NET any -> [91.92.240.123] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255458; rev:1;) alert tcp 
$HOME_NET any -> [91.92.253.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255457; rev:1;) alert tcp $HOME_NET any -> [166.88.61.185] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255456; rev:1;) alert tcp $HOME_NET any -> [38.89.76.175] 61915 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255455; rev:1;) alert tcp $HOME_NET any -> [106.54.222.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255454; rev:1;) alert tcp $HOME_NET any -> [194.87.236.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255453; rev:1;) alert tcp $HOME_NET any -> [101.200.160.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255452/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255452; rev:1;) alert tcp $HOME_NET any -> [121.36.61.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255451; rev:1;) alert tcp $HOME_NET any -> [101.200.214.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255450; rev:1;) alert tcp $HOME_NET any -> [111.223.247.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255449; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 2230 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255448; rev:1;) alert tcp $HOME_NET any -> [46.246.14.9] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255447; rev:1;) alert tcp $HOME_NET any -> [51.116.96.182] 4000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255446; rev:1;) alert tcp $HOME_NET any -> [188.126.90.3] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255445; rev:1;) alert tcp $HOME_NET any -> [97.118.50.67] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255444; rev:1;) alert tcp $HOME_NET any -> [8.140.193.181] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255443; rev:1;) alert tcp $HOME_NET any -> [167.172.246.65] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255441; rev:1;) alert tcp $HOME_NET any -> [167.172.246.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255442; rev:1;) alert tcp $HOME_NET any 
-> [47.236.151.19] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255440; rev:1;) alert tcp $HOME_NET any -> [47.245.38.152] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255439; rev:1;) alert tcp $HOME_NET any -> [167.71.105.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255438; rev:1;) alert tcp $HOME_NET any -> [116.203.15.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255436; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5556 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1255424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255424; rev:1;) alert tcp $HOME_NET any -> [51.68.169.77] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255422; rev:1;) alert tcp $HOME_NET any -> [89.105.201.98] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"ahhhuu22cxxx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"h23hxa22f3f2a.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255416; rev:1;) alert tcp $HOME_NET any -> [47.242.231.229] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"h13f2hah2aa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"cwcwac3f422af.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"g2agfawfw.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255419; rev:1;) alert tcp $HOME_NET any -> [77.221.137.22] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"38.181.35.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuailianv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winarkamaps.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stratimasesstr.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255431; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 8732 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255435/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boom.baiduboomboom.tk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255433; rev:1;) alert tcp $HOME_NET any -> [1.15.247.249] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"boom.baiduboomboom.tk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255432; rev:1;) alert tcp $HOME_NET any -> [94.250.249.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255414; rev:1;) alert tcp $HOME_NET any -> [178.128.106.68] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255413; rev:1;) alert tcp $HOME_NET any -> [150.109.70.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255412; rev:1;) alert tcp $HOME_NET any -> [176.96.138.72] 9191 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255411; rev:1;) alert tcp $HOME_NET any -> [39.101.205.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255410; rev:1;) alert tcp $HOME_NET any -> [39.40.139.74] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255409; rev:1;) alert tcp $HOME_NET any -> [198.135.163.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255408; rev:1;) alert tcp $HOME_NET any -> [159.69.195.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255407; rev:1;) alert tcp $HOME_NET any -> [34.195.136.4] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255406; rev:1;) alert tcp $HOME_NET any -> [3.88.131.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255405; rev:1;) alert tcp $HOME_NET any -> [116.122.95.74] 80 
(msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vchaonlyone.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"senpalia.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255402; rev:1;) alert tcp $HOME_NET any -> [46.246.82.18] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255403; rev:1;) alert tcp $HOME_NET any -> [46.246.6.20] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255404; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255224/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255224; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255225; rev:1;) alert tcp $HOME_NET any -> [111.229.158.40] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255193; rev:1;) alert tcp $HOME_NET any -> [111.229.158.40] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255192; rev:1;) alert tcp $HOME_NET any -> [101.43.111.190] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255174; rev:1;) alert tcp $HOME_NET any -> [43.139.52.213] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255117; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255276; rev:1;) alert tcp $HOME_NET any -> [128.199.0.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255277; rev:1;) alert tcp $HOME_NET any -> [139.59.101.62] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255278; rev:1;) alert tcp $HOME_NET any -> [159.65.20.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255279; rev:1;) alert tcp $HOME_NET any -> [23.95.65.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255280; rev:1;) alert tcp $HOME_NET any -> [43.163.220.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255281; rev:1;) alert tcp $HOME_NET any -> [119.28.110.63] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tencentweb.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255283; rev:1;) alert tcp $HOME_NET any -> [74.226.216.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255284; rev:1;) alert tcp $HOME_NET any -> [47.76.113.146] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255395; rev:1;) alert tcp $HOME_NET any -> [74.226.216.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255285; rev:1;) alert tcp $HOME_NET any -> [45.152.243.228] 9090 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255394; rev:1;) alert tcp $HOME_NET any -> [102.165.56.50] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255396; rev:1;) alert tcp $HOME_NET any -> [162.238.154.3] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255397; rev:1;) alert tcp $HOME_NET any -> [179.100.74.227] 1024 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255398; rev:1;) alert tcp $HOME_NET any -> [194.48.251.169] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255399; rev:1;) alert tcp $HOME_NET any -> [47.76.178.33] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255273; rev:1;) alert tcp 
$HOME_NET any -> [64.23.173.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255274; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255275; rev:1;) alert tcp $HOME_NET any -> [47.76.163.6] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255272; rev:1;) alert tcp $HOME_NET any -> [47.97.96.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255266; rev:1;) alert tcp $HOME_NET any -> [1.92.79.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255269; rev:1;) alert tcp $HOME_NET any -> [47.120.65.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255267; rev:1;) alert tcp $HOME_NET any -> [112.124.34.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255268; rev:1;) alert tcp $HOME_NET any -> [124.71.129.181] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255270; rev:1;) alert tcp $HOME_NET any -> [23.94.148.10] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255271; rev:1;) alert tcp $HOME_NET any -> [47.92.200.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255265; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 17500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255263; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 44888 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255264; rev:1;) alert tcp $HOME_NET any -> [8.130.143.185] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255261; rev:1;) alert tcp $HOME_NET any -> [120.24.170.13] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255262; rev:1;) alert tcp $HOME_NET any -> [8.130.98.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255259; rev:1;) alert tcp $HOME_NET any -> [8.130.142.27] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255260; rev:1;) alert tcp $HOME_NET any -> [206.233.128.64] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255356/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255356; rev:1;) alert tcp $HOME_NET any -> [45.77.24.231] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255388; rev:1;) alert tcp $HOME_NET any -> [181.162.187.238] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255353; rev:1;) alert tcp $HOME_NET any -> [184.190.169.22] 3389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255354; rev:1;) alert tcp $HOME_NET any -> [185.174.101.93] 6546 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255355; rev:1;) alert tcp $HOME_NET any -> [8.130.34.199] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255349; rev:1;) alert tcp $HOME_NET any -> [150.158.139.196] 6666 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255352; rev:1;) alert tcp $HOME_NET any -> [91.92.254.190] 8084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255350; rev:1;) alert tcp $HOME_NET any -> [103.143.15.58] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255351; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255331; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255332; rev:1;) alert tcp $HOME_NET any -> [172.247.5.223] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255329; 
rev:1;) alert tcp $HOME_NET any -> [23.224.143.16] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255330; rev:1;) alert tcp $HOME_NET any -> [45.145.228.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"fairfurryfriends.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"fairfurryfriends.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newintento777.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"akademipraktik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"akademipraktik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255288; rev:1;) alert tcp $HOME_NET any -> [91.92.255.45] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255389; rev:1;) alert tcp $HOME_NET any -> [91.92.255.45] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255390; rev:1;) alert tcp $HOME_NET any -> [94.156.65.159] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255391; rev:1;) alert tcp $HOME_NET any -> [94.156.65.159] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255392; rev:1;) alert tcp $HOME_NET any -> [49.232.55.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255131; rev:1;) alert tcp $HOME_NET any -> [49.232.208.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255144; rev:1;) alert tcp $HOME_NET any -> [43.136.90.70] 50034 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255096; rev:1;) alert tcp $HOME_NET any -> [45.89.53.187] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255085; rev:1;) alert tcp $HOME_NET any -> [159.100.30.207] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255393; rev:1;) alert tcp $HOME_NET any -> [193.143.1.168] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255387; rev:1;) alert tcp $HOME_NET any -> [193.143.1.168] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255386; rev:1;) alert tcp $HOME_NET any -> [93.123.39.11] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255385; rev:1;) alert tcp $HOME_NET any -> [93.123.39.11] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255384; rev:1;) alert tcp $HOME_NET any -> [52.143.157.84] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255383; rev:1;) alert tcp $HOME_NET any -> [52.143.157.84] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255382; rev:1;) alert tcp $HOME_NET any -> [185.209.162.38] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255381; rev:1;) alert tcp $HOME_NET any -> [185.209.162.38] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255380; rev:1;) alert tcp $HOME_NET any -> [185.172.128.209] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255379; rev:1;) alert tcp $HOME_NET any -> [185.172.128.209] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255378; rev:1;) alert tcp $HOME_NET any -> [95.164.2.59] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255377; rev:1;) alert tcp $HOME_NET any -> 
[95.164.2.59] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255376; rev:1;) alert tcp $HOME_NET any -> [62.113.119.199] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255375; rev:1;) alert tcp $HOME_NET any -> [62.113.119.199] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255374; rev:1;) alert tcp $HOME_NET any -> [185.172.128.145] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255373; rev:1;) alert tcp $HOME_NET any -> [193.143.1.226] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255372; rev:1;) alert tcp $HOME_NET any -> [193.143.1.226] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255371/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_09; classtype:trojan-activity; sid:91255371; rev:1;) alert tcp $HOME_NET any -> [185.216.70.109] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255370; rev:1;) alert tcp $HOME_NET any -> [185.216.70.109] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255369; rev:1;) alert tcp $HOME_NET any -> [217.182.197.48] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255368; rev:1;) alert tcp $HOME_NET any -> [217.182.197.48] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255367; rev:1;) alert tcp $HOME_NET any -> [185.172.128.26] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255366; rev:1;) alert tcp $HOME_NET any -> [185.172.128.26] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255365; rev:1;) alert tcp $HOME_NET any -> [185.172.128.208] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255364; rev:1;) alert tcp $HOME_NET any -> [185.172.128.208] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255363; rev:1;) alert tcp $HOME_NET any -> [94.156.8.97] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255362; rev:1;) alert tcp $HOME_NET any -> [94.156.8.97] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255361; rev:1;) alert tcp $HOME_NET any -> [91.202.233.204] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255360; rev:1;) alert tcp $HOME_NET any -> [91.202.233.204] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255359; rev:1;) alert tcp $HOME_NET any -> [147.45.78.181] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255358; rev:1;) alert tcp $HOME_NET any -> [147.45.78.181] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255357; rev:1;) alert tcp $HOME_NET any -> [188.166.232.102] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255348; rev:1;) alert tcp $HOME_NET any -> [45.67.86.155] 9009 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255347; rev:1;) alert tcp $HOME_NET any -> [209.141.37.216] 3074 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255346; rev:1;) alert tcp 
$HOME_NET any -> [45.128.232.130] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255345; rev:1;) alert tcp $HOME_NET any -> [45.67.86.157] 9009 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255344; rev:1;) alert tcp $HOME_NET any -> [51.68.213.73] 25 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255343; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255342; rev:1;) alert tcp $HOME_NET any -> [103.97.58.61] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255341; rev:1;) alert tcp $HOME_NET any -> [185.158.132.135] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255340/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255340; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 50054 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255339; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7018 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255338; rev:1;) alert tcp $HOME_NET any -> [147.78.47.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255337; rev:1;) alert tcp $HOME_NET any -> [182.92.216.171] 57001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255336; rev:1;) alert tcp $HOME_NET any -> [91.92.252.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255335; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255334; rev:1;) alert tcp $HOME_NET any -> [81.19.137.205] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255333; rev:1;) alert tcp $HOME_NET any -> [107.167.93.99] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255328; rev:1;) alert tcp $HOME_NET any -> [64.94.85.165] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255327; rev:1;) alert tcp $HOME_NET any -> [92.42.96.24] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255326; rev:1;) alert tcp $HOME_NET any -> [77.221.156.212] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255325; rev:1;) alert tcp 
$HOME_NET any -> [193.233.132.114] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255324; rev:1;) alert tcp $HOME_NET any -> [141.195.117.127] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255323; rev:1;) alert tcp $HOME_NET any -> [188.40.248.148] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255322; rev:1;) alert tcp $HOME_NET any -> [91.227.40.93] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255321; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 10000 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255320; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255319/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255319; rev:1;) alert tcp $HOME_NET any -> [178.62.239.104] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255318; rev:1;) alert tcp $HOME_NET any -> [64.7.199.224] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255317; rev:1;) alert tcp $HOME_NET any -> [89.238.170.230] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255316; rev:1;) alert tcp $HOME_NET any -> [185.17.40.132] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255315; rev:1;) alert tcp $HOME_NET any -> [146.70.135.158] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255314; rev:1;) alert tcp $HOME_NET any -> [91.198.166.140] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255313; rev:1;) alert tcp $HOME_NET any -> [192.227.94.170] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255312; rev:1;) alert tcp $HOME_NET any -> [193.233.132.111] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255311; rev:1;) alert tcp $HOME_NET any -> [193.233.132.38] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255310; rev:1;) alert tcp $HOME_NET any -> [116.203.15.173] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255307/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255307; rev:1;) alert tcp $HOME_NET any -> [195.201.250.50] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255306/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255306; rev:1;)
# --- Review notes (added by reviewer; not part of the ThreatFox feed) ---
# This excerpt has been re-wrapped to one rule per line, which is what the
# Suricata rule parser requires. The first and last lines are fragments of
# rules that begin or end outside the excerpt and are left exactly as found.
#
# How these rules match (read from the rule text itself):
#  * "alert tcp ... -> [IP] PORT" rules carry no flow keyword, so any packet
#    toward that IP:port (a bare SYN from a scanner, a browser pre-connect)
#    fires them; "threshold: type limit, track by_src, seconds 60, count 1"
#    only caps it at one alert per source host per minute. If SYN noise is a
#    problem, a local copy can add flow:to_server,established.
#  * "alert http" rules: http.host is an exact match (depth equals the host
#    length and isdataat:!1,relative forbids trailing bytes); http.uri is a
#    prefix match (depth only, no trailing isdataat), nocase; GET only.
#  * "alert dns" rules match the exact query name, nocase.
#  * metadata confidence_level ranges 50..100 in this excerpt and the msg text
#    repeats it, so alerts can be triaged or suppressed on that value.
#  * IP indicators are dated first_seen 2024_04_09 / 2024_04_08; several sit
#    in public-cloud ranges where leases churn, so presumably they go stale
#    quickly — check the referenced ThreatFox record before blocking on them.
alert tcp $HOME_NET any -> [159.69.102.165] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255305/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255305; rev:1;)
alert tcp $HOME_NET any -> [195.201.47.206] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255304/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255304; rev:1;)
alert tcp $HOME_NET any -> [78.47.141.20] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255303/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255303; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.145] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255302; rev:1;)
alert tcp $HOME_NET any -> [115.74.21.108] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255301; rev:1;)
alert tcp $HOME_NET any -> [115.74.21.108] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255300; rev:1;)
alert tcp $HOME_NET any -> [86.106.87.158] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255299; rev:1;)
alert tcp $HOME_NET any -> [139.180.171.110] 22841 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255298; rev:1;)
alert tcp $HOME_NET any -> [185.224.135.175] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255297; rev:1;)
alert tcp $HOME_NET any -> [101.237.34.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255296; rev:1;)
alert tcp $HOME_NET any -> [173.248.141.247] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255295; rev:1;)
alert tcp $HOME_NET any -> [98.191.141.157] 2000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255294; rev:1;)
alert tcp $HOME_NET any -> [111.173.116.170] 1235 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255293; rev:1;)
alert tcp $HOME_NET any -> [37.221.93.29] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255292; rev:1;)
alert tcp $HOME_NET any -> [171.249.235.149] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255291/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255291; rev:1;)
alert tcp $HOME_NET any -> [154.62.175.113] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255289/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255289; rev:1;)
# Payload-delivery URL rules: exact host + prefix uri, GET only (see header).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ms_excel_azure_cloud_open_document.vbs"; depth:41; nocase; http.host; content:"45.89.53.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255084; rev:1;)
alert tcp $HOME_NET any -> [103.124.106.237] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255083; rev:1;)
# 192.3.95.135 appears three times: as an ip:port indicator and as the host of
# two payload URLs (sids 91255079, 91255080); a single download trips all three.
alert tcp $HOME_NET any -> [192.3.95.135] 80 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xampp/kjk/weareverybeautifulgirlsxygirlwantokissmeharderthanbeforetogetmeback___sheisverybeeautifulgirlforme.doc"; depth:113; nocase; http.host; content:"192.3.95.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0804t/wininit.exe"; depth:19; nocase; http.host; content:"192.3.95.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255080; rev:1;)
alert tcp $HOME_NET any -> [103.151.123.225] 1664 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255071; rev:1;)
# Dynamic-DNS names (ddns.net, duckdns.org) below: the queried name, not the
# address it resolves to, is the stable indicator — that is why these are
# dns_query rules rather than ip:port rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzitziklishop4.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"bannerbarter.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"bannerbarter.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shgoini.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255076; rev:1;)
alert tcp $HOME_NET any -> [107.175.229.143] 30902 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255077; rev:1;)
alert tcp $HOME_NET any -> [66.204.14.97] 20256 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.236.171.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255070; rev:1;)
# Paths such as /jquery-3.3.1.min.js, /ptj, /pixel.gif, /ga.js, /match, /j.ad,
# /cx, /__utm.gif, /updates.rss, /dpixel and /load (this and following URL
# rules) are generic-looking web paths on their own. The sibling ip:port rules
# for 8.220.200.34 and 39.100.107.190 are labelled Cobalt Strike, and these
# URIs are consistent with its default HTTP profile (reviewer assumption —
# the feed itself only says "botnet C2"). The exact http.host match is what
# carries the specificity; do not loosen it.
alert tcp $HOME_NET any -> [8.220.200.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.107.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255066; rev:1;)
alert tcp $HOME_NET any -> [39.100.107.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255067; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.91] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255064; rev:1;)
alert tcp $HOME_NET any -> [107.172.148.197] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tdpzx.scr"; depth:10; nocase; http.host; content:"universalmovies.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psolver827.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255062; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.218] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"117.50.182.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"206.189.182.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255056; rev:1;)
alert tcp $HOME_NET any -> [192.3.216.142] 7232 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255055; rev:1;)
# t.me and steamcommunity.com (next two rules) are legitimate public services;
# the indicator is the specific path, presumably used as a dead-drop resolver
# for the real C2 address (reviewer assumption). Because http.uri is a prefix
# match, any GET whose path starts with /de17fs on host t.me matches — keep
# the exact host match; widening it to a domain suffix would flood alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de17fs"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199667616374"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255053; rev:1;)
# uri "/" with depth:1 is a prefix every GET satisfies, so this rule is
# effectively an IP indicator for 65.109.243.220 and overlaps sid 91255051.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255052; rev:1;)
alert tcp $HOME_NET any -> [65.109.243.220] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255051; rev:1;)
alert tcp $HOME_NET any -> [147.135.119.43] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255046; rev:1;)
alert tcp $HOME_NET any -> [134.255.218.111] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255047; rev:1;)
alert tcp $HOME_NET any -> [147.135.119.43] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255048; rev:1;)
alert tcp $HOME_NET any -> [134.255.218.111] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255049; rev:1;)
alert tcp $HOME_NET any -> [185.150.26.199] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255050/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255044; rev:1;)
alert tcp $HOME_NET any -> [195.133.44.41] 2295 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255043; rev:1;)
alert tcp $HOME_NET any -> [164.155.128.124] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255042; rev:1;)
# REVIEW: 172.18.202.226 is an RFC 1918 address (172.16.0.0/12). With the
# usual $HOME_NET / $EXTERNAL_NET split this rule cannot fire, and the
# indicator is probably a sandbox or lab artifact in the ThreatFox record
# (ioc/1255041) — verify it before relying on it or re-exporting it to a
# blocklist, where a private address would be actively harmful.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.18.202.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255041; rev:1;)
# Duplicate indicator: sid 91255037 below has the same host and uri; one
# request raises both alerts (distinct ThreatFox records 1255040 / 1255037).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.55.1.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.55.65.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255038; rev:1;)
# Duplicate of sid 91255040 above (same host 114.55.1.119, same uri).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.55.1.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255037; rev:1;)
# The block of confidence_level 50 ip:port rules that follows (FAKEUPDATES,
# Meduza, DCRat, QakBot, Havoc, BianLian, Deimos, "Unknown malware") is the
# lowest-confidence material in this excerpt and several of them sit on
# ports 80/443 — a good candidate for alert-only handling rather than block.
alert tcp $HOME_NET any -> [23.95.182.33] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255036; rev:1;)
alert tcp $HOME_NET any -> [23.95.182.33] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255035; rev:1;)
alert tcp $HOME_NET any -> [193.57.41.184] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255034; rev:1;)
alert tcp $HOME_NET any -> [193.57.41.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255033; rev:1;)
alert tcp $HOME_NET any -> [178.128.106.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255032; rev:1;)
alert tcp $HOME_NET any -> [3.22.252.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255031; rev:1;)
alert tcp $HOME_NET any -> [109.107.181.48] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255030; rev:1;)
alert tcp $HOME_NET any -> [109.120.178.115] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255029; rev:1;)
alert tcp $HOME_NET any -> [111.231.145.137] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255028; rev:1;)
alert tcp $HOME_NET any -> [45.61.150.7] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255027; rev:1;)
alert tcp $HOME_NET any -> [185.123.53.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255026; rev:1;)
alert tcp $HOME_NET any -> [34.84.42.35] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255025; rev:1;)
alert tcp $HOME_NET any -> [148.66.5.228] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255024; rev:1;)
alert tcp $HOME_NET any -> [111.223.247.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255023; rev:1;)
alert tcp $HOME_NET any -> [8.140.205.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255022; rev:1;)
alert tcp $HOME_NET any -> [45.76.142.33] 1604 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255021; rev:1;)
alert tcp $HOME_NET any -> [85.209.195.22] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255020; rev:1;)
alert tcp $HOME_NET any -> [151.30.250.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255019; rev:1;)
alert tcp $HOME_NET any -> [165.227.223.174] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255018; rev:1;)
alert tcp $HOME_NET any -> [165.227.223.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255017; rev:1;)
alert tcp $HOME_NET any -> [138.197.80.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255016; rev:1;)
alert tcp $HOME_NET any -> [68.183.56.211] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255014; rev:1;)
alert tcp $HOME_NET any -> [68.183.56.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255015; rev:1;)
alert tcp $HOME_NET any -> [137.184.78.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255013; rev:1;)
alert tcp $HOME_NET any -> [159.223.0.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255012; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20006 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255011; rev:1;)
alert tcp $HOME_NET any -> [203.96.177.103] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255010; rev:1;)
# NOTE(review): 99.83.207.194 looks like it falls in a shared anycast /
# cloud front-end range — confirm. An ip:port indicator on shared ingress
# infrastructure is coarse, and this record is only confidence_level 50.
alert tcp $HOME_NET any -> [99.83.207.194] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255009; rev:1;)
alert tcp $HOME_NET any -> [39.100.72.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255008; rev:1;)
alert tcp $HOME_NET any -> [165.227.90.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255007; rev:1;)
# NjRAT on port 13306 recurs across 3.125.188.168, 3.67.15.169, 3.68.56.232,
# 3.126.224.214, 3.124.67.191 and 35.157.111.131 (plus 18.192.93.86:14391).
# That looks like one campaign cycling addresses inside a single cloud
# provider (reviewer assumption); a local egress rule on the port may outlive
# the individual IP indicators. Note the mixed confidence (75 vs 100).
alert tcp $HOME_NET any -> [3.125.188.168] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255004; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appdiscordgg.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254995; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 14391 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firmes777.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254988; rev:1;)
alert tcp $HOME_NET any -> [172.94.73.133] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254967; rev:1;)
alert tcp $HOME_NET any -> [179.13.0.175] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254987; rev:1;)
alert tcp $HOME_NET any -> [128.90.123.160] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254966; rev:1;)
alert tcp $HOME_NET any -> [93.183.95.223] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/990ecb7630625681.php"; depth:21; nocase; http.host; content:"93.123.39.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255005; rev:1;)
alert tcp $HOME_NET any -> [3.67.15.169] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255003; rev:1;)
alert tcp $HOME_NET any -> [3.68.56.232] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255002; rev:1;)
alert tcp $HOME_NET any -> [3.126.224.214] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255000; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255001; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254999; rev:1;)
alert tcp $HOME_NET any -> [105.154.228.255] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254998; rev:1;)
# The next two hosts are ordinary-looking domains with a PHP path (presumably
# compromised sites used as C2 fronts — reviewer assumption); first_seen is a
# day earlier (2024_04_08) than the rest of this excerpt.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/po.php"; depth:24; nocase; http.host; content:"kenesrakishev.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsdjcn3khs/index.php"; depth:21; nocase; http.host; content:"atillapro.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254996; rev:1;)
# (fragment: this rule continues beyond the end of the excerpt)
alert tcp $HOME_NET any -> [200.217.111.70] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254994/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_08; classtype:trojan-activity; sid:91254994; rev:1;) alert tcp $HOME_NET any -> [191.89.247.6] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254993; rev:1;) alert tcp $HOME_NET any -> [81.214.136.253] 125 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254992; rev:1;) alert tcp $HOME_NET any -> [91.207.102.163] 9899 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254990; rev:1;) alert tcp $HOME_NET any -> [45.129.199.228] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254989; rev:1;) alert tcp $HOME_NET any -> [23.137.253.76] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254986; rev:1;) alert tcp $HOME_NET any -> [23.137.253.76] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1254985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254985; rev:1;) alert tcp $HOME_NET any -> [91.215.85.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254984; rev:1;) alert tcp $HOME_NET any -> [45.88.90.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254983; rev:1;) alert tcp $HOME_NET any -> [147.45.69.114] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254982; rev:1;) alert tcp $HOME_NET any -> [37.221.93.9] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254981; rev:1;) alert tcp $HOME_NET any -> [107.172.157.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254980; rev:1;) alert tcp $HOME_NET any -> [8.218.138.77] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254979; rev:1;) alert tcp $HOME_NET any -> [117.50.179.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254978; rev:1;) alert tcp $HOME_NET any -> [46.246.4.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254977; rev:1;) alert tcp $HOME_NET any -> [217.165.15.163] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254976; rev:1;) alert tcp $HOME_NET any -> [78.172.87.190] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254975; rev:1;) alert tcp $HOME_NET any -> [1.161.123.219] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254974/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_08; classtype:trojan-activity; sid:91254974; rev:1;) alert tcp $HOME_NET any -> [23.95.182.10] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254973; rev:1;) alert tcp $HOME_NET any -> [154.12.179.67] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254972; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20011 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254970; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20012 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254971; rev:1;) alert tcp $HOME_NET any -> [128.14.226.110] 448 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254969; rev:1;) alert tcp $HOME_NET any -> [139.144.96.187] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1254968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"linkerfunyfile.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254964; rev:1;) alert tcp $HOME_NET any -> [38.180.62.112] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kibagendi.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karmaandfate.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"playfulyogi.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254963/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christmascookie.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salesoftskills.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whattotext.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beaulieuhome.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254957/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gteairfone.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pillowscrawler.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"000111.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"playfulyogi.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"karmaandfate.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254951/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"kibagendi.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"000111.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"pillowscrawler.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"beaulieuhome.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"whattotext.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"salesoftskills.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"christmascookie.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stodia.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1254938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cytuns.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galvins.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disear.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yetties.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254942; rev:1;) alert tcp $HOME_NET any -> [95.217.241.187] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254931; rev:1;) alert tcp $HOME_NET 
any -> [49.13.149.204] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254932; rev:1;) alert tcp $HOME_NET any -> [195.201.250.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254933; rev:1;) alert tcp $HOME_NET any -> [65.109.242.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254934; rev:1;) alert tcp $HOME_NET any -> [94.130.188.149] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254935; rev:1;) alert tcp $HOME_NET any -> [116.203.12.29] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254936; rev:1;) alert tcp $HOME_NET any -> [116.203.14.84] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254937/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254937; rev:1;) alert tcp $HOME_NET any -> [95.217.212.139] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254929; rev:1;) alert tcp $HOME_NET any -> [95.217.27.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yetties.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"disear.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"galvins.xyz"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cytuns.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stodia.fun"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.188.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.250.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.149.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.187"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.212.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254915; rev:1;)
# ip:port rules carry "threshold: type limit, track by_src, seconds 60, count 1", so a
# single internal host talking to the listed C2 raises at most one alert per minute.
alert tcp $HOME_NET any -> [51.79.171.174] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254914; rev:1;)
# NOTE(review): unlike the other url rules in this feed, sid 91254676 (and sid 91254677
# on the following line) has no http.host match and no leading "/" in the URI pattern;
# the bare IP literal is matched at the start of http.uri instead. Suricata's http.uri
# buffer normally holds only the request path, so this rule presumably fires only on
# absolute-form requests (e.g. through a forward proxy) and not on a plain GET to that
# host. Verify against traffic before counting it as coverage for this C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.81.17.166"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zopz-api.com"; depth:12; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1254678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"167.114.127.93"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuclear.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254679; rev:1;) alert tcp $HOME_NET any -> [51.81.230.244] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254577; rev:1;) alert tcp $HOME_NET any -> [51.89.251.242] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254578; rev:1;) alert tcp $HOME_NET any -> [51.222.204.13] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; 
sid:91254579; rev:1;) alert tcp $HOME_NET any -> [79.133.46.200] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254580; rev:1;) alert tcp $HOME_NET any -> [79.137.203.236] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254581; rev:1;) alert tcp $HOME_NET any -> [84.54.51.107] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254582; rev:1;) alert tcp $HOME_NET any -> [84.54.51.132] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254583; rev:1;) alert tcp $HOME_NET any -> [84.54.51.144] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254584; rev:1;) alert tcp $HOME_NET any -> [84.54.51.195] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1254585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254585; rev:1;) alert tcp $HOME_NET any -> [84.54.51.205] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254586; rev:1;) alert tcp $HOME_NET any -> [84.54.51.206] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254587; rev:1;) alert tcp $HOME_NET any -> [84.54.51.207] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254588; rev:1;) alert tcp $HOME_NET any -> [84.54.51.208] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254589; rev:1;) alert tcp $HOME_NET any -> [85.203.42.64] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254590; rev:1;) alert tcp $HOME_NET any 
-> [86.104.194.180] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254591; rev:1;) alert tcp $HOME_NET any -> [91.92.255.74] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254592; rev:1;) alert tcp $HOME_NET any -> [91.103.253.34] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254593; rev:1;) alert tcp $HOME_NET any -> [92.249.48.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254594; rev:1;) alert tcp $HOME_NET any -> [93.123.85.172] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254595; rev:1;) alert tcp $HOME_NET any -> [94.156.8.32] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254596; rev:1;) alert tcp $HOME_NET any -> [94.156.8.72] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254597; rev:1;) alert tcp $HOME_NET any -> [94.156.8.79] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254598; rev:1;) alert tcp $HOME_NET any -> [94.156.71.51] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254599; rev:1;) alert tcp $HOME_NET any -> [94.156.71.66] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254600; rev:1;) alert tcp $HOME_NET any -> [94.156.71.193] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254601; rev:1;) alert tcp $HOME_NET any -> [103.82.135.217] 9900 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254602; rev:1;) alert tcp $HOME_NET any -> [135.148.124.223] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254603; rev:1;) alert tcp $HOME_NET any -> [141.98.7.123] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254604; rev:1;) alert tcp $HOME_NET any -> [141.98.7.200] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254605; rev:1;) alert tcp $HOME_NET any -> [144.172.73.9] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254606; rev:1;) alert tcp $HOME_NET any -> [144.172.73.20] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254607/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254607; rev:1;) alert tcp $HOME_NET any -> [144.172.73.25] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254608; rev:1;) alert tcp $HOME_NET any -> [144.172.73.26] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254609; rev:1;) alert tcp $HOME_NET any -> [144.172.73.28] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254610; rev:1;) alert tcp $HOME_NET any -> [144.172.73.44] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254611; rev:1;) alert tcp $HOME_NET any -> [144.217.16.164] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254612; rev:1;) alert tcp $HOME_NET any -> [146.19.254.219] 1337 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254613; rev:1;) alert tcp $HOME_NET any -> [149.56.79.118] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254614; rev:1;) alert tcp $HOME_NET any -> [172.65.149.128] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254616; rev:1;) alert tcp $HOME_NET any -> [159.253.120.116] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254615; rev:1;) alert tcp $HOME_NET any -> [185.91.127.66] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254617; rev:1;) alert tcp $HOME_NET any -> [185.171.121.161] 420 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254618/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254618; rev:1;) alert tcp $HOME_NET any -> [195.58.39.34] 6643 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254619; rev:1;) alert tcp $HOME_NET any -> [198.98.57.36] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254620; rev:1;) alert tcp $HOME_NET any -> [198.98.58.246] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254621; rev:1;) alert tcp $HOME_NET any -> [205.185.119.42] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254623; rev:1;) alert tcp $HOME_NET any -> [199.195.251.103] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254622; rev:1;) alert tcp $HOME_NET any -> [209.141.35.229] 27358 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254624; rev:1;) alert tcp $HOME_NET any -> [216.107.139.159] 9966 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninja-cnc.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poggo-proxy.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdnet-web.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leanc2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254634/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poggo-proxy.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naucosi.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-voidc2.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cumshot.vip"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuclear.baby"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254632; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lydiari.mrbonus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pf7.prsv.ch"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuzzyproxy.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254627; rev:1;) alert tcp $HOME_NET any -> [94.156.71.184] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254626; rev:1;) alert tcp $HOME_NET any -> [45.141.202.79] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254575; rev:1;) alert tcp $HOME_NET any -> [51.81.115.26] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1254576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254576; rev:1;) alert tcp $HOME_NET any -> [45.140.188.47] 911 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254574; rev:1;) alert tcp $HOME_NET any -> [45.128.232.138] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254572; rev:1;) alert tcp $HOME_NET any -> [45.128.232.169] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254573; rev:1;) alert tcp $HOME_NET any -> [45.128.232.85] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254570; rev:1;) alert tcp $HOME_NET any -> [45.128.232.100] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254571; rev:1;) alert tcp 
$HOME_NET any -> [41.216.182.208] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254569; rev:1;) alert tcp $HOME_NET any -> [23.160.193.4] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254565; rev:1;) alert tcp $HOME_NET any -> [23.160.193.10] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254566; rev:1;) alert tcp $HOME_NET any -> [23.160.194.106] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254567; rev:1;) alert tcp $HOME_NET any -> [38.45.100.58] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254568; rev:1;) alert tcp $HOME_NET any -> [15.204.18.204] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254561; rev:1;) alert tcp $HOME_NET any -> [15.204.211.81] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254563; rev:1;) alert tcp $HOME_NET any -> [15.204.240.170] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254564; rev:1;) alert tcp $HOME_NET any -> [5.196.239.182] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254560; rev:1;) alert tcp $HOME_NET any -> [15.204.22.165] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254562; rev:1;) alert tcp $HOME_NET any -> [5.39.34.46] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254557; rev:1;) alert tcp $HOME_NET any -> [5.196.162.1] 9999 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254559; rev:1;) alert tcp $HOME_NET any -> [5.181.80.64] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254558; rev:1;) alert tcp $HOME_NET any -> [2.58.95.55] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254556; rev:1;) alert tcp $HOME_NET any -> [185.216.70.169] 21425 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254675; rev:1;) alert tcp $HOME_NET any -> [85.204.116.22] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254673; rev:1;) alert tcp $HOME_NET any -> [85.204.116.206] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254674/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254674; rev:1;) alert tcp $HOME_NET any -> [85.204.116.20] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254671; rev:1;) alert tcp $HOME_NET any -> [85.204.116.21] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254672; rev:1;) alert tcp $HOME_NET any -> [62.72.185.38] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254670; rev:1;) alert tcp $HOME_NET any -> [62.72.185.4] 16726 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcpsyn.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"tcpfin.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254668; rev:1;) alert tcp $HOME_NET any -> [45.55.197.133] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.mypowerzip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254648; rev:1;) alert tcp $HOME_NET any -> [139.59.127.44] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254645; rev:1;) alert tcp $HOME_NET any -> [146.190.5.80] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254646; rev:1;) alert tcp $HOME_NET any -> [51.195.124.239] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254644/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254644; rev:1;) alert tcp $HOME_NET any -> [62.122.184.51] 6017 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254641; rev:1;) alert tcp $HOME_NET any -> [193.26.115.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254642/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_08; classtype:trojan-activity; sid:91254642; rev:1;) alert tcp $HOME_NET any -> [80.66.87.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"80.66.87.240"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254665; rev:1;) alert tcp $HOME_NET any -> [54.144.199.247] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254664; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/7384/word-macros-not-working/"; depth:35; nocase; http.host; content:"defender.us.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"defender.us.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taek.cp-redteam.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"taek.cp-redteam.com"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.37.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.134.89.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254655; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hubcap/mayo-clinic-radio-full-shows/"; depth:37; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"170.106.178.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"111.123.250.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254649; rev:1;) alert tcp $HOME_NET any -> [81.17.17.70] 1198 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254640; rev:1;) alert tcp $HOME_NET any -> [93.183.95.223] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254639; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 5851 
(msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254555; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254553; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254554; rev:1;) alert tcp $HOME_NET any -> [110.41.21.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254552; rev:1;) alert tcp $HOME_NET any -> [141.98.7.56] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254551; rev:1;) alert tcp $HOME_NET any -> [8.137.116.204] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254548/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254548; rev:1;) alert tcp $HOME_NET any -> [175.178.78.176] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254547; rev:1;) alert tcp $HOME_NET any -> [39.105.141.35] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254549; rev:1;) alert tcp $HOME_NET any -> [92.249.48.39] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254550/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.34.69.249"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.27.107.169"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.45.100.58"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.89.251.242"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"41.216.182.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.123"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.103.253.34"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.10.46"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.133.46.200"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.222.204.13"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.109"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"205.185.119.42"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.35.18.98"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.203.42.64"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"199.195.251.103"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1254522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.131.99.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"159.253.120.116"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1254524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"193.35.18.35"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.217"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.249.48.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.208.103.203"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.66"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"45.128.232.43"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.188.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.61.188.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254539; rev:1;) alert tcp $HOME_NET any -> [45.178.6.2] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peurnick24.bumbleshrimp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.143.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.93.233.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"171.244.42.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"51.81.230.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"54.39.252.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254544/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"92.249.48.78"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"120.48.75.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254538; rev:1;) alert tcp $HOME_NET any -> [49.234.17.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"49.234.17.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; 
http.host; content:"120.48.75.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254535; rev:1;) alert tcp $HOME_NET any -> [116.205.228.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254533; rev:1;) alert tcp $HOME_NET any -> [45.88.90.160] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"packetinfo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.ddosvps.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1254500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddosvps.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.przsc.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.przsc.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.przsc.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"przsc.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254505; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcjwcj.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254506; rev:1;) alert tcp $HOME_NET any -> [212.109.221.128] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254498; rev:1;) alert tcp $HOME_NET any -> [193.143.1.161] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254497; rev:1;) alert tcp $HOME_NET any -> [93.123.39.127] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254496; rev:1;) alert tcp $HOME_NET any -> [42.96.5.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254495; rev:1;) alert tcp $HOME_NET any -> [91.92.250.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254494; rev:1;) alert tcp $HOME_NET any -> [82.147.85.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254493; rev:1;) alert tcp $HOME_NET any -> [38.180.45.153] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254492; rev:1;) alert tcp $HOME_NET any -> [91.202.233.174] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254491; rev:1;) alert tcp $HOME_NET any -> [45.82.152.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254490; rev:1;) alert tcp $HOME_NET any -> [109.120.184.181] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254489; rev:1;) alert tcp $HOME_NET any -> [38.47.101.176] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254488; rev:1;) alert tcp $HOME_NET any -> [99.196.212.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254487; rev:1;) alert tcp $HOME_NET any -> [39.106.250.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254486; rev:1;) alert tcp $HOME_NET any -> [39.106.250.105] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254485; rev:1;) alert tcp $HOME_NET any -> [143.244.200.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254484; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20008 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254483/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_08; classtype:trojan-activity; sid:91254483; rev:1;) alert tcp $HOME_NET any -> [167.71.184.214] 808 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254482; rev:1;) alert tcp $HOME_NET any -> [34.159.237.198] 6668 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254322; rev:1;) alert tcp $HOME_NET any -> [5.253.246.12] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254321; rev:1;) alert tcp $HOME_NET any -> [193.181.23.187] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254323; rev:1;) alert tcp $HOME_NET any -> [154.44.25.185] 36912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254477; rev:1;) alert tcp $HOME_NET any -> [41.142.31.190] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/927339792"; depth:20; nocase; http.host; content:"140.82.61.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254481; rev:1;) alert tcp $HOME_NET any -> [193.222.96.11] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254480; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 5515 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254478; rev:1;) alert tcp $HOME_NET any -> [172.111.131.97] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254476; rev:1;) alert tcp $HOME_NET any -> [193.32.149.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254475; rev:1;) alert tcp $HOME_NET any -> [45.84.1.227] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254474; rev:1;) alert tcp $HOME_NET any -> [45.141.87.233] 39200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254473; rev:1;) alert tcp $HOME_NET any -> [185.154.52.150] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254472; rev:1;) alert tcp $HOME_NET any -> [38.60.200.161] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254471; rev:1;) alert tcp $HOME_NET any -> [38.54.111.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254470; rev:1;) alert tcp $HOME_NET any -> [154.12.30.6] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254469; rev:1;) alert tcp $HOME_NET any -> [35.241.117.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254468; rev:1;) alert tcp $HOME_NET any -> [35.234.1.138] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254466; rev:1;) alert tcp $HOME_NET any -> [35.234.1.138] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254467; rev:1;) alert tcp $HOME_NET any -> [43.251.159.58] 46675 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254465; rev:1;) alert tcp $HOME_NET any -> [43.245.199.144] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254464; rev:1;) alert tcp 
$HOME_NET any -> [38.147.171.19] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254462; rev:1;) alert tcp $HOME_NET any -> [38.147.171.19] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254463; rev:1;) alert tcp $HOME_NET any -> [38.147.171.19] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254461; rev:1;) alert tcp $HOME_NET any -> [114.115.220.199] 9963 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254460; rev:1;) alert tcp $HOME_NET any -> [206.237.2.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254459; rev:1;) alert tcp $HOME_NET any -> [148.135.72.115] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254458; rev:1;) alert tcp $HOME_NET any -> [54.250.253.8] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254456; rev:1;) alert tcp $HOME_NET any -> [54.250.253.8] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254457; rev:1;) alert tcp $HOME_NET any -> [18.176.57.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254455; rev:1;) alert tcp $HOME_NET any -> [154.92.14.6] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254454; rev:1;) alert tcp $HOME_NET any -> [20.237.62.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254453; rev:1;) alert tcp $HOME_NET any -> [20.124.95.169] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254451; rev:1;) alert tcp $HOME_NET any -> [20.124.95.169] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irreceiver.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk.luckyu.icu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254449; rev:1;) alert tcp $HOME_NET any -> [192.227.155.158] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254448; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254447/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254447; rev:1;) alert tcp $HOME_NET any -> [23.94.123.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254446; rev:1;) alert tcp $HOME_NET any -> [206.189.182.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254445; rev:1;) alert tcp $HOME_NET any -> [206.189.182.123] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254444; rev:1;) alert tcp $HOME_NET any -> [206.189.113.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alipan.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254442; rev:1;) alert tcp $HOME_NET any -> [152.42.188.132] 2083 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254440; rev:1;) alert tcp $HOME_NET any -> [152.42.188.132] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254441; rev:1;) alert tcp $HOME_NET any -> [47.236.185.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254438; rev:1;) alert tcp $HOME_NET any -> [47.236.185.166] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254439; rev:1;) alert tcp $HOME_NET any -> [47.236.171.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254437; rev:1;) alert tcp $HOME_NET any -> [8.212.71.0] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254436/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254436; rev:1;) alert tcp $HOME_NET any -> [124.70.158.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254435; rev:1;) alert tcp $HOME_NET any -> [116.205.185.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254434; rev:1;) alert tcp $HOME_NET any -> [110.41.17.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254433; rev:1;) alert tcp $HOME_NET any -> [60.204.217.11] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254432; rev:1;) alert tcp $HOME_NET any -> [1.94.2.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254431; rev:1;) alert tcp $HOME_NET any -> [123.56.182.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254430; rev:1;) alert tcp $HOME_NET any -> [47.98.247.113] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254422; rev:1;) alert tcp $HOME_NET any -> [47.116.213.137] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254423; rev:1;) alert tcp $HOME_NET any -> [101.201.54.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254424; rev:1;) alert tcp $HOME_NET any -> [101.201.54.74] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254425; rev:1;) alert tcp $HOME_NET any -> [114.55.1.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254426; rev:1;) 
alert tcp $HOME_NET any -> [114.55.1.119] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254427; rev:1;) alert tcp $HOME_NET any -> [120.55.75.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254428; rev:1;) alert tcp $HOME_NET any -> [120.78.90.43] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254429; rev:1;) alert tcp $HOME_NET any -> [39.100.111.77] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254417; rev:1;) alert tcp $HOME_NET any -> [39.101.204.250] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254418; rev:1;) alert tcp $HOME_NET any -> [39.104.200.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254419; rev:1;)
# --- Cobalt Strike team-server candidates (ip:port, first_seen 2024-04-07, confidence 100) ---
# Every ip:port rule in this section has the same shape: one destination IP and port, direction
# $HOME_NET -> that pair, no content and no flow: keyword. It therefore matches the first outbound
# TCP segment to the pair (a bare SYN is enough); "threshold: type limit, track by_src, seconds 60,
# count 1" then caps it to one alert per internal source host per minute per sid, and target:src_ip
# marks the internal host as the victim in the alert output.
# sid is "9" + the ThreatFox IOC id (ioc/1254420 -> sid:91254420), so every alert maps straight back
# to its ThreatFox entry via the reference URL.
# NOTE(review): IP:port IOCs age fast, and many of these addresses look like they sit in large
# cloud/VPS ranges (TODO confirm via whois) - re-check attribution before promoting any of these
# from alert to drop/block.
alert tcp $HOME_NET any -> [39.106.77.203] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254420; rev:1;)
alert tcp $HOME_NET any -> [47.98.247.113] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254421; rev:1;)
alert tcp $HOME_NET any -> [8.130.118.27] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254414; rev:1;)
alert tcp $HOME_NET any -> [8.130.121.45] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254415; rev:1;)
alert tcp $HOME_NET any -> [39.100.107.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254416; rev:1;)
alert tcp $HOME_NET any -> [43.143.170.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254408; rev:1;)
alert tcp $HOME_NET any -> [81.71.18.121] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254409; rev:1;)
alert tcp $HOME_NET any -> [81.71.127.160] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254410; rev:1;)
alert tcp $HOME_NET any -> [101.34.221.218] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254411; rev:1;)
alert tcp $HOME_NET any -> [114.132.62.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254412; rev:1;)
alert tcp $HOME_NET any -> [175.24.133.215] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254413; rev:1;)
# 1.14.202.205 is listed twice (tcp/80 and tcp/8443): two listeners on one team server.
alert tcp $HOME_NET any -> [1.14.202.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254402; rev:1;)
alert tcp $HOME_NET any -> [1.14.202.205] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254403; rev:1;)
alert tcp $HOME_NET any -> [42.192.53.52] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254404; rev:1;)
alert tcp $HOME_NET any -> [43.138.72.60] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254405; rev:1;)
# tcp/50050 is the Cobalt Strike team-server client port, not a beacon listener: an internal
# host connecting there is an operator console, not an implant - worth a different triage path.
alert tcp $HOME_NET any -> [43.138.111.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254406; rev:1;)
alert tcp $HOME_NET any -> [43.143.165.217] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254407; rev:1;)
# --- DarkComet ---
# Five addresses in 187.135.0.0/16 (187.135.122.238, .122.251, .141.72, .178.42, .94.250) carry a
# heavily overlapping port set (1801, 2000, 2003, 2052, 2053, 2077, 2078, 2079, 2086, 2096, 2181,
# 2222, ...). This looks like a single operator whose public address changes over time - presumably
# a dynamic/residential assignment, TODO confirm - so expect these entries to go stale quickly and
# for new ports or neighbouring addresses in the same range to show up in later updates.
# Some of the listed ports double as well-known service ports (1883 MQTT, 1723 PPTP, 1604 Citrix
# ICA); the rules still key on the exact IP, so that only becomes a false-positive risk if the
# address is reassigned to a legitimate host.
alert tcp $HOME_NET any -> [187.135.122.238] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254401; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254391; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254392; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254393; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254394; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254395; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254396; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254397; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254398; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254399; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254400; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254381; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254382; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254383; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 1892 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254384; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254385; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 1648 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254386; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254387; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254388; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254389; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.238] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254390; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254372; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254373; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254374; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254375; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254376; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254377; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.251] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254378; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254379; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.42] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254380; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254362; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254363; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254364; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254365; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254366; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254367; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1982 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254368; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254369; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254370; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254371; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254356; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254357; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254358; rev:1;)
alert tcp $HOME_NET any -> [187.135.94.250] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254359; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254360; rev:1;)
alert tcp $HOME_NET any -> [187.135.141.72] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254361; rev:1;)
# Unrelated to the 187.135/16 cluster above.
alert tcp $HOME_NET any -> [105.101.65.139] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254355; rev:1;)
# --- AsyncRAT ---
# Mostly high/unusual ports, but two entries key on service-looking ports: 123.253.32.76:22
# (sid 91254347 - any SSH session from $HOME_NET to that host will alert) and 95.216.41.33:82.
# 128.90.103.14 is listed on two ports (9999 and 1018).
alert tcp $HOME_NET any -> [172.111.245.98] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254354; rev:1;)
alert tcp $HOME_NET any -> [128.90.103.14] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254349; rev:1;)
alert tcp $HOME_NET any -> [128.90.103.14] 1018 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254350; rev:1;)
alert tcp $HOME_NET any -> [146.103.11.88] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254351; rev:1;)
alert tcp $HOME_NET any -> [172.94.8.100] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254352; rev:1;)
alert tcp $HOME_NET any -> [172.111.245.38] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254353; rev:1;)
alert tcp $HOME_NET any -> [5.63.21.76] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254342; rev:1;)
alert tcp $HOME_NET any -> [15.204.170.41] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254343; rev:1;)
alert tcp $HOME_NET any -> [38.180.31.223] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254344; rev:1;)
alert tcp $HOME_NET any -> [95.216.41.33] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254345; rev:1;)
alert tcp $HOME_NET any -> [103.47.147.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254346; rev:1;)
alert tcp $HOME_NET any -> [123.253.32.76] 22 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254347; rev:1;)
alert tcp $HOME_NET any -> [128.90.102.230] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254348; rev:1;)
# --- ERMAC C2 panels, all on tcp/80 ---
# Plain-HTTP panels: with no content match, a single outbound SYN to the address is enough to
# alert, so a web crawler or link-preview fetch from $HOME_NET hitting the host also triggers these.
alert tcp $HOME_NET any -> [193.222.96.186] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254341; rev:1;)
alert tcp $HOME_NET any -> [185.102.172.72] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254340; rev:1;)
alert tcp $HOME_NET any -> [173.212.219.194] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254339; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.150] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254338; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.116] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254337; rev:1;)
alert tcp $HOME_NET any -> [20.55.63.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254336; rev:1;)
# --- Lower-confidence entries (confidence_level 50) ---
# Same rule shape, but ThreatFox rated these 50%: keep them alert-only and do not feed them into a
# block list without independent confirmation. Two things worth knowing when one fires:
#  * 8.217.88.225 appears here as Havoc on tcp/443 (sid 91254330) and again further down as DCRat
#    on tcp/65503 at 100% (sid 91254282) - the host is clearly suspect, the family label on this
#    entry less so.
#  * 116.203.56.238:1194 (BianLian) sits on the default OpenVPN port, and 173.255.230.190:80 is
#    tagged "Responder", a tool more often seen in authorised red-team work - if your own testers
#    are active, confirm before escalating sid 91254331.
alert tcp $HOME_NET any -> [79.137.207.33] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254335; rev:1;)
alert tcp $HOME_NET any -> [159.203.174.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254334; rev:1;)
alert tcp $HOME_NET any -> [39.99.225.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254333; rev:1;)
alert tcp $HOME_NET any -> [184.89.62.16] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254332; rev:1;)
alert tcp $HOME_NET any -> [173.255.230.190] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254331; rev:1;)
alert tcp $HOME_NET any -> [8.217.88.225] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254330; rev:1;)
alert tcp $HOME_NET any -> [154.12.179.67] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254329; rev:1;)
alert tcp $HOME_NET any -> [110.40.133.81] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254328; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254327; rev:1;)
alert tcp $HOME_NET any -> [116.203.56.238] 1194 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254326; rev:1;)
alert tcp $HOME_NET any -> [103.137.27.83] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254325; rev:1;)
alert tcp $HOME_NET any -> [103.99.178.207] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254324; rev:1;)
# --- AsyncRAT / Quasar RAT (back to confidence 100) ---
# 128.199.66.119 is listed as Quasar RAT on tcp/18982 here (sid 91254268) and as DCRat on
# tcp/57411 below (sid 91254277): one host, two families - treat either alert as the same
# infrastructure. 86.242.42.233:1194 is on the default OpenVPN port; 185.245.183.74 uses tcp/2,
# an unusual low port that is unlikely to collide with legitimate traffic.
alert tcp $HOME_NET any -> [194.26.192.34] 666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254265; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.66] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254266; rev:1;)
alert tcp $HOME_NET any -> [86.242.42.233] 1194 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254267; rev:1;)
alert tcp $HOME_NET any -> [128.199.66.119] 18982 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254268; rev:1;)
alert tcp $HOME_NET any -> [181.162.141.33] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254270; rev:1;)
alert tcp $HOME_NET any -> [147.45.189.30] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254269; rev:1;)
alert tcp $HOME_NET any -> [181.162.177.83] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254271; rev:1;)
alert tcp $HOME_NET any -> [185.245.183.74] 2 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254272; rev:1;)
alert tcp $HOME_NET any -> [187.35.7.95] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254273; rev:1;)
alert tcp $HOME_NET any -> [189.110.0.220] 6653 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254274; rev:1;)
alert tcp $HOME_NET any -> [191.82.201.30] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254275; rev:1;)
alert tcp $HOME_NET any -> [191.82.231.105] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254276; rev:1;)
# --- DCRat ---
# 128.199.66.119 (also Quasar RAT on tcp/18982 above) and 8.217.88.225 (also Havoc on tcp/443 at
# 50% above) both reappear here; both DCRat listeners on 8.210.3.81 and 8.217.88.225 use tcp/65503.
alert tcp $HOME_NET any -> [128.199.66.119] 57411 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254277; rev:1;)
alert tcp $HOME_NET any -> [1.14.126.22] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254280; rev:1;)
alert tcp $HOME_NET any -> [8.210.3.81] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254281; rev:1;)
# Domain IOC. dns_query + content anchored by depth:20 and isdataat:!1,relative means the whole
# query name must be exactly "cd.qqweixinzhuce.top" (20 bytes, case-insensitive via nocase):
# subdomains of it and the bare parent domain do NOT match. It fires on the DNS question itself,
# so it alerts whether or not the name resolves, and it does not depend on $EXTERNAL_NET being the
# actual resolver (an internal recursive resolver still triggers it as long as the query leaves
# $HOME_NET). NOTE(review): current Suricata spells this sticky buffer dns.query; dns_query is the
# legacy alias - confirm it is still accepted on the deployed version.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cd.qqweixinzhuce.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254320; rev:1;)
alert tcp $HOME_NET any -> [8.217.88.225] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254282; rev:1;)
alert tcp $HOME_NET 
any -> [8.217.140.110] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254283; rev:1;) alert tcp $HOME_NET any -> [8.217.225.19] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"cd.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254319; rev:1;) alert tcp $HOME_NET any -> [8.218.27.81] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254285; rev:1;) alert tcp $HOME_NET any -> [38.147.172.16] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254286; rev:1;) alert tcp $HOME_NET any -> [39.101.177.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254287; rev:1;) alert tcp $HOME_NET any -> [47.76.41.68] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254288; rev:1;) alert tcp $HOME_NET any -> [47.242.64.202] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254289; rev:1;) alert tcp $HOME_NET any -> [47.243.4.123] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254290; rev:1;) alert tcp $HOME_NET any -> [58.87.70.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254291; rev:1;) alert tcp $HOME_NET any -> [88.99.214.187] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254292; rev:1;) alert tcp $HOME_NET any -> 
[89.105.201.158] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254293; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254294; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254295; rev:1;) alert tcp $HOME_NET any -> [89.105.201.158] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254296; rev:1;) alert tcp $HOME_NET any -> [91.92.250.207] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254297; rev:1;) alert tcp $HOME_NET any -> [91.92.255.244] 8845 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254298/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254298; rev:1;) alert tcp $HOME_NET any -> [91.92.255.244] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254299; rev:1;) alert tcp $HOME_NET any -> [91.92.255.249] 8845 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254300; rev:1;) alert tcp $HOME_NET any -> [91.92.255.249] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254301; rev:1;) alert tcp $HOME_NET any -> [144.91.127.15] 4546 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254302; rev:1;) alert tcp $HOME_NET any -> [160.20.109.7] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254303; rev:1;) alert tcp $HOME_NET any -> [206.233.128.142] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1254304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254304; rev:1;) alert tcp $HOME_NET any -> [206.238.43.147] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254305; rev:1;) alert tcp $HOME_NET any -> [206.238.196.192] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254306; rev:1;) alert tcp $HOME_NET any -> [211.101.247.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marinion.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooty.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254309; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254310; rev:1;) alert tcp $HOME_NET any -> [103.67.197.152] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254311; rev:1;) alert tcp $HOME_NET any -> [84.54.51.35] 6788 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254312; rev:1;) alert tcp $HOME_NET any -> [23.95.182.31] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254313; rev:1;) alert tcp $HOME_NET any -> [46.102.174.17] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254314; rev:1;) alert tcp $HOME_NET any -> [185.65.205.158] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254315/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254315; rev:1;) alert tcp $HOME_NET any -> [185.224.128.34] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254316; rev:1;) alert tcp $HOME_NET any -> [185.94.29.111] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254317/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"softultra.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254318; rev:1;) alert tcp $HOME_NET any -> [137.184.10.195] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254278; rev:1;) alert tcp $HOME_NET any -> [185.196.10.155] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254279; rev:1;) alert tcp $HOME_NET any -> 
[81.19.137.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254258; rev:1;) alert tcp $HOME_NET any -> [91.92.248.202] 2301 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254259; rev:1;) alert tcp $HOME_NET any -> [91.92.254.44] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254260; rev:1;) alert tcp $HOME_NET any -> [94.156.64.122] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254261; rev:1;) alert tcp $HOME_NET any -> [172.94.73.162] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254262; rev:1;) alert tcp $HOME_NET any -> [192.210.255.140] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254263/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254263; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 14620 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254255; rev:1;) alert tcp $HOME_NET any -> [185.196.11.209] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254257; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 12117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254252; rev:1;) alert tcp $HOME_NET any -> [193.149.187.16] 443 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254251; rev:1;) alert tcp $HOME_NET any -> [94.98.185.133] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254250; rev:1;) alert tcp $HOME_NET any -> [45.154.96.48] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254249; rev:1;) alert tcp $HOME_NET any -> [82.67.69.234] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254248; rev:1;) alert tcp $HOME_NET any -> [45.74.50.53] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254247; rev:1;) alert tcp $HOME_NET any -> [185.174.101.246] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254246; rev:1;) alert tcp $HOME_NET any -> [195.3.223.146] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254245/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254245; rev:1;) alert tcp $HOME_NET any -> [128.90.103.14] 9443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254244/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254244; rev:1;) alert tcp $HOME_NET any -> [2.58.56.216] 38382 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254243; rev:1;) alert tcp $HOME_NET any 
-> [45.63.121.237] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254242; rev:1;) alert tcp $HOME_NET any -> [23.224.4.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254241; rev:1;) alert tcp $HOME_NET any -> [139.180.157.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254240; rev:1;) alert tcp $HOME_NET any -> [91.92.252.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254239; rev:1;) alert tcp $HOME_NET any -> [108.61.250.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254238; rev:1;) alert tcp $HOME_NET any -> [146.56.214.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254237; rev:1;) alert tcp $HOME_NET any -> [154.90.63.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254236; rev:1;) alert tcp $HOME_NET any -> [45.152.115.131] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254235; rev:1;) alert tcp $HOME_NET any -> [45.156.85.187] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254234; rev:1;) alert tcp $HOME_NET any -> [94.237.56.207] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wave-assistant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254223; rev:1;) alert tcp $HOME_NET any -> [185.125.50.49] 48860 (msg:"ThreatFox RedLine 
Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure7multi/temporaryjavascript0base/7/eternalimagetoprocessorcentral.php"; depth:75; nocase; http.host; content:"77.105.161.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9cac53e5e9ec7ba.php"; depth:21; nocase; http.host; content:"62.113.119.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadtempcentraldownloads.php"; depth:32; nocase; http.host; content:"267097cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; 
content:"39.100.111.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254228; rev:1;) alert tcp $HOME_NET any -> [160.178.39.123] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yixc"; depth:5; nocase; http.host; content:"120.78.65.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254226; rev:1;) alert tcp $HOME_NET any -> [120.78.65.206] 44444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254225; rev:1;) alert tcp $HOME_NET any -> [185.123.53.250] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"194.33.191.246"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"24.199.71.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"64.23.168.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"103.54.57.251"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"91.194.135.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"147.45.45.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"212.64.217.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webpanel/login.php"; depth:19; nocase; http.host; content:"www.guncelmetin2hile.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"mileminer.000webhostapp.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unamwebpanel-master/unamwebpanel/pages/login.php"; depth:49; nocase; http.host; content:"toktokwebpanel.elementfx.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"scarwrld.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"badtrippaap.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nam/pages/login.php"; depth:20; nocase; http.host; content:"anbu.bond"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; 
nocase; http.host; content:"173.201.180.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"modules.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"linkerfunyfile.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awdrgyj/pages/login.php"; depth:24; nocase; http.host; content:"46.23.108.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"dvr.getenjoyment.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254203/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"95.216.253.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"vh373519.hostline.su"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"smartpanel.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"18.191.246.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254207; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dxrxcloud.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"12pintsandacurry.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"temptraffsolutions.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ultralowsulphurgas.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"mailhost.freemsk.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gordeeva.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"trattles.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"whukkers.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"davidpeterinteriors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"simplyavailable.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cartelsclothing.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blythwood-plant.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dumpthedebt.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"miopart.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"celebrationgenerator.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reginacrowley.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"diyshopper.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"designgeneralstore.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254160/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"office.freemsk.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eastlothianpropertymanagement.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.66.25"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"freemsk.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.simplyavailable.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.66.4"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ganjawars.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"0p2q9.com.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"tectumio.xyz"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.229"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254094/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.221.148.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"46.226.166.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.40.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254098/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.255.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.177.177"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"217.196.98.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254101/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254101; rev:1;) alert tcp $HOME_NET any -> [147.45.47.65] 47232 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254102; rev:1;) alert tcp $HOME_NET any -> [91.92.253.221] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dtyedh/five/fre.php"; depth:20; nocase; http.host; content:"91.92.253.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"iseberkis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"dumingas.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254142; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"musarno.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254141; rev:1;) alert tcp $HOME_NET any -> [185.196.10.155] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/category/research-2/"; depth:21; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254217; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254213; rev:1;) alert tcp $HOME_NET any -> [78.24.217.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254212; rev:1;) alert tcp $HOME_NET any -> [45.63.121.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254211; rev:1;) alert tcp $HOME_NET any -> [149.88.67.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254210; rev:1;) alert tcp $HOME_NET any -> [23.224.4.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254209; rev:1;) alert tcp $HOME_NET any -> [23.224.4.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254195; rev:1;) alert tcp $HOME_NET any -> [130.43.22.207] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254184; rev:1;) alert tcp $HOME_NET any -> [165.22.39.29] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254183; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20017 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254182; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20007 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254181; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20009 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254179; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20002 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254180; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20005 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254178/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_06; classtype:trojan-activity; sid:91254178; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20003 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254176; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254177; rev:1;) alert tcp $HOME_NET any -> [72.255.55.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"172.111.218.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254174; rev:1;) alert tcp $HOME_NET any -> [217.237.84.33] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254173; rev:1;) alert tcp $HOME_NET any -> [94.237.50.44] 7443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.34.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254170; rev:1;) alert tcp $HOME_NET any -> [89.105.201.43] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"altaskifer.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"christmascookie.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254079; rev:1;) alert tcp $HOME_NET any -> [185.196.10.207] 60195 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ezz.ust.cx"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254088; rev:1;) alert tcp $HOME_NET any -> [93.123.85.166] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"zarya-amura.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sunvi.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"akros.in.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d4d3a49ccbc77eb.php"; depth:21; nocase; http.host; content:"89.105.201.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254089; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nodejsmysql.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254085; rev:1;) alert tcp $HOME_NET any -> [154.204.176.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254084; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nodejsmysql.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nodejsmysql.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"49.232.214.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254080; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.128.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254077; rev:1;) alert tcp $HOME_NET any -> [123.57.143.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"123.57.143.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254075; rev:1;) alert tcp $HOME_NET any -> [154.204.176.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254074; rev:1;) alert tcp $HOME_NET any -> [111.230.117.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254073/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_06; classtype:trojan-activity; sid:91254073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.230.207.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.117.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.121.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254070; rev:1;) alert tcp $HOME_NET any -> [42.192.53.52] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"i.xlei.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i.xlei.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254068; rev:1;) alert tcp $HOME_NET any -> [116.205.189.199] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"206.189.182.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.236.230.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254064; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"107.151.247.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.151.247.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"110.34.30.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"altaskifer.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254058/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254058; rev:1;) alert tcp $HOME_NET any -> [89.105.201.240] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254057; rev:1;) alert tcp $HOME_NET any -> [154.9.255.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254056; rev:1;) alert tcp $HOME_NET any -> [109.120.177.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254055; rev:1;) alert tcp $HOME_NET any -> [23.224.4.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254054; rev:1;) alert tcp $HOME_NET any -> [23.224.4.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254053; rev:1;) alert tcp $HOME_NET any -> [216.224.119.201] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254052; rev:1;) alert tcp $HOME_NET any -> [74.48.129.190] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254051; rev:1;) alert tcp $HOME_NET any -> [41.97.189.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254050; rev:1;) alert tcp $HOME_NET any -> [4.236.36.4] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254049; rev:1;) alert tcp $HOME_NET any -> [62.72.26.78] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254048; rev:1;) alert tcp $HOME_NET any -> [52.223.20.75] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254047; rev:1;) alert tcp $HOME_NET any -> [88.130.123.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254046; rev:1;) alert tcp $HOME_NET any -> [104.156.255.239] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254045; rev:1;) alert tcp $HOME_NET any -> [185.196.8.48] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"135.125.124.72"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8.20.255.249"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"201.222.146.184"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"148.153.34.82"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"132.148.79.222"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"132.148.73.117"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"139.144.31.103"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.131.108.250"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.242.240.28"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.68.146.19"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.16.122.250"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.106.94.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.235.143.190"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"104.200.28.75"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.76.223.93"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.79.174.92"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.98.95"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.61.75.156"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.97.181"; 
depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"158.220.90.199"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"155.138.203.158"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"57.128.83.129"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"139.180.185.171"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.95.108.252"; depth:14; nocase; reference:url, 
threatfox.abuse.ch/ioc/1253929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"66.135.31.146"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.232.186.100"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.226.138.143"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.12.248.41"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"178.18.246.136"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253921/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253921; rev:1;)
# NOTE(review): the four "url" rules below (sid 91253918, 91253919, 91253917, 91253916) place the
# IP literal in the http.uri buffer with depth equal to its length and carry no http.host match.
# In an origin-form request (GET /path) the http.uri buffer starts with "/", so this content can
# only match an absolute-form request line (proxy-style "GET http://<ip>/..."). Expect these rules
# to be inert in most deployments; an http.host match, as the 100%-confidence url rules in this
# feed use, or an ip:port tcp rule for the same host would give an actual detection.
# "nocase" on a dotted-quad has no effect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.72.104.80"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.126.86.48"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"192.9.135.73"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253917; rev:1;)
# ip:port rule: fires once per source per 60 s (threshold) on any TCP connection to the listed
# host:port, independent of protocol content.
alert tcp $HOME_NET any -> [8.220.200.34] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.233.91.144"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91253916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.232.173.13"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"139.180.137.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"149.28.189.244"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vmd129057.contaboserver.net"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1253924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"24.199.109.6"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253952; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.154.24.57"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.151.20.137"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.153.135.83"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.213.54.49"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.122.200.171"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.134.126.43"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.215.162.167"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"67.21.33.208"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.85.235.39"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"109.123.244.131"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.87.148.132"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.122.186.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.213.79.229"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.122.128.77"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.80.253.141"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"150.136.16.205"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"202.61.141.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.229.60.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"104.168.122.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"8.134.69.22"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253976/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"39.101.70.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"38.6.218.204"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.175.35.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"120.48.99.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"117.72.9.31"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.70.143.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"101.35.198.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.5.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"20.205.173.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.132.193.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"103.163.208.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"142.171.62.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1253989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.136.20.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"167.71.91.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.81.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"34.81.83.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253993; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.1.189.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.10.10.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/login.php"; depth:21; nocase; http.host; content:"platformforcreateinterest.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/login.php"; depth:21; nocase; http.host; content:"bestofthebesttraining.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7vaficzogd/login.php"; depth:21; nocase; http.host; content:"pleasurecanbesafe.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/login.php"; depth:19; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/login.php"; depth:21; nocase; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/login.php"; depth:19; nocase; http.host; content:"ruspyc.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yandex/login.php"; depth:17; 
nocase; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enigma/login.php"; depth:17; nocase; http.host; content:"193.233.132.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/login.php"; depth:20; nocase; http.host; content:"185.196.10.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u8v5zeq/login.php"; depth:18; nocase; http.host; content:"193.3.19.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd9dd3vw/login.php"; depth:19; nocase; http.host; content:"second.amadgood.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254011/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"retromuzsika.hu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253867/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kawapopularna.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253868/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smartgamepiano.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253869/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.eurotranschanet.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253870/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"americanbussales.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253871/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mediterranews.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253879/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shodo.cosavostra.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253880/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tophomenews.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253881/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"osinkokuningas.fi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253882/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"iveri.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253883/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atvtrade.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253884/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"systra-logistik.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253885/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cremer-fliesen.de"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253886/; target:src_ip; metadata: 
confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asegurar1s.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91253887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 18746 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91253908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"cdnforfiles.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"file-transfer.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; 
content:"107.175.28.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.120.177.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"8.134.126.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"103.161.224.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.106.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254031/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_06; classtype:trojan-activity; sid:91254031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"46.226.164.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"huboftest.ir"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.156.10.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/login.php"; depth:16; nocase; http.host; content:"65.20.106.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.8.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.253"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.138.16.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.15.156.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.65.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254016; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.92.73"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.92.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; 
http.host; content:"95.216.41.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254017; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5554 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"whattotext.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"thecheapestcdn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253914; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ketmqfqxwbukenxmtkckkwyggqmbotuiaokzmnlumqfbcfiwdzobpipfkkymzpqlmqofkodnko"; depth:75; nocase; http.host; content:"thecheapestcdn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"salesoftskills.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wasted9sss1-57718.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254041; rev:1;) alert tcp $HOME_NET any -> [16.171.25.219] 8099 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254043; rev:1;) alert tcp $HOME_NET any -> [77.221.157.58] 38538 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254042/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_06; classtype:trojan-activity; sid:91254042; rev:1;) alert tcp $HOME_NET any -> [162.209.178.189] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91254001; rev:1;) alert tcp $HOME_NET any -> [162.209.178.188] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253999; rev:1;) alert tcp $HOME_NET any -> [162.209.178.187] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253998; rev:1;) alert tcp $HOME_NET any -> [162.209.178.190] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/members/9zbukm2fct"; depth:30; nocase; http.host; content:"162.209.178.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253996; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcnlaleanae8.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcnlaleanae9.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253911; rev:1;) alert tcp $HOME_NET any -> [193.143.1.197] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253907; rev:1;) alert tcp $HOME_NET any -> [195.211.124.144] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253906; rev:1;) alert tcp $HOME_NET any -> [212.224.86.223] 8056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253905; rev:1;) alert tcp $HOME_NET any -> [62.109.2.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1253904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253904; rev:1;) alert tcp $HOME_NET any -> [89.208.103.64] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253903; rev:1;) alert tcp $HOME_NET any -> [94.156.8.125] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253902; rev:1;) alert tcp $HOME_NET any -> [57.151.90.74] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253901; rev:1;) alert tcp $HOME_NET any -> [106.53.186.12] 8012 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253900; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253899; rev:1;) alert tcp $HOME_NET any -> [20.199.44.70] 1024 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253898; rev:1;) alert tcp $HOME_NET any -> [85.101.93.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253897; rev:1;) alert tcp $HOME_NET any -> [149.88.67.40] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253896; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253895; rev:1;) alert tcp $HOME_NET any -> [93.127.163.159] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253894; rev:1;) alert tcp $HOME_NET any -> [38.55.201.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; 
sid:91253893; rev:1;) alert tcp $HOME_NET any -> [45.66.217.179] 45 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253892; rev:1;) alert tcp $HOME_NET any -> [128.199.224.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253891; rev:1;) alert tcp $HOME_NET any -> [128.199.224.162] 63333 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253888; rev:1;) alert tcp 
$HOME_NET any -> [46.246.84.18] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253878; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253877; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253876; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253875; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253874; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253873/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253873; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253872; rev:1;) alert tcp $HOME_NET any -> [141.11.228.23] 65483 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bgagro.bg"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253841/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pinokiosacz.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253842/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"spinmortgage.com"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1253843/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"javtorrent.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253844/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"adktechs.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253845/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"janniolssondeler.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253846/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hubby69.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253847/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253847; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eneva.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253848/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.debarcadere.be"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253849/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bluewateryoga.com.au"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253850/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atasafaris.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253851/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"granitedevices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253852/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"76crimes.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253853/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"guitardivision.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253854/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"activefisher.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253856/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"searkweather.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253855/; 
target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"waheeda.nl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253857/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wakapi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253858/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"limatuju.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253859/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.absoluteestimating.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253860/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"canadajobbank.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253861/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xvideospornor.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253862/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sterling-sound.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253863/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"fantasy-hive.co.uk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253864/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; 
nocase; http.host; content:"virusvaria.nl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253865/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253865; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5553 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"promesasalvaro1.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253839; rev:1;) alert tcp $HOME_NET any -> [104.198.2.251] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jyiikm.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kapandayarankal.shop"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kanepedeyatan.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kapandayarkarnaval.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"karakasabadakan.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"karakamazandar.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253678/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_04_05; classtype:trojan-activity; sid:91253678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securebigloadprotecttemporary.php"; depth:34; nocase; http.host; content:"38.180.35.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253673; rev:1;) alert tcp $HOME_NET any -> [193.222.96.75] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253670/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253670; rev:1;) alert tcp $HOME_NET any -> [93.123.85.47] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253669/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253669; rev:1;) alert tcp $HOME_NET any -> [45.87.153.190] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253667/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_05; classtype:trojan-activity; sid:91253667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/improve/ustats/kozht9uj"; depth:24; nocase; http.host; content:"47.236.43.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.0.70"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0938913.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253662; rev:1;) alert tcp $HOME_NET any -> [46.29.234.85] 35727 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253661; rev:1;) alert tcp $HOME_NET any -> [154.204.177.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; 
sid:91253657; rev:1;) alert tcp $HOME_NET any -> [154.201.89.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253658; rev:1;) alert tcp $HOME_NET any -> [107.149.240.218] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"update.winservers-network.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.winservers-network.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253655; rev:1;) alert tcp $HOME_NET any -> [154.204.177.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253653; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.201.155.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253651; rev:1;) alert tcp $HOME_NET any -> [122.51.59.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"122.51.59.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"119.3.190.89"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1253648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253648; rev:1;) alert tcp $HOME_NET any -> [122.51.59.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"122.51.59.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253646; rev:1;) alert tcp $HOME_NET any -> [43.139.48.143] 1450 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"platformforcreateinterest.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdnforbusiness.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253642/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"creationofprogress.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fastestfreecdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufpufooootools/150_clwwfhzotee"; depth:32; nocase; http.host; content:"leibk.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253644; rev:1;) alert tcp $HOME_NET any -> [172.233.155.253] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253639; rev:1;) alert tcp $HOME_NET any -> [212.192.15.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; 
classtype:trojan-activity; sid:91253638; rev:1;) alert tcp $HOME_NET any -> [45.241.37.251] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253637; rev:1;) alert tcp $HOME_NET any -> [41.96.66.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253636; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253635; rev:1;) alert tcp $HOME_NET any -> [217.196.60.141] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bestofthebesttraining.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253633; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1253625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newnano-shel.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253624; rev:1;)
alert tcp $HOME_NET any -> [209.73.100.130] 6969 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingjoker420.ddnsking.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njpantalla.4cloud.click"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253623; rev:1;)
# NOTE(review): sid 91253604 below is the only "url" rule in this section that puts a bare
# hostname into http.uri with no http.host keyword and no isdataat anchor. Suricata's http.uri
# buffer holds the request URI (normally starting with the path), so a content match for
# "bestofthebesttraining.com" at depth 25 there is unlikely to fire on real traffic; it looks
# like a feed artefact from a URL IoC that had no path. The same indicator is already covered
# by the dns rule sid 91253633 (bestofthebesttraining.com) and by the host+path rule sid 91253605
# directly after this one, so nothing is lost if this entry is treated as dead. If it must be
# kept as an HTTP detection, the content match belongs on http.host, as in sid 91253605.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bestofthebesttraining.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1253604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"bestofthebesttraining.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253605; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.135] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253617; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253626; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253627; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253628; rev:1;)
alert tcp $HOME_NET any -> 
[18.158.249.75] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253629; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253630; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253631; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11464 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0938327.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253620; rev:1;) alert tcp $HOME_NET any -> [105.154.98.75] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"192.227.94.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oraclecloudsig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253615; rev:1;) alert tcp $HOME_NET any -> [31.172.87.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/translated"; depth:11; nocase; http.host; content:"oraclecloudsig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253614; rev:1;) alert tcp $HOME_NET any -> [38.180.82.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.180.82.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253612; rev:1;) alert tcp $HOME_NET any -> [193.143.1.198] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253611/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253611; rev:1;) alert tcp $HOME_NET any -> [193.143.1.207] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253610; rev:1;) alert tcp $HOME_NET any -> [193.143.1.196] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253609; rev:1;) alert tcp $HOME_NET any -> [193.233.132.58] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253608/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_04; classtype:trojan-activity; sid:91253608; rev:1;) alert tcp $HOME_NET any -> [91.92.253.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253603; rev:1;) alert tcp $HOME_NET any -> [20.124.81.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253602; rev:1;) alert tcp $HOME_NET any -> [43.143.112.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253601; rev:1;) alert tcp $HOME_NET any -> [178.73.218.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253600; rev:1;) alert tcp $HOME_NET any -> [46.246.82.18] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253599; rev:1;) alert tcp $HOME_NET any -> [78.161.126.239] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1253598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253598; rev:1;) alert tcp $HOME_NET any -> [104.236.70.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253597; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253596; rev:1;) alert tcp $HOME_NET any -> [162.33.177.165] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253595; rev:1;) alert tcp $HOME_NET any -> [86.125.229.50] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253594; rev:1;) alert tcp $HOME_NET any -> [47.243.188.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253593; rev:1;) alert tcp $HOME_NET any -> [47.238.200.165] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253592; rev:1;) alert tcp $HOME_NET any -> [151.236.220.113] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253591; rev:1;) alert tcp $HOME_NET any -> [81.43.22.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253590; rev:1;) alert tcp $HOME_NET any -> [192.121.162.196] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253589; rev:1;) alert tcp $HOME_NET any -> [109.116.170.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/4/longpoll/6/secure/eternallowdatalifebetter/linuxpublic4base/longpollwindowsprocessor/0poll/line/poll38processor/request7serverapi/dleupdate6/eternallowprocessorauthdblocaluploads.php"; depth:185; nocase; http.host; content:"80.71.227.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qs5d"; depth:5; nocase; http.host; content:"123.60.162.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discussion/mayo-clinic-radio-als/"; depth:34; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253585; rev:1;) alert tcp $HOME_NET any -> [46.246.84.9] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesserafimeasy.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253583/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253583; rev:1;) alert tcp $HOME_NET any -> [45.147.229.134] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253581; rev:1;) alert tcp $HOME_NET any -> [45.155.250.106] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"iseberkis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"dumingas.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.aspx"; depth:11; nocase; http.host; content:"somakop.app"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.aspx"; depth:11; nocase; http.host; content:"musarno.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253370; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253366; rev:1;) alert tcp $HOME_NET any -> [91.92.241.169] 3434 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253350/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.com.tr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253355; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"20.110.42.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.com.tr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"nt-stealer.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253363; rev:1;) alert tcp $HOME_NET any -> [20.110.42.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"64.176.41.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.140.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253347; rev:1;) alert tcp $HOME_NET any -> [104.168.145.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipv6.beijing-qax.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ipv6.beijing-qax.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253344/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_04; classtype:trojan-activity; sid:91253344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canarapay-f5agf9ccgteqbpg2.z03.azurefd.net"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/i7f9l/s0rm6wozidfyrb6yai2d"; depth:40; nocase; http.host; content:"canarapay-f5agf9ccgteqbpg2.z03.azurefd.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"49.233.244.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.75.6.207"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"64.176.41.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"shop.amazon-aws.fr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253338; rev:1;) alert tcp $HOME_NET any -> [129.211.26.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.211.26.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253335/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_04; classtype:trojan-activity; sid:91253335; rev:1;) alert tcp $HOME_NET any -> [81.17.17.70] 62520 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253334; rev:1;) alert tcp $HOME_NET any -> [141.98.102.227] 30311 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253333; rev:1;) alert tcp $HOME_NET any -> [74.91.29.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253331; rev:1;) alert tcp $HOME_NET any -> [45.88.186.209] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm2njm4yte3zjq2/"; depth:18; nocase; http.host; content:"185.161.248.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimdnq4mgqwzti1/"; depth:19; nocase; http.host; content:"psgrcsklmmallocprisma.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimeq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc2prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimvq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc3prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ythimeq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc5prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimrq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc4prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimmdmq4mgqwzti1/"; depth:20; nocase; http.host; content:"psgrcsklmmalloc6prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253320; rev:1;) alert tcp $HOME_NET any -> [147.45.47.64] 11837 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"154.12.30.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253328/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.159.58.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"118.25.182.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.155.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"47.109.137.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"49.233.244.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253322; rev:1;) alert tcp $HOME_NET any -> [139.9.193.13] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253321; rev:1;) alert tcp $HOME_NET any -> [192.3.216.139] 44800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253313; rev:1;) alert tcp $HOME_NET any -> [91.92.253.150] 2505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"bertol-metal.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253311; rev:1;) alert tcp $HOME_NET any -> [212.109.220.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253310; rev:1;) alert tcp $HOME_NET any -> [45.32.156.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253309; rev:1;) alert tcp $HOME_NET any -> [172.233.221.61] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253308; rev:1;) alert tcp $HOME_NET any -> [124.223.180.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253307; rev:1;) alert tcp $HOME_NET any -> [104.168.122.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253306; rev:1;) alert tcp $HOME_NET any -> [103.229.60.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253305; rev:1;) alert tcp $HOME_NET any -> [18.167.51.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253304; rev:1;) alert tcp $HOME_NET any -> [46.246.80.9] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253303; rev:1;) alert tcp $HOME_NET any -> [70.31.125.224] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253302; rev:1;) alert tcp $HOME_NET any -> [94.98.76.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253301; rev:1;) alert tcp $HOME_NET any -> 
[41.96.20.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253300; rev:1;) alert tcp $HOME_NET any -> [159.246.29.74] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253299; rev:1;) alert tcp $HOME_NET any -> [104.236.70.31] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253298; rev:1;) alert tcp $HOME_NET any -> [86.104.72.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253297; rev:1;) alert tcp $HOME_NET any -> [43.198.82.119] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253296; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253295/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_04; classtype:trojan-activity; sid:91253295; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 14555 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253294; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253293; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253292; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253290; rev:1;) alert tcp $HOME_NET any -> [195.201.47.206] 443 (msg:"ThreatFox Vidar botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253289; rev:1;) alert tcp $HOME_NET any -> [185.174.101.164] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253228; rev:1;) alert tcp $HOME_NET any -> [185.174.101.246] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253229; rev:1;) alert tcp $HOME_NET any -> [101.43.219.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253230; rev:1;) alert tcp $HOME_NET any -> [172.111.137.194] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253227; rev:1;) alert tcp $HOME_NET any -> [128.90.122.249] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; 
classtype:trojan-activity; sid:91253225; rev:1;) alert tcp $HOME_NET any -> [128.90.123.31] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253226; rev:1;) alert tcp $HOME_NET any -> [91.92.254.251] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253224; rev:1;) alert tcp $HOME_NET any -> [91.92.242.190] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253223; rev:1;) alert tcp $HOME_NET any -> [106.53.164.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253231; rev:1;) alert tcp $HOME_NET any -> [124.222.52.190] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253232; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253233; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 49227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253234; rev:1;) alert tcp $HOME_NET any -> [162.14.73.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253235; rev:1;) alert tcp $HOME_NET any -> [39.100.85.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253236; rev:1;) alert tcp $HOME_NET any -> [47.94.246.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253237; rev:1;) alert tcp $HOME_NET any -> [47.95.37.53] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253238; rev:1;) alert tcp $HOME_NET any -> 
[47.96.38.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253239; rev:1;) alert tcp $HOME_NET any -> [47.116.33.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253240; rev:1;) alert tcp $HOME_NET any -> [112.74.180.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253241; rev:1;) alert tcp $HOME_NET any -> [118.178.231.167] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253242; rev:1;) alert tcp $HOME_NET any -> [120.55.74.104] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253243; rev:1;) alert tcp $HOME_NET any -> [120.55.240.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253244/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253244; rev:1;) alert tcp $HOME_NET any -> [1.92.112.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253246; rev:1;) alert tcp $HOME_NET any -> [1.94.103.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253247; rev:1;) alert tcp $HOME_NET any -> [119.3.190.89] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253248; rev:1;) alert tcp $HOME_NET any -> [47.236.230.99] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253249; rev:1;) alert tcp $HOME_NET any -> [8.219.48.197] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253250; rev:1;) alert tcp $HOME_NET any -> [165.232.67.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253251; rev:1;) alert tcp $HOME_NET any -> [165.232.67.3] 4848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-healthcare-infra.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253253; rev:1;) alert tcp $HOME_NET any -> [143.198.126.173] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253254; rev:1;) alert tcp $HOME_NET any -> [107.174.90.234] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253255; rev:1;) alert tcp $HOME_NET any -> [170.106.178.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253256/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253256; rev:1;) alert tcp $HOME_NET any -> [106.75.6.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253257; rev:1;) alert tcp $HOME_NET any -> [64.176.41.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253258; rev:1;) alert tcp $HOME_NET any -> [64.176.41.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253259; rev:1;) alert tcp $HOME_NET any -> [66.135.4.59] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253260; rev:1;) alert tcp $HOME_NET any -> [139.180.198.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253261; rev:1;) alert tcp $HOME_NET any -> [154.92.14.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253262; rev:1;) alert tcp $HOME_NET any -> [66.103.204.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253263; rev:1;) alert tcp $HOME_NET any -> [118.107.4.157] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253270; rev:1;) alert tcp $HOME_NET any -> [117.72.35.189] 1231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253271; rev:1;) alert tcp $HOME_NET any -> [18.119.137.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253272; rev:1;) alert tcp $HOME_NET any -> [18.119.137.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; 
classtype:trojan-activity; sid:91253273; rev:1;) alert tcp $HOME_NET any -> [43.203.118.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253274; rev:1;) alert tcp $HOME_NET any -> [45.142.214.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253275; rev:1;) alert tcp $HOME_NET any -> [172.98.22.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253276; rev:1;) alert tcp $HOME_NET any -> [107.151.247.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253277; rev:1;) alert tcp $HOME_NET any -> [107.151.247.136] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253278; rev:1;) alert tcp $HOME_NET any -> [103.188.244.189] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253279; rev:1;) alert tcp $HOME_NET any -> [146.103.11.88] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253288; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253286; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253287; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253285; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253284; rev:1;) alert tcp $HOME_NET any -> [45.133.174.81] 2020 
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253283; rev:1;)
# --- Reviewer notes (apply to every rule in this section) ---
# Three rule shapes are used in this feed:
#  * "url" rules: http.uri is a PREFIX match (depth equals the pattern length, no end anchor),
#    while http.host is an EXACT match (depth anchors the start, isdataat:!1,relative anchors
#    the end). A request to any other hostname, including a subdomain of the listed one, does
#    not fire; a request to the listed host with a longer path under the same prefix does.
#  * "domain" rules: dns_query is an exact, case-insensitive match for the same reason; a lookup
#    of www.<name> or any other label in front of the listed name is NOT covered.
#  * "ip:port" rules: a bare tcp header match with no flow keyword, so every packet from
#    $HOME_NET to that ip:port alerts (including a lone SYN from a scanner or sandbox);
#    threshold limits this to one alert per source host per 60 s. No payload is inspected.
# confidence_level in the metadata is the rating attached to the ThreatFox submission, not a
# measured false-positive rate; corroborate 50% entries via the reference URL before blocking.
# NOTE(review): this is a regenerated feed, so keep local annotations like these in a tuning
# overlay rather than in the downloaded file -- they will be lost on the next refresh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updatelongpollprotect.php"; depth:26; nocase; http.host; content:"77.221.143.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253282; rev:1;)
alert tcp $HOME_NET any -> [173.254.204.77] 8026 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253281; rev:1;)
# a0933252.xsph.ru looks like a per-customer subdomain on a shared hosting domain; only the full
# hostname is matched here and only the full hostname should be blocked on this evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2a0949c1.php"; depth:13; nocase; http.host; content:"a0933252.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"170.106.178.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253269; rev:1;)
alert tcp $HOME_NET any -> [172.233.1.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resc/ewk"; depth:9; nocase; http.host; content:"172.233.1.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253267; rev:1;)
alert tcp $HOME_NET any -> [47.92.213.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"47.92.213.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253265; rev:1;)
# The RisePro hosts in this section each get two rules: port 50500 at 100% and port 8081 at
# 50%. Treat an 8081 hit on its own as weaker evidence than a 50500 hit.
alert tcp $HOME_NET any -> [193.233.132.226] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253264; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.226] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253245; rev:1;)
# From sid 91253222 down to sid 91253200 every ip:port entry is rated 50%, and several carry no
# family at all ("Unknown malware"). A hit is a lead to pivot on via the reference URL, not a
# confirmed compromise.
alert tcp $HOME_NET any -> [192.236.146.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253222; rev:1;)
alert tcp $HOME_NET any -> [77.221.154.28] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253221; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253220; rev:1;)
alert tcp $HOME_NET any -> [95.164.85.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253219; rev:1;)
alert tcp $HOME_NET any -> [20.117.210.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253218; rev:1;)
alert tcp $HOME_NET any -> [5.182.86.229] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253217; rev:1;)
alert tcp $HOME_NET any -> [79.137.202.60] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253216; rev:1;)
alert tcp $HOME_NET any -> [91.103.255.188] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253215; rev:1;)
alert tcp $HOME_NET any -> [38.55.201.18] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253214; rev:1;)
alert tcp $HOME_NET any -> [86.38.247.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253213; rev:1;)
alert tcp $HOME_NET any -> [185.23.182.196] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253212; rev:1;)
# The DCRat/QakBot/Havoc/BianLian/Sliver entries below are all 50%. Their ports (6000, 2078,
# 2222, 20001, 53535, ...) are non-standard, but only the tcp header is checked, so any
# legitimate service that happens to live on the same ip:port will alert as well.
alert tcp $HOME_NET any -> [46.246.14.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253211; rev:1;)
alert tcp $HOME_NET any -> [105.97.193.91] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253210; rev:1;)
alert tcp $HOME_NET any -> [86.185.5.114] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253209; rev:1;)
alert tcp $HOME_NET any -> [189.140.48.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253208; rev:1;)
alert tcp $HOME_NET any -> [37.114.41.230] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253207; rev:1;)
alert tcp $HOME_NET any -> [3.83.189.245] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253206; rev:1;)
alert tcp $HOME_NET any -> [185.149.146.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253205; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20001 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253204/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253204; rev:1;)
alert tcp $HOME_NET any -> [130.193.40.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253203; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.115] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253202; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.115] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253201; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253200; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.166] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253199; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253198; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healitytherapy.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"emonteiroadm.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"emonteiroadm.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252940; rev:1;)
# URI "/" with depth:1 is a prefix that every path satisfies, so the next four rules alert on ANY
# HTTP GET whose Host header is the bare IP. A bare-IP Host is unusual enough to keep them, but
# note that the same four hosts also appear in the Vidar ip:port rules further down
# (sids 91252949-91252952), so one infection may raise both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.179.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252956; rev:1;)
# The next two rules point at specific paths on legitimate public services (a Steam profile and
# a Telegram channel). Their IOC ids (1252955, 1252954) sit inside the Vidar batch
# (1252949-1252959), which is consistent with a dead-drop-resolver pattern -- confirm via the
# reference URL. Only the exact profile/channel path is the indicator: never widen these into a
# host-level block, and expect an alert if a user legitimately opens that exact page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199662282318"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t8jmhl"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252954; rev:1;)
alert tcp $HOME_NET any -> [95.216.179.73] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252949; rev:1;)
alert tcp $HOME_NET any -> [116.203.14.35] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252950; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.228] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252951; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252952; rev:1;)
alert tcp $HOME_NET any -> [65.109.243.191] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252953; rev:1;)
alert tcp $HOME_NET any -> [146.103.11.88] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252948; rev:1;)
# The service-*.tencentapigw.com(.cn) and drive-*.azurefd.net hostnames in this section are
# tenant-specific labels on shared cloud front-ends (apparently Tencent API Gateway and Azure
# Front Door). Only the full hostname is the IOC; the parent domains serve many legitimate
# tenants and must not be blocked or sinkholed on this evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"service-qwflcy7c-1305872204.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qwflcy7c-1305872204.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252945; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.253] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252944; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.253] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252942; rev:1;)
alert tcp $HOME_NET any -> [91.207.102.163] 9771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252939; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.222] 36829 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"goldensoftware.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252937; rev:1;)
alert tcp $HOME_NET any -> [154.221.16.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252934; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.139] 7775 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252933; rev:1;)
alert tcp $HOME_NET any -> [154.221.16.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252930; rev:1;)
alert tcp $HOME_NET any -> [124.222.52.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252929; rev:1;)
alert tcp $HOME_NET any -> [65.109.13.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive-east-us-fahybddhebhxejbb.z02.azurefd.net"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/686c6c647a/api-get"; depth:19; nocase; http.host; content:"drive-east-us-fahybddhebhxejbb.z02.azurefd.net"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252926; rev:1;)
alert tcp $HOME_NET any -> [47.236.43.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.236.43.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipesecure.php"; depth:15; nocase; http.host; content:"firerebbit.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discussion/mayo-clinic-radio-als/"; depth:34; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252922; rev:1;)
# 134.122.75.115 appears in four url rules (/dot.gif, /pixel, /__utm.gif, /activity). The paths
# are generic web-beacon names and are only meaningful together with the Host anchor -- do not
# reuse the URI patterns on their own. The msg gives no family; the surrounding ip:port entries
# in this batch are Cobalt Strike, but confirm via the reference before attributing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-n14rot1h-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-n14rot1h-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/o4gyipjzznwaey19wvgnuy7r2i"; depth:31; nocase; http.host; content:"gostatts.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252911; rev:1;)
alert tcp $HOME_NET any -> [47.92.140.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"213.109.202.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252908; rev:1;)
alert tcp $HOME_NET any -> [213.109.202.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252909; rev:1;)
alert tcp $HOME_NET any -> [46.101.71.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedrive"; depth:9; nocase; http.host; content:"chu-healthcare-infra.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-healthcare-infra.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252906; rev:1;)
# Another run of 50% ip:port entries (sids 91252904-91252896); same caveat as above: lead, not
# confirmation, and a legitimate service on the same ip:port will also trigger the header match.
alert tcp $HOME_NET any -> [194.32.149.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252904; rev:1;)
alert tcp $HOME_NET any -> [45.94.4.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252903; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252902; rev:1;)
alert tcp $HOME_NET any -> [45.76.180.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252901; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.37] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252900; rev:1;)
alert tcp $HOME_NET any -> [77.124.103.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252899; rev:1;)
alert tcp $HOME_NET any -> [207.180.230.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252898; rev:1;)
alert tcp $HOME_NET any -> [91.219.236.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252897; rev:1;)
alert tcp $HOME_NET any -> [168.119.236.136] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252896; rev:1;)
alert tcp $HOME_NET any -> [193.142.146.203] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252894; rev:1;)
# depth:188 equals the pattern length, so even this long path is still a prefix match. IOC id
# 1252895 is adjacent to the DarkGate ip:port entry above (1252894) but no family is stated in
# this rule's msg -- confirm via the reference before attributing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/centralsql/localvmasync0/trafficwindows/apitosql/proton/pythondefaultapi/defaulteternal6/better_3/dlehttp/wordpress8/6test6/temporary4privatemulti/linejs_multiprotecttrafficpublictemp.php"; depth:188; nocase; http.host; content:"185.230.64.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252895; rev:1;)
# Payload-delivery domains at 50%: exact dns_query match only, so a www. or other subdomain
# lookup will not trigger. If subdomain coverage is wanted, add a companion rule using
# Suricata's dotprefix/endswith transforms and accept the higher false-positive risk.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"comigoninguempodes.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"limpandoacasa.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"saldaolegal.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; 
classtype:trojan-activity; sid:91252830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"cinemaeuquero.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"31yc.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/fre.php"; depth:21; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.171.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/downloadsdump/7downloadsjs/lowmulti/generatorasyncgeneratordatalife/to/javascript/processpacket/videoimage7/linepollserverdatalife.php"; depth:135; nocase; http.host; content:"91.107.120.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252889; rev:1;) alert tcp $HOME_NET any -> [194.147.140.167] 1986 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.242.237.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252887; rev:1;) alert tcp $HOME_NET any -> [105.155.169.10] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252886; rev:1;) alert tcp $HOME_NET any -> [192.153.57.54] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252885; rev:1;) alert tcp $HOME_NET any -> [52.71.150.237] 443 (msg:"ThreatFox Serpent Stealer botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252884; rev:1;) alert tcp $HOME_NET any -> [100.24.150.174] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252883; rev:1;) alert tcp $HOME_NET any -> [44.194.68.71] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252882; rev:1;) alert tcp $HOME_NET any -> [5.252.177.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252881; rev:1;) alert tcp $HOME_NET any -> [14.225.208.190] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252880; rev:1;) alert tcp $HOME_NET any -> [144.91.109.161] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252879; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252878; rev:1;) alert tcp $HOME_NET any -> [91.92.254.34] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252877; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252876; rev:1;) alert tcp $HOME_NET any -> [51.254.186.98] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252875; rev:1;) alert tcp $HOME_NET any -> [94.98.181.154] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252874; rev:1;) alert tcp $HOME_NET any -> [94.98.186.180] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252873; rev:1;) alert tcp $HOME_NET any -> [66.50.8.125] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252872; rev:1;) alert tcp $HOME_NET any -> [41.107.100.224] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252871; rev:1;) alert tcp $HOME_NET any -> [154.197.69.33] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252870; rev:1;) alert tcp $HOME_NET any -> [125.160.213.15] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252869; rev:1;) alert tcp $HOME_NET any -> [41.232.216.196] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252868; rev:1;) alert tcp $HOME_NET any -> [147.50.253.190] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252867; rev:1;) alert tcp $HOME_NET any -> [39.120.184.43] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252866; rev:1;) alert tcp $HOME_NET any -> [89.213.140.91] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252865; rev:1;) alert tcp $HOME_NET any -> [172.111.139.246] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252864; rev:1;) alert tcp $HOME_NET any -> [23.94.30.124] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252863; rev:1;) alert tcp $HOME_NET any -> [45.74.50.132] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252862; rev:1;) alert tcp $HOME_NET any -> [41.68.131.21] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252861; rev:1;) alert tcp $HOME_NET any -> [111.229.114.158] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252860; rev:1;) alert tcp $HOME_NET any -> [2.224.144.191] 8089 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252859; rev:1;) alert tcp $HOME_NET any -> [184.182.242.110] 3306 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252858; rev:1;) alert tcp $HOME_NET any -> [3.17.181.161] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252857; rev:1;) alert tcp $HOME_NET any -> [220.69.33.83] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1252856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252856; rev:1;) alert tcp $HOME_NET any -> [211.226.30.202] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252854; rev:1;) alert tcp $HOME_NET any -> [125.141.145.190] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252853; rev:1;) alert tcp $HOME_NET any -> [211.226.30.198] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252852; rev:1;) alert tcp $HOME_NET any -> [172.187.180.204] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252851; rev:1;) alert tcp $HOME_NET any -> [13.38.235.203] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/853aaed2e28950b2.php"; depth:21; nocase; http.host; content:"89.105.223.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252849; rev:1;) alert tcp $HOME_NET any -> [103.180.186.144] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252848; rev:1;) alert tcp $HOME_NET any -> [3.92.185.192] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252847; rev:1;) alert tcp $HOME_NET any -> [54.226.31.121] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252846; rev:1;) alert tcp $HOME_NET any -> [47.120.14.97] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252845; rev:1;) alert tcp $HOME_NET any -> [13.200.127.74] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252844; rev:1;) alert tcp $HOME_NET any -> [94.156.68.16] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252843; rev:1;) alert tcp $HOME_NET any -> [94.156.69.11] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252842; rev:1;) alert tcp $HOME_NET any -> [82.156.43.68] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252841; rev:1;) alert tcp $HOME_NET any -> [37.37.183.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252840; rev:1;) alert tcp $HOME_NET any -> [152.42.140.119] 9001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252839; rev:1;) alert tcp $HOME_NET any -> [103.86.177.103] 443 (msg:"ThreatFox Meterpreter botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252838; rev:1;) alert tcp $HOME_NET any -> [65.109.124.116] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252837; rev:1;) alert tcp $HOME_NET any -> [156.192.141.126] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252836; rev:1;) alert tcp $HOME_NET any -> [132.145.80.201] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252835; rev:1;) alert tcp $HOME_NET any -> [3.115.218.3] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252834; rev:1;) alert tcp $HOME_NET any -> [86.106.20.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle1update/generatorprotect00/linuxprivatedownloadsprocess/toauth/dumpmariadbbetterjavascript/privatephpline/multiprotectuploads0/baseuniversal_windows/cdn/multi/6/8wordpress/5/uploadsservercdn/http/requestgamemultidefaultdle.php"; depth:230; nocase; http.host; content:"62.109.7.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252832; rev:1;) alert tcp $HOME_NET any -> [194.67.193.69] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252827; rev:1;) alert tcp $HOME_NET any -> [85.114.96.4] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252826; rev:1;) alert tcp $HOME_NET any -> [93.123.39.96] 443 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252825; rev:1;) alert tcp $HOME_NET any -> [194.116.214.7] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252824/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252824; rev:1;) alert tcp $HOME_NET any -> [83.136.232.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252823; rev:1;) alert tcp $HOME_NET any -> [5.42.106.136] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252822; rev:1;) alert tcp $HOME_NET any -> [185.216.70.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252821; rev:1;) alert tcp $HOME_NET any -> [27.124.32.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252820; rev:1;) alert tcp $HOME_NET any -> [38.55.201.16] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252819; rev:1;) alert tcp $HOME_NET any -> [1.161.115.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252818; rev:1;) alert tcp $HOME_NET any -> [103.20.60.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252817; rev:1;) alert tcp $HOME_NET any -> [64.176.224.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252816; rev:1;) alert tcp $HOME_NET any -> [101.33.35.171] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252815; rev:1;) alert tcp $HOME_NET any -> [51.159.183.32] 9000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252814; rev:1;) alert tcp $HOME_NET any -> [64.7.198.249] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252813; rev:1;) alert 
tcp $HOME_NET any -> [103.20.60.248] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252812; rev:1;)
# NOTE(review): 103.20.60.248 also appears on port 443 tagged Havoc (sid:91252817,
# confidence 50) among the preceding rules — same host, two ports, two attributions;
# pivot on the IP rather than the port when triaging a hit on either sid.
alert tcp $HOME_NET any -> [62.171.158.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252811; rev:1;)
# 206.188.196.174 is listed twice (443 and 31337), both as Sliver C2 — one server; a
# hit on either sid points at the same infrastructure. No flow keyword, so a bare
# connection attempt toward either port should alert.
alert tcp $HOME_NET any -> [206.188.196.174] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252810; rev:1;)
alert tcp $HOME_NET any -> [206.188.196.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252809; rev:1;)
# DNS rules: dns_query content anchored at offset 0 (depth equals the pattern length)
# with isdataat:!1,relative, so only an exact query for the domain fires — lookups for
# subdomains are not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galvaoministerio.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252807; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brigadafraternidade.com"; depth:23; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1252808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252808; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252806; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252805; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0938575.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twiceoohah.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252800/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_02; classtype:trojan-activity; sid:91252800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healitytherapy.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"semikan.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252798/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bavuor.bond"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.207.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252801; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252563; rev:1;) alert tcp $HOME_NET any -> [141.98.7.37] 65480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ahryssa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"ahryssa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252560; rev:1;) alert tcp $HOME_NET any -> [185.216.70.123] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252561; rev:1;) alert tcp $HOME_NET any -> [5.188.87.50] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252558; rev:1;) alert tcp $HOME_NET any -> [94.156.8.109] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trembolone.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252545/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252545; rev:1;) alert tcp $HOME_NET any -> [91.92.252.229] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w/index.php"; depth:12; nocase; http.host; content:"116.62.34.159"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.26.243.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252554; rev:1;) alert tcp $HOME_NET any -> [81.70.232.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.92.147.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.106.77.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"5.188.87.50"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252549; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.128.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252547; rev:1;) alert tcp $HOME_NET any -> [193.233.132.106] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252546; rev:1;) alert tcp $HOME_NET 
any -> [193.233.132.106] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252543; rev:1;) alert tcp $HOME_NET any -> [185.196.10.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252541; rev:1;) alert tcp $HOME_NET any -> [42.193.17.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.17.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252539; rev:1;) alert tcp $HOME_NET any -> 
[185.222.58.253] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"js.msedgeupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1252534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.93.63.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; 
sid:91252530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bind.bestresulttostart.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; 
content:"124.220.192.251"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252526; rev:1;) alert tcp $HOME_NET any -> [103.116.247.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252523; rev:1;) alert tcp $HOME_NET any -> [103.116.247.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.xfdaili.com"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.76.218.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"42.192.36.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.136.13.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252516/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_02; classtype:trojan-activity; sid:91252516; rev:1;) alert tcp $HOME_NET any -> [43.136.13.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.136.81.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252514; rev:1;) alert tcp $HOME_NET any -> [43.136.81.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"45.182.189.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252512; rev:1;) alert tcp $HOME_NET any -> [45.182.189.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252513/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_02; classtype:trojan-activity; sid:91252513; rev:1;) alert tcp $HOME_NET any -> [45.182.189.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"45.182.189.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/getb"; depth:12; nocase; http.host; content:"45.144.136.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob/fre.php"; depth:11; 
nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252506; rev:1;) alert tcp $HOME_NET any -> [194.147.140.157] 3361 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252505; rev:1;) alert tcp $HOME_NET any -> [202.61.141.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252504; rev:1;) alert tcp $HOME_NET any -> [202.61.141.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252503; rev:1;) alert tcp $HOME_NET any -> [139.199.2.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252502; rev:1;) alert tcp $HOME_NET any -> [94.156.71.212] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; 
sid:91252501; rev:1;) alert tcp $HOME_NET any -> [187.224.25.138] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252500; rev:1;) alert tcp $HOME_NET any -> [161.35.138.53] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252499; rev:1;) alert tcp $HOME_NET any -> [172.233.230.75] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252498; rev:1;) alert tcp $HOME_NET any -> [194.246.114.147] 40050 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252497; rev:1;) alert tcp $HOME_NET any -> [51.195.115.244] 7639 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252496; rev:1;) alert tcp $HOME_NET any -> [13.112.154.194] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252495/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252495; rev:1;) alert tcp $HOME_NET any -> [104.234.155.118] 5040 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252494; rev:1;) alert tcp $HOME_NET any -> [142.93.79.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; 
content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252491; rev:1;) alert tcp $HOME_NET any -> [194.147.140.229] 4718 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"saubere-dienste.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"buhexpert8.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252485/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"balabaksha.kz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252486/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alcorfund.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252487/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"unimus.ac.id"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252488/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mtlaikins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"schedule.golfballnutz.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"147.45.47.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/theme.js"; depth:17; nocase; http.host; content:"147.45.47.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"smtp.thanhancompony.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thanhancompony.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252480; rev:1;) alert tcp $HOME_NET any -> [104.168.32.17] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252473; rev:1;) alert tcp $HOME_NET any -> [104.234.204.151] 100 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252471; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 1337 (msg:"ThreatFox Kaiten botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252470; rev:1;) alert tcp $HOME_NET any -> [185.224.128.36] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252469; rev:1;) alert tcp $HOME_NET any -> [104.234.204.161] 100 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252460; rev:1;) alert tcp $HOME_NET any -> [85.239.33.129] 12345 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1252459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252459; rev:1;) alert tcp $HOME_NET any -> [104.234.204.151] 1 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252440; rev:1;) alert tcp $HOME_NET any -> [185.141.63.27] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252458; rev:1;) alert tcp $HOME_NET any -> [195.154.173.35] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252457; rev:1;) alert tcp $HOME_NET any -> [185.216.70.250] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.34.207"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252483; rev:1;) alert tcp $HOME_NET any -> [194.147.140.229] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"93757283cm.whiteproducts.ru"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesserafine.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252468; rev:1;) alert tcp $HOME_NET any -> [18.175.57.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umo3uuoo57.execute-api.us-east-1.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; 
sid:91252466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"umo3uuoo57.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"172.111.218.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252464; rev:1;) alert tcp $HOME_NET any -> [94.131.13.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.updateservices.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"api.updateservices.org"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252461; rev:1;) alert tcp $HOME_NET any -> [103.145.191.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252456; rev:1;) alert tcp $HOME_NET any -> [202.61.141.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252455; rev:1;) alert tcp $HOME_NET any -> [149.104.30.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252454; rev:1;) alert tcp $HOME_NET any -> [150.109.241.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252453; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252452; rev:1;) alert tcp $HOME_NET any -> 
[46.246.86.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252451; rev:1;) alert tcp $HOME_NET any -> [46.246.12.2] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252450; rev:1;) alert tcp $HOME_NET any -> [105.103.18.143] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252449; rev:1;) alert tcp $HOME_NET any -> [78.181.209.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252448; rev:1;) alert tcp $HOME_NET any -> [39.40.151.24] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252447; rev:1;) alert tcp $HOME_NET any -> [41.96.91.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252446/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_01; classtype:trojan-activity; sid:91252446; rev:1;) alert tcp $HOME_NET any -> [151.236.26.171] 3410 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252445; rev:1;) alert tcp $HOME_NET any -> [185.196.9.7] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252444; rev:1;) alert tcp $HOME_NET any -> [47.116.25.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252443; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252442; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gostatts.com"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252408; rev:1;) alert tcp $HOME_NET any -> [91.92.246.236] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252409; rev:1;) alert tcp $HOME_NET any -> [103.106.203.165] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252410; rev:1;) alert tcp $HOME_NET any -> [94.156.10.119] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252411; rev:1;) alert tcp $HOME_NET any -> [41.97.204.61] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applereports.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252413; rev:1;) alert tcp 
$HOME_NET any -> [94.156.10.119] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252414; rev:1;) alert tcp $HOME_NET any -> [45.63.52.184] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"axskowoe20.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"fqfqosoleosak23.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"xkslsxll294os.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252433/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"vaodfko2342o.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kamalankaranda.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"vasderosxls11.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252432/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252432; rev:1;) alert tcp $HOME_NET any -> [45.131.111.159] 777 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252416; rev:1;) alert tcp $HOME_NET any -> [67.217.60.78] 7855 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"aaaaoooopppplllll33.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"lauytropopo.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252438; rev:1;) alert tcp $HOME_NET any -> [38.15.51.3] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252338; rev:1;) alert tcp $HOME_NET any -> [50.34.35.222] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252339; rev:1;) alert tcp $HOME_NET any -> [51.223.58.16] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252340; rev:1;) alert tcp $HOME_NET any -> [82.69.26.196] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252341; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252342; rev:1;) alert tcp $HOME_NET any -> [181.162.159.238] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252343; rev:1;) alert tcp $HOME_NET any -> [190.203.52.245] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252344; rev:1;) alert tcp $HOME_NET any -> [194.48.251.116] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252345; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"mtlaikins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252348; rev:1;) alert tcp $HOME_NET any -> [173.201.180.75] 49737 (msg:"ThreatFox Agent Tesla payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252370; rev:1;) alert tcp $HOME_NET any -> [173.201.180.75] 49739 (msg:"ThreatFox Agent Tesla payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252371/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252371; rev:1;) alert tcp $HOME_NET any -> [1.14.66.185] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.bywe.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252373; rev:1;) alert tcp $HOME_NET any -> [1.14.152.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252374; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252375; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252376; rev:1;) alert tcp $HOME_NET any -> [124.220.192.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252377; rev:1;) alert tcp $HOME_NET any -> [8.130.88.184] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252378; rev:1;) alert tcp $HOME_NET any -> [8.130.118.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252379; rev:1;) alert tcp $HOME_NET any -> [8.137.126.202] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252380; rev:1;) alert tcp $HOME_NET any -> [8.140.254.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252381; rev:1;) alert tcp $HOME_NET any -> [47.92.34.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; 
classtype:trojan-activity; sid:91252382; rev:1;) alert tcp $HOME_NET any -> [47.93.12.178] 50002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252383; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252384; rev:1;) alert tcp $HOME_NET any -> [112.124.64.105] 7894 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252385; rev:1;) alert tcp $HOME_NET any -> [115.29.202.95] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252386; rev:1;) alert tcp $HOME_NET any -> [118.31.8.234] 6664 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252387; rev:1;) alert tcp $HOME_NET any -> [8.217.127.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252388; rev:1;) alert tcp $HOME_NET any -> [47.76.101.44] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252389; rev:1;) alert tcp $HOME_NET any -> [198.12.107.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252390; rev:1;) alert tcp $HOME_NET any -> [116.196.92.13] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252391; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252393; rev:1;) alert tcp $HOME_NET any -> [144.202.43.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252394; rev:1;) alert tcp 
$HOME_NET any -> [144.202.43.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252395; rev:1;) alert tcp $HOME_NET any -> [128.14.229.56] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252396; rev:1;) alert tcp $HOME_NET any -> [173.44.141.234] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252397; rev:1;) alert tcp $HOME_NET any -> [45.135.118.251] 35201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252398; rev:1;) alert tcp $HOME_NET any -> [123.184.43.123] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252399; rev:1;) alert tcp $HOME_NET any -> [89.147.108.109] 5093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252400; rev:1;) alert tcp $HOME_NET any -> [45.128.96.237] 64980 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252401; rev:1;) alert tcp $HOME_NET any -> [193.32.162.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252402; rev:1;) alert tcp $HOME_NET any -> [77.91.122.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252403; rev:1;) alert tcp $HOME_NET any -> [91.92.244.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ilearnschools.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252405/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; 
classtype:trojan-activity; sid:91252405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lokersma.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252406/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"emmikochteinfach.de"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252407/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252407; rev:1;) alert tcp $HOME_NET any -> [3.12.160.6] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252325; rev:1;) alert tcp $HOME_NET any -> [20.19.89.127] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252326; rev:1;) alert tcp $HOME_NET any -> [45.8.146.124] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; 
sid:91252327; rev:1;) alert tcp $HOME_NET any -> [51.195.94.201] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252328; rev:1;) alert tcp $HOME_NET any -> [88.229.5.89] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252329; rev:1;) alert tcp $HOME_NET any -> [88.252.160.133] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252330; rev:1;) alert tcp $HOME_NET any -> [91.110.144.1] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252331; rev:1;) alert tcp $HOME_NET any -> [156.195.238.74] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252332; rev:1;) alert tcp $HOME_NET any -> [172.94.8.163] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252333; rev:1;) alert tcp $HOME_NET any -> [172.94.9.138] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252334; rev:1;) alert tcp $HOME_NET any -> [207.180.232.14] 1973 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search"; depth:7; nocase; http.host; content:"81.181.110.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252439; rev:1;) alert tcp $HOME_NET any -> [146.70.113.136] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.googletagmauager.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; 
classtype:trojan-activity; sid:91252429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.googletagmauager.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stviw.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252422; rev:1;) alert tcp $HOME_NET any -> [78.47.221.177] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252423; rev:1;) alert tcp $HOME_NET any -> [168.119.60.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252424; rev:1;) alert tcp $HOME_NET any -> [95.217.155.87] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"mogor.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stviw.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mogor.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.155.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.60.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252419; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.221.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ca87122.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0934860.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bd4c8b2.php"; depth:13; nocase; http.host; content:"a0936238.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252368; rev:1;) alert tcp $HOME_NET any -> [77.221.156.45] 18734 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracktrafficprivatetest/javascript/dle0/0downloads02/geocpupython/universalsecure/javascriptauth.php"; depth:101; nocase; http.host; content:"91.92.252.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//receive.php"; depth:13; nocase; http.host; content:"botnetera.pagekite.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"huinyao.hunamuna.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252364; rev:1;) alert tcp $HOME_NET any -> [185.222.58.244] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; 
classtype:trojan-activity; sid:91252363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cf73329.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252362; rev:1;) alert tcp $HOME_NET any -> [5.61.63.125] 35333 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"490523cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252360; rev:1;) alert tcp $HOME_NET any -> [104.250.169.162] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252359; rev:1;) alert tcp $HOME_NET any -> [195.3.223.146] 6668 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252358/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_01; classtype:trojan-activity; sid:91252358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longpollflower.php"; depth:19; nocase; http.host; content:"77.105.161.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252357; rev:1;) alert tcp $HOME_NET any -> [91.92.250.84] 35966 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb488f9cb9d466ca.php"; depth:21; nocase; http.host; content:"185.216.70.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252355; rev:1;) alert tcp $HOME_NET any -> [144.217.189.92] 3000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252354; rev:1;) alert tcp $HOME_NET any -> [163.5.112.53] 51523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252353/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_01; classtype:trojan-activity; sid:91252353; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252352; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252351; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252350; rev:1;) alert tcp $HOME_NET any -> [154.236.129.160] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"big-walls.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252323; rev:1;) alert tcp $HOME_NET any -> [195.137.220.121] 
443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252324; rev:1;)
# Review note: every rule below matches traffic leaving $HOME_NET, and "target:src_ip"
# marks the internal source as the affected host, so an alert points at the victim, not
# at the IoC. The ip:port rules are rate-limited to one alert per source per 60 s by the
# "threshold" keyword; the domain and url rules carry no threshold and alert on every
# matching query or request. The "confidence_level" metadata (50/75/80/100) comes from
# the feed and is the field to key suppressions or severity on when tuning.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heicehjuisyq.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252321; rev:1;)
alert tcp $HOME_NET any -> [109.199.108.92] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omentget"; depth:9; nocase; http.host; content:"heicehjuisyq.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.224.24.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"62.234.180.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj"; depth:3; nocase; http.host; content:"195.137.220.121"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252315; rev:1;)
alert tcp $HOME_NET any -> [195.137.220.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"222.112.93.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.162.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"62.234.180.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.223.15.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"115.29.202.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"183.255.43.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.230.207.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252307; rev:1;)
alert tcp $HOME_NET any -> [111.230.207.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252308; rev:1;)
alert tcp $HOME_NET any -> [52.235.59.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ldap.htm"; depth:9; nocase; http.host; content:"goliathms.azureedge.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goliathms.azureedge.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rdtest.static.hao123-wise.otp.baidu.com.cn.cdn.dnsv1.com"; depth:56; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compute/cd/k7ba6v385v"; depth:22; nocase; http.host; content:"rdtest.static.hao123-wise.otp.baidu.com.cn.cdn.dnsv1.com"; depth:56; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252301; rev:1;)
alert tcp $HOME_NET any -> [47.101.170.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0935095.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252299; rev:1;)
alert tcp $HOME_NET any -> [77.91.123.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252298; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252297; rev:1;)
alert tcp $HOME_NET any -> [45.77.40.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252296; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252295; rev:1;)
alert tcp $HOME_NET any -> [38.6.218.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252294; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.178] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252293; rev:1;)
alert tcp $HOME_NET any -> [151.80.152.122] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252292; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.198] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252291; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252290; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.198] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252289; rev:1;)
alert tcp $HOME_NET any -> [193.124.205.100] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252288; rev:1;)
alert tcp $HOME_NET any -> [104.248.44.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252287; rev:1;)
alert tcp $HOME_NET any -> [111.180.192.60] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252286; rev:1;)
alert tcp $HOME_NET any -> [57.180.189.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252285; rev:1;)
alert tcp $HOME_NET any -> [3.36.144.103] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252284; rev:1;)
alert tcp $HOME_NET any -> [23.94.44.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/z.png"; depth:8; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/0x.png"; depth:9; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/a.png"; depth:8; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252255; rev:1;)
alert tcp $HOME_NET any -> [5.253.246.170] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_01; classtype:trojan-activity; sid:91252278; rev:1;)
alert tcp $HOME_NET any -> [8.134.126.121] 8086 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dockerupdate.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252280; rev:1;)
alert tcp $HOME_NET any -> [185.239.84.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dockerupdate.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252279; rev:1;)
alert tcp $HOME_NET any -> [195.123.217.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"195.123.217.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"185.236.231.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252274; rev:1;)
alert tcp $HOME_NET any -> [185.236.231.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252273; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.67] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252272; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.181] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252271; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.181] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252270; rev:1;)
alert tcp $HOME_NET any -> [185.43.4.238] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252269; rev:1;)
alert tcp $HOME_NET any -> [137.184.228.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252268; rev:1;)
alert tcp $HOME_NET any -> [18.166.113.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252267; rev:1;)
alert tcp $HOME_NET any -> [188.48.80.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252266; rev:1;)
alert tcp $HOME_NET any -> [172.233.120.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252265; rev:1;)
alert tcp $HOME_NET any -> [92.116.36.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252264; rev:1;)
alert tcp $HOME_NET any -> [159.65.173.112] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252263; rev:1;)
alert tcp $HOME_NET any -> [3.111.169.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252262; rev:1;)
alert tcp $HOME_NET any -> [146.190.108.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252261; rev:1;)
alert tcp $HOME_NET any -> [146.190.108.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252259; rev:1;)
alert tcp $HOME_NET any -> [8.147.132.135] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chniabank.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hentaiworld.tv"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.8ktv-test.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mlwmlw.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seorongdaiduong.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"serenitytherapy.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illitmagnetic.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252247; rev:1;)
alert tcp $HOME_NET any -> [93.185.166.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/common.css"; depth:11; nocase; http.host; content:"93.185.166.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.94.241.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.360safety.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252239; rev:1;)
alert tcp $HOME_NET any -> [8.147.132.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"plano-safra.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huboftest.ir"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bnd-servers.komakhazine.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giga.giganoob.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252231; rev:1;)
alert tcp $HOME_NET any -> [193.141.60.143] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252229; rev:1;)
alert tcp $HOME_NET any -> [193.141.60.143] 59432 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252230/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giga.giganoob.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252228; rev:1;)
alert tcp $HOME_NET any -> [103.35.190.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252227; rev:1;)
alert tcp $HOME_NET any -> [103.35.190.238] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252226; rev:1;)
alert tcp $HOME_NET any -> [45.61.136.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"45.61.136.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252224; rev:1;)
alert tcp $HOME_NET any -> [124.223.220.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3g.ali213.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info"; depth:5; nocase; http.host; content:"3g.ali213.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info"; depth:5; nocase; http.host; content:"m.old.gxjczx.gov.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.old.gxjczx.gov.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252220; rev:1;) alert tcp $HOME_NET any -> [154.219.177.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252218; rev:1;) alert tcp $HOME_NET any -> [192.236.176.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"192.236.176.143"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252216; rev:1;) alert tcp $HOME_NET any -> [156.232.192.101] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"121.199.0.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252213; rev:1;) alert tcp $HOME_NET any -> [121.199.0.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252214; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252212; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252210; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252211; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252209; rev:1;) alert tcp $HOME_NET any -> [45.152.86.86] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252207; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a.iruko.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252208/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252208; rev:1;) alert tcp $HOME_NET any -> [45.138.16.150] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252206; rev:1;) alert tcp $HOME_NET any -> [86.38.247.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252205; rev:1;) alert tcp $HOME_NET any -> [93.123.39.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252204/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252204; rev:1;) alert tcp $HOME_NET any -> [94.228.169.68] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252203; rev:1;) alert tcp $HOME_NET any -> [147.78.103.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252202; rev:1;) alert tcp $HOME_NET any -> [142.11.236.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252201; rev:1;) alert tcp $HOME_NET any -> [134.209.34.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252200; rev:1;) alert tcp $HOME_NET any -> [43.132.193.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252199/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252199; rev:1;) alert tcp $HOME_NET any -> [38.45.126.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252198; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252197; rev:1;) alert tcp $HOME_NET any -> [38.45.126.182] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252196; rev:1;) alert tcp $HOME_NET any -> [38.45.126.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252195; rev:1;) alert tcp $HOME_NET any -> [71.88.244.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252194; rev:1;) alert tcp $HOME_NET any -> [175.10.220.47] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252193; rev:1;) alert tcp $HOME_NET any -> [165.232.68.248] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252192; rev:1;) alert tcp $HOME_NET any -> [16.16.187.254] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252191/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_31; classtype:trojan-activity; sid:91252191; rev:1;) alert tcp $HOME_NET any -> [5.181.20.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252190; rev:1;) alert tcp $HOME_NET any -> [15.197.164.51] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252189; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251883; rev:1;) alert tcp $HOME_NET any -> [42.194.251.253] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251882; rev:1;) alert tcp $HOME_NET any -> [42.192.36.31] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hitech-us.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eatech.uk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"topcoloringpages.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seiji-folk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ww4.amazila.cz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252165/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wielkopolskamagazyn.pl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tanya-tanya.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"baaghitv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"192-168-1-1-admin-admin.ru"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252184/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lasantaespina.cat"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mepiu.it"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vipaco.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252187/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.beeldvorm.eu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nocapsrt.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1252030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nocapsrt.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252031; rev:1;) alert tcp $HOME_NET any -> [40.66.40.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1076575623880921249/1223388963822375054/sky-beta-setup.rar"; depth:71; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.49.156.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252180; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252177; rev:1;) alert tcp $HOME_NET any -> [154.219.151.250] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252176; rev:1;) alert tcp $HOME_NET any -> [156.232.192.121] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252175; rev:1;) alert tcp $HOME_NET any -> [154.219.177.143] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252174; rev:1;) alert tcp $HOME_NET any -> [156.232.186.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252173/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252173; rev:1;) alert tcp $HOME_NET any -> [156.232.186.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252172; rev:1;) alert tcp $HOME_NET any -> [154.219.154.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bjb5aex0-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/user"; depth:9; nocase; http.host; content:"service-bjb5aex0-1318428097.gz.tencentapigw.com.cn"; depth:50; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252166; rev:1;) alert tcp $HOME_NET any -> [20.115.56.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252029; rev:1;) alert tcp $HOME_NET any -> [165.232.68.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr8c"; 
depth:5; nocase; http.host; content:"112.124.64.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91252027; rev:1;) alert tcp $HOME_NET any -> [197.202.118.111] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"124.71.136.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252025; rev:1;) alert tcp $HOME_NET any -> [47.109.53.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252021; rev:1;) alert tcp $HOME_NET any -> [38.45.126.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252019; rev:1;) alert tcp $HOME_NET any -> [38.45.126.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252020; rev:1;) alert tcp $HOME_NET any -> [222.112.93.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252017; rev:1;) alert tcp $HOME_NET any -> [176.32.35.104] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252015; rev:1;) alert tcp $HOME_NET any -> [176.32.35.104] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252016; rev:1;) alert tcp $HOME_NET any -> [114.134.188.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252014; rev:1;) alert tcp $HOME_NET any -> [103.97.176.249] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252013; rev:1;) alert tcp $HOME_NET any -> [185.196.9.226] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252011; rev:1;) alert tcp $HOME_NET any -> [185.196.9.226] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252012; rev:1;) alert tcp $HOME_NET any -> [185.196.11.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252010; rev:1;) alert tcp $HOME_NET any -> [209.141.44.168] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252009; rev:1;) alert tcp $HOME_NET any -> [94.103.188.162] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252008; rev:1;) alert tcp $HOME_NET any -> [198.98.53.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252006/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252006; rev:1;) alert tcp $HOME_NET any -> [198.98.53.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252007; rev:1;) alert tcp $HOME_NET any -> [45.15.156.142] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleaninghouseinc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252004; rev:1;) alert tcp $HOME_NET any -> [170.130.55.104] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252001; rev:1;) alert tcp $HOME_NET any -> [170.130.165.44] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252002; rev:1;) alert tcp $HOME_NET any -> [173.44.141.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252003; rev:1;) alert tcp $HOME_NET any -> [103.30.76.64] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252000; rev:1;) alert tcp $HOME_NET any -> [206.237.2.203] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251999; rev:1;) alert tcp $HOME_NET any -> [94.156.69.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251998; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251996; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251997/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_30; classtype:trojan-activity; sid:91251997; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251995; rev:1;) alert tcp $HOME_NET any -> [23.224.196.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251991; rev:1;) alert tcp $HOME_NET any -> [23.225.14.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251992; rev:1;) alert tcp $HOME_NET any -> [38.6.177.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251993; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251994; rev:1;) alert tcp $HOME_NET any -> [165.154.162.112] 2323 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251990; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251989; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251987; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251988; rev:1;) alert tcp $HOME_NET any -> [117.50.188.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251986; rev:1;) alert tcp $HOME_NET any -> [172.212.14.172] 9005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251985; rev:1;) 
alert tcp $HOME_NET any -> [20.2.85.120] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251984; rev:1;) alert tcp $HOME_NET any -> [182.61.148.159] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251980; rev:1;) alert tcp $HOME_NET any -> [192.3.128.204] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251981; rev:1;) alert tcp $HOME_NET any -> [208.87.201.226] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251982; rev:1;) alert tcp $HOME_NET any -> [211.101.244.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251983; rev:1;) alert tcp $HOME_NET any -> [149.104.26.163] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1251973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251973; rev:1;) alert tcp $HOME_NET any -> [154.3.2.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251974; rev:1;) alert tcp $HOME_NET any -> [154.8.177.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251975; rev:1;) alert tcp $HOME_NET any -> [154.12.19.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251976; rev:1;) alert tcp $HOME_NET any -> [166.88.61.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251977; rev:1;) alert tcp $HOME_NET any -> [172.247.34.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251978; rev:1;) alert tcp $HOME_NET any -> 
[182.43.85.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251979; rev:1;) alert tcp $HOME_NET any -> [123.57.65.209] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251968; rev:1;) alert tcp $HOME_NET any -> [123.57.237.103] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251969; rev:1;) alert tcp $HOME_NET any -> [124.220.70.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251970; rev:1;) alert tcp $HOME_NET any -> [124.221.254.249] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251971; rev:1;) alert tcp $HOME_NET any -> [139.196.84.232] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251972; rev:1;) alert tcp $HOME_NET any -> [111.92.241.105] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251961; rev:1;) alert tcp $HOME_NET any -> [115.159.149.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251962; rev:1;) alert tcp $HOME_NET any -> [118.25.195.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251963; rev:1;) alert tcp $HOME_NET any -> [120.46.65.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251964; rev:1;) alert tcp $HOME_NET any -> [120.53.241.93] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251965; rev:1;) alert tcp $HOME_NET any -> 
[120.76.250.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251966; rev:1;) alert tcp $HOME_NET any -> [123.56.22.128] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251967; rev:1;) alert tcp $HOME_NET any -> [103.214.174.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251957; rev:1;) alert tcp $HOME_NET any -> [103.234.72.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251958; rev:1;) alert tcp $HOME_NET any -> [106.54.62.117] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251959; rev:1;) alert tcp $HOME_NET any -> [107.172.159.139] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251960; rev:1;) alert tcp $HOME_NET any -> [47.113.144.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251951; rev:1;) alert tcp $HOME_NET any -> [47.120.34.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251952; rev:1;) alert tcp $HOME_NET any -> [47.245.117.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251953; rev:1;) alert tcp $HOME_NET any -> [74.48.220.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251954; rev:1;) alert tcp $HOME_NET any -> [81.70.207.90] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251955; rev:1;) alert tcp $HOME_NET any -> [82.156.183.197] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251956; rev:1;) alert tcp $HOME_NET any -> [39.106.7.95] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251945; rev:1;) alert tcp $HOME_NET any -> [39.108.11.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251946; rev:1;) alert tcp $HOME_NET any -> [45.32.8.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251947; rev:1;) alert tcp $HOME_NET any -> [47.76.197.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251948; rev:1;) alert tcp $HOME_NET any -> [47.95.39.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251949/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251949; rev:1;) alert tcp $HOME_NET any -> [47.108.145.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251950; rev:1;) alert tcp $HOME_NET any -> [8.130.36.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251937; rev:1;) alert tcp $HOME_NET any -> [8.134.166.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251938; rev:1;) alert tcp $HOME_NET any -> [8.138.16.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251939; rev:1;) alert tcp $HOME_NET any -> [8.141.82.134] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251940; rev:1;) alert tcp $HOME_NET any -> [14.36.168.161] 60000 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251941; rev:1;) alert tcp $HOME_NET any -> [16.162.105.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251942; rev:1;) alert tcp $HOME_NET any -> [27.0.232.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251943; rev:1;) alert tcp $HOME_NET any -> [38.54.85.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251944; rev:1;) alert tcp $HOME_NET any -> [1.92.66.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251936; rev:1;) alert tcp $HOME_NET any -> [38.147.170.150] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251934/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251934; rev:1;) alert tcp $HOME_NET any -> [38.147.170.150] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251935; rev:1;) alert tcp $HOME_NET any -> [149.104.30.223] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251931; rev:1;) alert tcp $HOME_NET any -> [149.104.26.45] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251932; rev:1;) alert tcp $HOME_NET any -> [45.144.136.182] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251933; rev:1;) alert tcp $HOME_NET any -> [167.179.111.67] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251930; rev:1;) alert tcp $HOME_NET any -> [64.176.71.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251926; rev:1;) alert tcp $HOME_NET any -> [139.180.154.208] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251927; rev:1;) alert tcp $HOME_NET any -> [45.63.119.177] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251928; rev:1;) alert tcp $HOME_NET any -> [207.148.109.8] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251929; rev:1;) alert tcp $HOME_NET any -> [114.115.159.80] 60443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251925; rev:1;) alert tcp $HOME_NET any -> [117.50.185.133] 6444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; 
classtype:trojan-activity; sid:91251924; rev:1;) alert tcp $HOME_NET any -> [114.115.174.131] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251923; rev:1;) alert tcp $HOME_NET any -> [114.115.174.131] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251922; rev:1;) alert tcp $HOME_NET any -> [45.15.156.142] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251921; rev:1;) alert tcp $HOME_NET any -> [192.227.248.201] 9633 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251919; rev:1;) alert tcp $HOME_NET any -> [192.227.248.201] 50057 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251920; rev:1;) alert tcp $HOME_NET any -> [172.245.45.163] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251912; rev:1;) alert tcp $HOME_NET any -> [23.94.200.249] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251913; rev:1;) alert tcp $HOME_NET any -> [23.94.200.249] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251914; rev:1;) alert tcp $HOME_NET any -> [23.94.200.249] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251915; rev:1;) alert tcp $HOME_NET any -> [107.172.157.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251916; rev:1;) alert tcp $HOME_NET any -> [107.174.254.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251917; 
rev:1;) alert tcp $HOME_NET any -> [107.174.254.9] 7890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251918; rev:1;) alert tcp $HOME_NET any -> [107.173.114.222] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"175.27.137.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251907; rev:1;) alert tcp $HOME_NET any -> [47.236.41.162] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251906; rev:1;) alert tcp $HOME_NET any -> [8.217.117.6] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251903; rev:1;) alert tcp $HOME_NET any -> [8.217.117.6] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251904; rev:1;) alert tcp $HOME_NET any -> [8.217.117.6] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251905; rev:1;) alert tcp $HOME_NET any -> [47.76.219.122] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251902; rev:1;) alert tcp $HOME_NET any -> [8.210.224.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251901; rev:1;) alert tcp $HOME_NET any -> [8.217.137.245] 60012 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251900; rev:1;) alert tcp $HOME_NET any -> [47.254.46.30] 60891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; 
classtype:trojan-activity; sid:91251899; rev:1;) alert tcp $HOME_NET any -> [8.219.0.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251898; rev:1;) alert tcp $HOME_NET any -> [47.236.111.110] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251897; rev:1;) alert tcp $HOME_NET any -> [134.122.74.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251896; rev:1;) alert tcp $HOME_NET any -> [68.183.92.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251895; rev:1;) alert tcp $HOME_NET any -> [64.227.148.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251894; rev:1;) alert tcp $HOME_NET any -> [24.144.96.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251893; rev:1;) alert tcp $HOME_NET any -> [82.157.190.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251888; rev:1;) alert tcp $HOME_NET any -> [111.231.146.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251889; rev:1;) alert tcp $HOME_NET any -> [124.222.78.73] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251890; rev:1;) alert tcp $HOME_NET any -> [150.158.37.125] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251891; rev:1;) alert tcp $HOME_NET any -> [159.75.188.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251892; rev:1;) alert tcp 
$HOME_NET any -> [49.232.129.71] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251884; rev:1;) alert tcp $HOME_NET any -> [49.235.87.201] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251885; rev:1;) alert tcp $HOME_NET any -> [62.234.180.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251886; rev:1;) alert tcp $HOME_NET any -> [81.69.250.247] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251887; rev:1;) alert tcp $HOME_NET any -> [156.232.192.113] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251880; rev:1;) alert tcp $HOME_NET any -> [154.219.145.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251879; rev:1;) alert tcp $HOME_NET any -> [154.219.177.142] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251878; rev:1;) alert tcp $HOME_NET any -> [156.232.192.99] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251877; rev:1;) alert tcp $HOME_NET any -> [156.232.192.120] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251876; rev:1;) alert tcp $HOME_NET any -> [154.219.164.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251875; rev:1;) alert tcp $HOME_NET any -> [154.219.151.231] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251874; rev:1;) alert tcp $HOME_NET any -> [154.219.151.227] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251873; rev:1;) alert tcp $HOME_NET any -> [156.232.186.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251872; rev:1;) alert tcp $HOME_NET any -> [154.219.145.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251871; rev:1;) alert tcp $HOME_NET any -> [154.219.154.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251870; rev:1;) alert tcp $HOME_NET any -> [154.219.177.134] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251869; rev:1;) alert tcp $HOME_NET any -> [156.232.192.115] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251868/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251868; rev:1;) alert tcp $HOME_NET any -> [175.27.137.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"service-b7okr3qc-1300276284.nj.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b7okr3qc-1300276284.nj.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251866; rev:1;) alert tcp $HOME_NET any -> [154.219.154.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.198.33.161"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251863; rev:1;) alert tcp $HOME_NET any -> [154.219.145.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251862; rev:1;) alert tcp $HOME_NET any -> [154.219.164.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251861; rev:1;) alert tcp $HOME_NET any -> [156.232.192.117] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251860; rev:1;) alert tcp $HOME_NET any -> [154.219.151.243] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251859; rev:1;) alert tcp $HOME_NET any -> [154.219.154.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251858; rev:1;) alert tcp 
$HOME_NET any -> [156.232.186.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251857; rev:1;) alert tcp $HOME_NET any -> [154.219.151.228] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251856; rev:1;) alert tcp $HOME_NET any -> [156.232.186.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251855; rev:1;) alert tcp $HOME_NET any -> [154.219.151.252] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251854; rev:1;) alert tcp $HOME_NET any -> [154.219.145.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251853; rev:1;) alert tcp $HOME_NET any -> [154.219.177.148] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251852; rev:1;) alert tcp $HOME_NET any -> [156.232.192.100] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251851; rev:1;) alert tcp $HOME_NET any -> [154.219.154.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251850; rev:1;) alert tcp $HOME_NET any -> [154.219.164.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251849; rev:1;) alert tcp $HOME_NET any -> [154.219.177.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251848; rev:1;) alert tcp $HOME_NET any -> [156.232.186.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251847; rev:1;) alert tcp $HOME_NET any -> [154.219.154.89] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251846; rev:1;) alert tcp $HOME_NET any -> [154.219.154.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251845; rev:1;) alert tcp $HOME_NET any -> [154.219.145.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251844; rev:1;) alert tcp $HOME_NET any -> [154.219.151.238] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251843; rev:1;) alert tcp $HOME_NET any -> [154.219.145.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251842; rev:1;) alert tcp $HOME_NET any -> [156.232.186.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251841/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.25.1.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251840; rev:1;) alert tcp $HOME_NET any -> [137.175.88.241] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251829; rev:1;) alert tcp $HOME_NET any -> [137.175.88.242] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251830; rev:1;) alert tcp $HOME_NET any -> [137.175.88.243] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251831; rev:1;) alert tcp $HOME_NET any -> [137.175.88.244] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251832; rev:1;) alert tcp $HOME_NET any -> 
[137.175.88.245] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251833; rev:1;) alert tcp $HOME_NET any -> [198.2.217.64] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251834; rev:1;) alert tcp $HOME_NET any -> [198.2.217.65] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251835; rev:1;) alert tcp $HOME_NET any -> [198.2.217.66] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251836; rev:1;) alert tcp $HOME_NET any -> [198.2.217.67] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251837; rev:1;) alert tcp $HOME_NET any -> [198.2.217.68] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251838/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251838; rev:1;) alert tcp $HOME_NET any -> [198.2.217.69] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.nnmm234.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.xxcc789.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.jjkk567.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.vvbb321.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251827; rev:1;) alert tcp $HOME_NET any -> [8.137.91.85] 443 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251754; rev:1;) alert tcp $HOME_NET any -> [8.137.127.73] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251755; rev:1;) alert tcp $HOME_NET any -> [8.130.48.46] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251752; rev:1;) alert tcp $HOME_NET any -> [8.130.165.254] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251753; rev:1;) alert tcp $HOME_NET any -> [8.130.37.38] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251750; rev:1;) alert tcp $HOME_NET any -> [8.130.45.8] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251751/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_30; classtype:trojan-activity; sid:91251751; rev:1;) alert tcp $HOME_NET any -> [172.94.8.37] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251748; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251749; rev:1;) alert tcp $HOME_NET any -> [91.92.120.13] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251747; rev:1;) alert tcp $HOME_NET any -> [77.105.219.98] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251745; rev:1;) alert tcp $HOME_NET any -> [88.229.0.76] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251746; rev:1;) alert tcp $HOME_NET any -> [39.100.68.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1251756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251756; rev:1;) alert tcp $HOME_NET any -> [39.101.75.126] 37777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251757; rev:1;) alert tcp $HOME_NET any -> [39.103.196.134] 33889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251758; rev:1;) alert tcp $HOME_NET any -> [39.105.24.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251759; rev:1;) alert tcp $HOME_NET any -> [39.105.184.73] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251760; rev:1;) alert tcp $HOME_NET any -> [47.92.140.21] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251761; rev:1;) alert tcp $HOME_NET any -> 
[47.92.147.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251762; rev:1;) alert tcp $HOME_NET any -> [47.94.220.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251763; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251764; rev:1;) alert tcp $HOME_NET any -> [47.108.24.97] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251765; rev:1;) alert tcp $HOME_NET any -> [47.108.157.156] 50099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251766; rev:1;) alert tcp $HOME_NET any -> [47.108.180.121] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251767; rev:1;) alert tcp $HOME_NET any -> [47.108.254.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251768; rev:1;) alert tcp $HOME_NET any -> [47.113.147.219] 50080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251769; rev:1;) alert tcp $HOME_NET any -> [47.113.188.133] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251770; rev:1;) alert tcp $HOME_NET any -> [47.115.210.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251771; rev:1;) alert tcp $HOME_NET any -> [47.120.45.70] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251772; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 13564 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251774; rev:1;) alert tcp $HOME_NET any -> [47.120.67.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251773; rev:1;) alert tcp $HOME_NET any -> [60.205.2.104] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251775; rev:1;) alert tcp $HOME_NET any -> [101.201.53.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251776; rev:1;) alert tcp $HOME_NET any -> [106.14.56.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251777; rev:1;) alert tcp $HOME_NET any -> [116.62.4.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251778/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251778; rev:1;) alert tcp $HOME_NET any -> [116.62.34.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251779; rev:1;) alert tcp $HOME_NET any -> [120.26.102.134] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251780; rev:1;) alert tcp $HOME_NET any -> [120.26.195.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251781; rev:1;) alert tcp $HOME_NET any -> [120.55.47.4] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251782; rev:1;) alert tcp $HOME_NET any -> [120.55.183.142] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251783; rev:1;) alert tcp $HOME_NET any -> [121.43.114.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251784; rev:1;) alert tcp $HOME_NET any -> [121.199.0.54] 14443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251785; rev:1;) alert tcp $HOME_NET any -> [139.224.194.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.donquichottedeladendre-ath.be"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251798/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"stanta.co.uk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"juststories.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251800/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kemilektioner.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251801/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"support.dotregis.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251802/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cantinalandi.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251803/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"descarca.info"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251804/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"exceloffthegrid.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251805/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anbu.bond"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251742; rev:1;) alert tcp $HOME_NET any -> [167.86.115.184] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251744; rev:1;) alert tcp $HOME_NET any -> [195.10.205.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251741; rev:1;) alert tcp $HOME_NET any -> [2.58.56.109] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251743/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251743; rev:1;) alert tcp $HOME_NET any -> [89.213.140.115] 443 (msg:"ThreatFox Nova Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.213.140.115.nerozix.ovh"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onsttuiona.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251737; rev:1;) alert tcp $HOME_NET any -> [185.224.128.34] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251739; rev:1;) alert tcp $HOME_NET any -> [185.196.10.58] 5140 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/mauqes.rar"; depth:20; nocase; http.host; content:"www.gamerforyou.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitonecore.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/8xgv80zsbs5mp92wr3xrj/onebit-core.zip"; depth:45; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251716; rev:1;) alert tcp $HOME_NET any -> [176.113.115.229] 36576 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251732; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251712; rev:1;) alert tcp $HOME_NET any -> 
[92.63.192.108] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251824; rev:1;) alert tcp $HOME_NET any -> [147.182.199.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251823; rev:1;) alert tcp $HOME_NET any -> [77.221.156.22] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251822; rev:1;) alert tcp $HOME_NET any -> [143.198.54.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251821; rev:1;) alert tcp $HOME_NET any -> [45.207.36.45] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251820; rev:1;) alert tcp $HOME_NET any -> [104.161.53.196] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251819/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251819; rev:1;) alert tcp $HOME_NET any -> [125.209.169.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251818; rev:1;) alert tcp $HOME_NET any -> [41.96.180.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251817; rev:1;) alert tcp $HOME_NET any -> [97.118.60.71] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251816; rev:1;) alert tcp $HOME_NET any -> [140.246.157.86] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251815; rev:1;) alert tcp $HOME_NET any -> [110.40.133.81] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251814; rev:1;) alert tcp $HOME_NET any -> [92.116.39.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251813; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251812; rev:1;) alert tcp $HOME_NET any -> [8.219.236.149] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251811; rev:1;) alert tcp $HOME_NET any -> [217.182.79.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251810; rev:1;) alert tcp $HOME_NET any -> [217.237.82.88] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251809; rev:1;) alert tcp $HOME_NET any -> [121.127.33.69] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251808; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.215.123.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251807; rev:1;) alert tcp $HOME_NET any -> [193.233.132.108] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251806; rev:1;) alert tcp $HOME_NET any -> [194.67.193.69] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251797/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251797; rev:1;) alert tcp $HOME_NET any -> [154.219.154.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251795; rev:1;) alert tcp $HOME_NET any -> [154.219.177.155] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251794; rev:1;) alert tcp $HOME_NET any -> [156.232.186.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251793; rev:1;) alert tcp $HOME_NET any -> [43.240.48.69] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251792; rev:1;) alert tcp $HOME_NET any -> [154.219.177.131] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251791; rev:1;) alert tcp $HOME_NET any -> [154.219.151.245] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251790; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 4787 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251789; rev:1;) alert tcp $HOME_NET any -> [217.63.234.90] 1313 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251788; rev:1;) alert 
tcp $HOME_NET any -> [193.233.132.108] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0935883.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251740; rev:1;) alert tcp $HOME_NET any -> [185.216.70.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251731; rev:1;) alert tcp $HOME_NET any -> [195.133.88.120] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251730; rev:1;) alert tcp $HOME_NET any -> [174.138.63.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251729; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251728/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251728; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12853 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251727/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251727; rev:1;) alert tcp $HOME_NET any -> [45.241.43.95] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251726; rev:1;) alert tcp $HOME_NET any -> [2.50.51.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251725; rev:1;) alert tcp $HOME_NET any -> [185.239.209.56] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251724; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251723; rev:1;) alert tcp 
$HOME_NET any -> [45.77.255.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251722; rev:1;) alert tcp $HOME_NET any -> [183.36.40.98] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251721; rev:1;) alert tcp $HOME_NET any -> [103.169.126.238] 44447 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251720; rev:1;) alert tcp $HOME_NET any -> [164.90.238.212] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251719; rev:1;) alert tcp $HOME_NET any -> [210.215.129.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251718; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251714/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251714; rev:1;) alert tcp $HOME_NET any -> [162.120.71.68] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"widur.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.221.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"widur.xyz"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251708; rev:1;) alert tcp $HOME_NET any -> [95.216.176.246] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251706; rev:1;) alert tcp $HOME_NET any -> [78.47.221.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251707; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251705; rev:1;) alert tcp $HOME_NET any -> [156.232.192.122] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251704; rev:1;) alert tcp $HOME_NET any -> [154.219.154.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251703; rev:1;) alert tcp $HOME_NET any -> 
[156.232.192.103] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251702; rev:1;) alert tcp $HOME_NET any -> [154.219.154.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251701; rev:1;) alert tcp $HOME_NET any -> [156.232.192.104] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251700; rev:1;) alert tcp $HOME_NET any -> [43.240.48.103] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251699; rev:1;) alert tcp $HOME_NET any -> [154.219.154.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251698; rev:1;) alert tcp $HOME_NET any -> [154.219.151.235] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251697; rev:1;) alert tcp $HOME_NET any -> [156.232.186.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251696; rev:1;) alert tcp $HOME_NET any -> [154.219.154.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251695; rev:1;) alert tcp $HOME_NET any -> [156.232.192.109] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251694; rev:1;) alert tcp $HOME_NET any -> [154.219.151.236] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251693; rev:1;) alert tcp $HOME_NET any -> [154.219.151.239] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251692; rev:1;) alert tcp $HOME_NET any -> [156.232.186.202] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251691; rev:1;) alert tcp $HOME_NET any -> [156.232.186.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251690; rev:1;) alert tcp $HOME_NET any -> [154.219.163.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251689; rev:1;) alert tcp $HOME_NET any -> [154.219.163.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251688; rev:1;) alert tcp $HOME_NET any -> [43.240.48.121] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251687; rev:1;) alert tcp $HOME_NET any -> [45.156.217.9] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251686/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251686; rev:1;) alert tcp $HOME_NET any -> [154.219.177.132] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251685; rev:1;) alert tcp $HOME_NET any -> [154.219.177.139] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251684; rev:1;) alert tcp $HOME_NET any -> [156.232.186.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251683; rev:1;) alert tcp $HOME_NET any -> [154.219.177.157] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251682; rev:1;) alert tcp $HOME_NET any -> [154.219.177.153] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251681; rev:1;) alert tcp $HOME_NET any -> [154.219.163.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251680; rev:1;) alert tcp $HOME_NET any -> [156.232.186.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251679; rev:1;) alert tcp $HOME_NET any -> [154.219.177.145] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251678; rev:1;) alert tcp $HOME_NET any -> [156.232.192.107] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251677; rev:1;) alert tcp $HOME_NET any -> [154.219.145.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251676; rev:1;) alert tcp $HOME_NET any -> [154.219.177.152] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251675/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251675; rev:1;) alert tcp $HOME_NET any -> [154.219.145.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251674; rev:1;) alert tcp $HOME_NET any -> [156.232.186.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"ezshipsy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ezshipsy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"edulokam.com"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1251434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251434; rev:1;) alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jsluna.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"jsluna.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251437; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 5491 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"registration-nil.gl.at.ply.gg"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251653; rev:1;) alert tcp $HOME_NET any -> [154.219.177.149] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251672; rev:1;) alert tcp $HOME_NET any -> [156.232.192.118] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251671; rev:1;) alert tcp $HOME_NET any -> [154.219.154.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251670; rev:1;) alert tcp $HOME_NET any -> [156.232.192.108] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251669; rev:1;) alert tcp $HOME_NET any -> [122.10.78.230] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251668; rev:1;) alert tcp 
$HOME_NET any -> [154.219.151.251] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251667; rev:1;) alert tcp $HOME_NET any -> [154.219.151.234] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251666; rev:1;) alert tcp $HOME_NET any -> [154.219.163.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251665; rev:1;) alert tcp $HOME_NET any -> [156.232.192.119] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251664; rev:1;) alert tcp $HOME_NET any -> [45.156.217.2] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251663; rev:1;) alert tcp $HOME_NET any -> [156.232.186.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251662; rev:1;) alert tcp $HOME_NET any -> [43.240.48.67] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251661; rev:1;) alert tcp $HOME_NET any -> [156.232.186.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251660; rev:1;) alert tcp $HOME_NET any -> [154.219.163.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251659; rev:1;) alert tcp $HOME_NET any -> [154.219.151.237] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251658; rev:1;) alert tcp $HOME_NET any -> [154.219.145.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251657; rev:1;) alert tcp $HOME_NET any -> [154.219.151.246] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251656; rev:1;) alert tcp $HOME_NET any -> [154.219.151.233] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251655; rev:1;) alert tcp $HOME_NET any -> [154.219.163.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmtojssqldblinuxtrafficlocal.php"; depth:33; nocase; http.host; content:"131217cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251651; rev:1;) alert tcp $HOME_NET any -> [8.218.29.187] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.212"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.13.125"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.78"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.12.98"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.152"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
# NOTE(review): sid 91251315 (below) cannot fire on its intended target. Its Host check is content:"http"; depth:4; isdataat:!1,relative;, i.e. the Host header must be exactly "http", and its URI check is "//84.54.51.144:7070" at offset 0 of http.uri. That looks like the IOC "http://84.54.51.144:7070" split on the wrong separator by the rule generator; real beacons to that server produce neither value. If the IOC is kept, re-express it as a host match (e.g. `http.host; content:"84.54.51.144"; depth:12; isdataat:!1,relative;` — http.host normally omits the port, use http.host.raw if ":7070" must be matched) and/or as a tcp ip:port rule to [84.54.51.144] 7070 in the style of the other ip:port entries in this feed. Confirm the original IOC at the referenced ThreatFox URL before rewriting.
# NOTE(review): sids 91251304-91251325 (this line and the adjacent ones) anchor a bare IP string at offset 0 of http.uri (depth equals the content length) with no http.host check. As far as I can tell the normalized URI begins with "/" for origin-form requests and with the scheme for absolute-form ones, so these rules only match a request line that literally starts with the IP — expect few or no hits. Consider pairing each with an http.host or ip:port rule for the same address so the IOC is actually actionable.
content:"GET"; http.uri; content:"45.137.207.144"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.71"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.19"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//84.54.51.144:7070"; depth:19; nocase; http.host; content:"http"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.205"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.208"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.207"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.107"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.195"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"84.54.51.132"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.206"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"2.58.95.55"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.138"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.81.230.244"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"54.39.67.23"; 
depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.132.100"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.211.81"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.196.162.3"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.222.196.58"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.59.65.43"; depth:11; nocase; reference:url, 
threatfox.abuse.ch/ioc/1251330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.22.165"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.196.244.80"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"142.44.236.7"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.44"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251335/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.9"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.8"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.91.127.66"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.20"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.53"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251341/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.200"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.41"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.2"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.7"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.37"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251344; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.193.4"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.194.10"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"158.51.96.17"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.193.106"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.98.57.36"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251350; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.98.58.246"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"199.195.251.103"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.141.35.229"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.51"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.255.74"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.193"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.137.203.236"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.103.253.34"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"41.216.182.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"195.58.39.34"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.82.135.217"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"86.104.194.180"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.107.139.159"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.4.235.175"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"93.123.85.59"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"185.148.241.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.249.48.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.64"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.171.121.161"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"betaproxy.herios-stresser.space"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chrysler.vip"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chryslernetwork.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorillaproxy.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kane.kingswoklongwood.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proxys.herios-stress.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorillaproxy.su"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251376/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"balkanskiskidovi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blyndz.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"egirls.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"holding.homes"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"santa.army"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seized.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stitch.army"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251383/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"caovh.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.nekofish.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metis-kill-faggots.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"niggakilla.xyz"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proxy.iswearimnotgay.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251388/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.141.160"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.13.164"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.162"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poggo-proxy.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1251392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tomware.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251389/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dash.authillusion.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eternalservices.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frostedfamily.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeicjslvodjfklllf.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251394/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aemvieudjkscbbb.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251395/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aenbcisbflkdjjjccc.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251396/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeocidkcsjxxcxcc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251397/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xs.ooxxoxox.win"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251398/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a.refusal.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"bl.refusal.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cafe.refusal.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"info.refusal.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251402/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"refusal.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"report.refusal.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sb.refusal.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1251405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alo.taxido.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wyng.whiting.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fleurs-parfaites.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdnet-web.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.254.198.211"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251410/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalparac2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalparadisec2.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madeyourbackup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251413; rev:1;) alert tcp $HOME_NET any -> [103.173.178.208] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251428/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ap.akdns.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251429/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251429; rev:1;) alert tcp $HOME_NET any -> [91.92.253.144] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251427; rev:1;) alert tcp $HOME_NET any -> [47.120.13.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.218.29.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251425; rev:1;) alert tcp $HOME_NET any -> [185.172.128.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faqpage.js"; depth:11; nocase; http.host; content:"averatechsolutions.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"averatechsolutions.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"212.129.223.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251421; rev:1;) alert tcp $HOME_NET any -> [3.133.159.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"3.133.159.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251419; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipv6test/test"; depth:14; nocase; http.host; content:"47.113.179.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251418; rev:1;) alert tcp $HOME_NET any -> [92.63.193.141] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gays.egorvlasov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251416; rev:1;) alert tcp $HOME_NET any -> [170.64.236.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"170.64.236.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251414/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251414; rev:1;) alert tcp $HOME_NET any -> [43.240.48.124] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251301; rev:1;) alert tcp $HOME_NET any -> [154.219.164.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251300; rev:1;) alert tcp $HOME_NET any -> [154.219.151.253] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251299; rev:1;) alert tcp $HOME_NET any -> [154.219.164.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251298; rev:1;) alert tcp $HOME_NET any -> [154.219.154.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251297; rev:1;) alert tcp $HOME_NET any -> [156.232.186.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251296; rev:1;) alert tcp $HOME_NET any -> [154.219.151.241] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251295; rev:1;) alert tcp $HOME_NET any -> [43.240.49.188] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251293; rev:1;) alert tcp $HOME_NET any -> [154.219.154.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251292; rev:1;) alert tcp $HOME_NET any -> [43.240.48.97] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251291; rev:1;) alert tcp $HOME_NET any -> [156.232.192.124] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251290; rev:1;) alert tcp $HOME_NET any -> [154.219.145.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251289; rev:1;) alert tcp $HOME_NET any -> [154.219.163.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251288; rev:1;) alert tcp $HOME_NET any -> [156.232.192.112] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251287; rev:1;) alert tcp $HOME_NET any -> [154.219.154.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251286; rev:1;) alert tcp $HOME_NET any -> [43.240.48.111] 809 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251285; rev:1;) alert tcp $HOME_NET any -> [43.240.49.183] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251284; rev:1;) alert tcp $HOME_NET any -> [156.232.192.110] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251283; rev:1;) alert tcp $HOME_NET any -> [45.156.217.49] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251282; rev:1;) alert tcp $HOME_NET any -> [156.232.186.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251281; rev:1;) alert tcp $HOME_NET any -> [156.232.192.126] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251280/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251280; rev:1;) alert tcp $HOME_NET any -> [154.219.177.133] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251279; rev:1;) alert tcp $HOME_NET any -> [154.219.151.232] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251278; rev:1;) alert tcp $HOME_NET any -> [156.232.192.116] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251277; rev:1;) alert tcp $HOME_NET any -> [154.219.151.249] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251276; rev:1;) alert tcp $HOME_NET any -> [154.219.145.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251275; rev:1;) alert tcp $HOME_NET any -> [154.219.145.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251274; rev:1;) alert tcp $HOME_NET any -> [154.219.145.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251273; rev:1;) alert tcp $HOME_NET any -> [154.219.177.135] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251272; rev:1;) alert tcp $HOME_NET any -> [43.240.49.154] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251271; rev:1;) alert tcp $HOME_NET any -> [154.219.145.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251270; rev:1;) alert tcp $HOME_NET any -> [156.232.192.111] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251269/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251269; rev:1;) alert tcp $HOME_NET any -> [92.63.193.141] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gays.egorvlasov.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gays.egorvlasov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251266; rev:1;) alert tcp $HOME_NET any -> [154.219.145.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251265; rev:1;) alert tcp $HOME_NET any -> [156.232.192.105] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251264; rev:1;) alert tcp 
$HOME_NET any -> [154.219.177.147] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251263; rev:1;) alert tcp $HOME_NET any -> [154.219.151.230] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251262; rev:1;) alert tcp $HOME_NET any -> [154.219.177.137] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251261; rev:1;) alert tcp $HOME_NET any -> [154.219.145.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251260; rev:1;) alert tcp $HOME_NET any -> [43.240.49.141] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251259; rev:1;) alert tcp $HOME_NET any -> [43.240.49.176] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251258; rev:1;) alert tcp $HOME_NET any -> [154.219.163.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251257; rev:1;) alert tcp $HOME_NET any -> [43.240.48.126] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251256; rev:1;) alert tcp $HOME_NET any -> [154.219.177.150] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251255; rev:1;) alert tcp $HOME_NET any -> [43.240.49.184] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251254; rev:1;) alert tcp $HOME_NET any -> [45.156.217.12] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251253; rev:1;) alert tcp $HOME_NET any -> [154.219.151.248] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251252; rev:1;) alert tcp $HOME_NET any -> [154.219.164.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251251; rev:1;) alert tcp $HOME_NET any -> [154.219.154.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251250; rev:1;) alert tcp $HOME_NET any -> [45.156.217.42] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251249; rev:1;) alert tcp $HOME_NET any -> [43.240.49.132] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251248; rev:1;) alert tcp $HOME_NET any -> [156.232.186.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251247/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251247; rev:1;) alert tcp $HOME_NET any -> [156.232.186.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251246; rev:1;) alert tcp $HOME_NET any -> [154.219.163.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251245; rev:1;) alert tcp $HOME_NET any -> [154.219.154.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251244; rev:1;) alert tcp $HOME_NET any -> [156.232.186.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251243; rev:1;) alert tcp $HOME_NET any -> [43.240.49.147] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251242; rev:1;) alert tcp $HOME_NET any -> [154.219.145.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251241; rev:1;) alert tcp $HOME_NET any -> [43.240.48.71] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251240; rev:1;) alert tcp $HOME_NET any -> [154.219.145.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251239; rev:1;) alert tcp $HOME_NET any -> [154.219.151.247] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251238; rev:1;) alert tcp $HOME_NET any -> [156.232.186.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251237; rev:1;) alert tcp $HOME_NET any -> [154.219.145.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251236; rev:1;) alert tcp $HOME_NET any -> [154.219.154.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251235; rev:1;) alert tcp $HOME_NET any -> [156.232.186.208] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251234; rev:1;) alert tcp $HOME_NET any -> [154.219.145.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251233; rev:1;) alert tcp $HOME_NET any -> [154.219.154.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251232; rev:1;) alert tcp $HOME_NET any -> [154.219.177.151] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251231; rev:1;) alert tcp $HOME_NET any -> [43.240.49.145] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251230; rev:1;) alert tcp $HOME_NET any -> [154.219.154.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251229; rev:1;) alert tcp $HOME_NET any -> [154.219.154.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251228; rev:1;) alert tcp $HOME_NET any -> [154.219.151.254] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251227; rev:1;) alert tcp $HOME_NET any -> [154.219.154.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251225/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251225; rev:1;) alert tcp $HOME_NET any -> [43.240.48.98] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251224; rev:1;) alert tcp $HOME_NET any -> [154.219.177.138] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251223; rev:1;) alert tcp $HOME_NET any -> [156.232.186.207] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251222; rev:1;) alert tcp $HOME_NET any -> [154.219.154.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251221; rev:1;) alert tcp $HOME_NET any -> [154.219.145.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251220; rev:1;) alert tcp $HOME_NET any -> [156.232.186.209] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251219; rev:1;) alert tcp $HOME_NET any -> [154.219.154.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251218; rev:1;) alert tcp $HOME_NET any -> [154.219.145.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251217; rev:1;) alert tcp $HOME_NET any -> [156.232.192.98] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251216; rev:1;) alert tcp $HOME_NET any -> [154.219.145.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251215; rev:1;) alert tcp $HOME_NET any -> [154.219.151.226] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251214; rev:1;) alert tcp $HOME_NET any -> [154.219.177.136] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251213; rev:1;) alert tcp $HOME_NET any -> [43.240.49.135] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251212; rev:1;) alert tcp $HOME_NET any -> [156.232.192.114] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251211; rev:1;) alert tcp $HOME_NET any -> [154.219.145.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251210; rev:1;) alert tcp $HOME_NET any -> [154.219.177.144] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251209; rev:1;) alert tcp $HOME_NET any -> [154.219.163.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"161.35.168.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251207; rev:1;) alert tcp $HOME_NET any -> [156.232.192.123] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251206; rev:1;) alert tcp $HOME_NET any -> [154.219.154.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251205; rev:1;) alert tcp $HOME_NET any -> [43.240.49.185] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251204; rev:1;) alert tcp $HOME_NET any -> [156.232.192.102] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251203/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251203; rev:1;) alert tcp $HOME_NET any -> [45.156.217.5] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251202; rev:1;) alert tcp $HOME_NET any -> [154.219.177.154] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251201; rev:1;) alert tcp $HOME_NET any -> [43.240.48.83] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251200; rev:1;) alert tcp $HOME_NET any -> [156.232.186.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251199; rev:1;) alert tcp $HOME_NET any -> [45.156.217.37] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251198; rev:1;) alert tcp $HOME_NET any -> [154.219.151.229] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251197; rev:1;) alert tcp $HOME_NET any -> [154.219.154.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251196; rev:1;) alert tcp $HOME_NET any -> [154.219.177.158] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251195; rev:1;) alert tcp $HOME_NET any -> [154.219.177.146] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251194; rev:1;) alert tcp $HOME_NET any -> [43.240.49.177] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251193; rev:1;) alert tcp $HOME_NET any -> [154.219.145.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251190; rev:1;) alert tcp $HOME_NET any -> [154.219.145.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251189; rev:1;) alert tcp $HOME_NET any -> [154.219.151.244] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251188; rev:1;) alert tcp $HOME_NET any -> [156.232.186.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251187; rev:1;) alert tcp $HOME_NET any -> [43.240.49.163] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251186; rev:1;) alert tcp $HOME_NET any -> [156.232.192.106] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251185; rev:1;) alert tcp $HOME_NET any -> [154.219.177.141] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251158; rev:1;) alert tcp $HOME_NET any -> [154.219.145.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251183; rev:1;) alert tcp $HOME_NET any -> [156.232.186.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawapi.nekololis.ovh"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomhxhk.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251155/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.hxhk.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxhk.cc"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251151; rev:1;) alert tcp $HOME_NET any -> [77.73.68.225] 1688 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251147; rev:1;) alert tcp $HOME_NET any -> [193.35.18.62] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251149; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251138; rev:1;) alert tcp $HOME_NET any -> [147.78.103.94] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251140/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251140; rev:1;) alert tcp $HOME_NET any -> [197.253.114.16] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251137; rev:1;) alert tcp $HOME_NET any -> [177.165.108.44] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251139; rev:1;) alert 
tcp $HOME_NET any -> [162.20.184.46] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251136/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251136; rev:1;) alert tcp $HOME_NET any -> [154.219.151.240] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251181; rev:1;) alert tcp $HOME_NET any -> [193.35.18.56] 65490 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251115; rev:1;) alert tcp $HOME_NET any -> [45.13.226.34] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251123; rev:1;) alert tcp $HOME_NET any -> [185.117.3.184] 3569 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251124; rev:1;) alert tcp $HOME_NET any -> [34.125.17.32] 6668 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251125/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251125; rev:1;) alert tcp $HOME_NET any -> [213.129.216.207] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251126; rev:1;) alert tcp $HOME_NET any -> [93.123.85.73] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251127; rev:1;) alert tcp $HOME_NET any -> [67.217.60.78] 7854 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251128; rev:1;) alert tcp $HOME_NET any -> [118.227.92.21] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251129; rev:1;) alert tcp $HOME_NET any -> [185.196.8.213] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"jhbaghjbasdg.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.nekololis.ovh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subphattai.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.35.249.113"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt.zua6.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.173.178.208"; depth:15; nocase; 
reference:url, threatfox.abuse.ch/ioc/1251163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bt.zoml.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw1.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw.anti-ddos.io.vn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anti-ddos.io.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mainnetwork.sysromeu.eu.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdh32fsdfhs.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251171; rev:1;) alert tcp $HOME_NET any -> [156.232.192.125] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251180; rev:1;) alert tcp $HOME_NET any -> [154.219.154.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251179; rev:1;) alert tcp $HOME_NET any -> [154.219.164.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251178; rev:1;) alert tcp $HOME_NET any -> [43.240.49.140] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251177; rev:1;) alert tcp $HOME_NET any -> [154.219.145.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251176; rev:1;) alert tcp $HOME_NET any -> [154.219.177.140] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251175; rev:1;) alert tcp $HOME_NET any -> [154.219.145.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251174; rev:1;) alert tcp $HOME_NET any -> [156.232.186.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sares.xyz"; depth:9; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1251146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.125.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251144; rev:1;) alert tcp $HOME_NET any -> [49.13.125.250] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251142; rev:1;) alert tcp $HOME_NET any -> [159.69.102.165] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sares.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251141/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blogs/skinny/bleat/index.php"; depth:29; nocase; http.host; content:"gammaproject.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251135/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/posting/index.php"; depth:36; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic/link/posting/index.php"; depth:31; nocase; http.host; content:"muagol.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251133; rev:1;) alert tcp $HOME_NET any -> [121.40.119.94] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251130; rev:1;) alert tcp $HOME_NET any -> [95.216.41.236] 50500 (msg:"ThreatFox RisePro botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251122; rev:1;) alert tcp $HOME_NET any -> [86.106.20.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251121; rev:1;) alert tcp $HOME_NET any -> [47.99.177.59] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"somakop.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dumingas.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iseberkis.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251118/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"musarno.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251119; rev:1;) alert tcp $HOME_NET any -> [95.214.53.95] 57896 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250910; rev:1;) alert tcp $HOME_NET any -> [69.53.121.162] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250908; rev:1;) alert tcp $HOME_NET any -> [90.62.10.177] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250909; rev:1;) alert tcp $HOME_NET any -> [46.39.224.38] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250906; rev:1;) alert tcp $HOME_NET any -> [47.97.41.73] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250907; rev:1;) alert tcp $HOME_NET any -> [1.9.177.252] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250904; rev:1;) alert tcp $HOME_NET any -> [5.102.157.70] 4872 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250905; rev:1;) alert tcp $HOME_NET any -> [101.43.109.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250894; rev:1;) alert tcp $HOME_NET any -> [106.53.213.253] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250895; rev:1;) alert tcp $HOME_NET any -> [62.234.55.243] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; 
sid:91250896; rev:1;) alert tcp $HOME_NET any -> [81.71.153.127] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250897; rev:1;) alert tcp $HOME_NET any -> [101.34.93.112] 40045 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250898; rev:1;) alert tcp $HOME_NET any -> [192.227.177.214] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250899; rev:1;) alert tcp $HOME_NET any -> [172.214.98.73] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250900; rev:1;) alert tcp $HOME_NET any -> [170.130.55.130] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250901; rev:1;) alert tcp $HOME_NET any -> [82.156.211.202] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250902; rev:1;) alert tcp $HOME_NET any -> [80.77.23.102] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250903; rev:1;) alert tcp $HOME_NET any -> [43.139.21.199] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250892; rev:1;) alert tcp $HOME_NET any -> [43.143.112.156] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250893; rev:1;) alert tcp $HOME_NET any -> [1.13.169.95] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250891; rev:1;) alert tcp $HOME_NET any -> [119.29.238.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250890; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 
84 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250888; rev:1;) alert tcp $HOME_NET any -> [106.55.225.79] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250889; rev:1;) alert tcp $HOME_NET any -> [124.220.148.63] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250885; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250886; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250887; rev:1;) alert tcp $HOME_NET any -> [123.60.79.118] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250882/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250882; rev:1;) alert tcp $HOME_NET any -> [1.94.132.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250883; rev:1;) alert tcp $HOME_NET any -> [212.129.223.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250884; rev:1;) alert tcp $HOME_NET any -> [139.9.193.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250881; rev:1;) alert tcp $HOME_NET any -> [93.123.39.57] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250966; rev:1;) alert tcp $HOME_NET any -> [45.67.230.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250965; rev:1;) alert tcp $HOME_NET any -> [185.216.70.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250964; rev:1;) alert tcp $HOME_NET any -> [124.13.185.107] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250911; rev:1;) alert tcp $HOME_NET any -> [124.223.48.86] 4285 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250912; rev:1;) alert tcp $HOME_NET any -> [161.97.162.173] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250913; rev:1;) alert tcp $HOME_NET any -> [172.111.148.62] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250914; rev:1;) alert tcp $HOME_NET any -> [172.111.148.69] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250915; rev:1;) alert tcp $HOME_NET any -> [184.107.123.217] 1990 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250916; rev:1;) alert tcp $HOME_NET any -> [189.78.187.139] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250917; rev:1;) alert tcp $HOME_NET any -> [191.82.209.29] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250918; rev:1;) alert tcp $HOME_NET any -> [198.167.201.212] 19132 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250919; rev:1;) alert tcp $HOME_NET any -> [43.129.74.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250963; rev:1;) alert tcp $HOME_NET any -> [1.92.98.76] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm"; depth:17; nocase; http.host; content:"kamalankaranda.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250853; rev:1;) alert tcp $HOME_NET any -> [104.194.9.116] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kanardansaydan1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"sayankarakam2.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odlimzblmgq5oguz/"; depth:18; nocase; http.host; content:"prizurisaby.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kamanbarsayan.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odlimzblmgq5oguz/"; depth:18; nocase; http.host; content:"iakyanalica.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250848; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250847; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"zero.bbxstresser.cloud"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1250837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cnc.bbxstresser.cloud"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1250838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"api.ngocphong.space"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1250839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"stress.ngocphong.space"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1250840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ramagans.id"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1250841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.211"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.223"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.226"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.228"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250845; rev:1;) alert tcp $HOME_NET any -> [107.175.35.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250962; rev:1;) alert tcp $HOME_NET any -> 
[38.6.190.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secure01-redirect.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250599/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servicehelper.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250594; rev:1;) alert tcp $HOME_NET any -> [34.162.170.92] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amandaxthomas.dyn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cynthiaoperez.geek"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wowyoursocute.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peterhware.dyn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sydneyrmartinez.geek"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashleyobyrd.oss"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richardpjones.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250588/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luiseryan.oss"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robertmlewis.dyn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliciacmorton.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailbot.geek"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jiggaboo.oss"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimberlyngomez.geek"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoursocuteong.dyn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brianystafford.geek"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfdopospdofpsdo.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.226"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haytoplokezdolezdominec.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hakolgemezedod.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250921; rev:1;) alert tcp $HOME_NET any -> [104.21.50.30] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250927; rev:1;) alert tcp $HOME_NET any -> [46.246.82.4] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250960; rev:1;) alert tcp $HOME_NET any -> [72.27.97.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250959; rev:1;) alert tcp $HOME_NET any -> [41.97.143.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1250958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250958; rev:1;) alert tcp $HOME_NET any -> [64.227.25.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250957; rev:1;) alert tcp $HOME_NET any -> [101.33.35.171] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250956; rev:1;) alert tcp $HOME_NET any -> [52.173.131.28] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250955; rev:1;) alert tcp $HOME_NET any -> [192.52.166.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webstat.page"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softkey.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetapp.page"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8polldbvoiddb/datalifeflowerwp/processbasemariadb1/defaultbigloadpython/generator/videolowupdatedbasync.php"; depth:108; nocase; http.host; content:"89.23.98.225"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250931; rev:1;) alert tcp $HOME_NET any -> [119.91.209.244] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250930/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250930; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250929; rev:1;) alert tcp $HOME_NET any -> [39.100.86.42] 4443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spencerstuartllc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250926; rev:1;) alert tcp $HOME_NET any -> [160.176.152.91] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/fre.php"; depth:22; nocase; http.host; content:"spencerstuartllc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250924; rev:1;) alert tcp $HOME_NET any -> [41.216.183.150] 32356 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ct22043.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250922; rev:1;) alert tcp $HOME_NET any -> [154.219.151.242] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250880; rev:1;) alert tcp $HOME_NET any -> [45.156.217.3] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250878; rev:1;) alert tcp $HOME_NET any -> [91.92.243.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"91.92.243.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250876; rev:1;) alert tcp $HOME_NET any -> [45.156.217.25] 809 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250875; rev:1;) alert tcp $HOME_NET any -> [45.156.217.29] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250874; rev:1;) alert tcp $HOME_NET any -> [43.240.48.84] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250873; rev:1;) alert tcp $HOME_NET any -> [154.219.164.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250872; rev:1;) alert tcp $HOME_NET any -> [43.240.49.146] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250871; rev:1;) alert tcp $HOME_NET any -> [45.156.217.21] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250870/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250870; rev:1;) alert tcp $HOME_NET any -> [120.46.152.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250869; rev:1;) alert tcp $HOME_NET any -> [45.156.217.47] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~zadmin/ptr5/mono.php"; depth:22; nocase; http.host; content:"31.220.1.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e64f36763e423a50.php"; depth:21; nocase; http.host; content:"193.233.132.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250865; rev:1;) alert tcp $HOME_NET any -> [188.120.248.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250864/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250864; rev:1;) alert tcp $HOME_NET any -> [139.180.218.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250863; rev:1;) alert tcp $HOME_NET any -> [202.182.107.193] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250862; rev:1;) alert tcp $HOME_NET any -> [39.101.70.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250861; rev:1;) alert tcp $HOME_NET any -> [70.31.125.206] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250860; rev:1;) alert tcp $HOME_NET any -> [184.20.220.17] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250859; rev:1;) alert tcp $HOME_NET any -> [3.86.233.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250858; rev:1;) alert tcp $HOME_NET any -> [92.116.36.212] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250857; rev:1;) alert tcp $HOME_NET any -> [192.121.162.196] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250856; rev:1;) alert tcp $HOME_NET any -> [151.236.16.211] 33367 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250855; rev:1;) alert tcp $HOME_NET any -> [64.176.80.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cowspidzu.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250835; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"muratinue.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"certifacto.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bladisuka.red"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250833; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250832; rev:1;) alert tcp $HOME_NET any -> [185.196.11.223] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
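content:"141.98.7.228"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250574; rev:1;)
#
# --- Review notes for the 2024-03-28 batch (sids 91250575 .. 91250621) ---
#
# Layout: this section had several rules folded onto each physical line, with rules cut
# mid-keyword at the line breaks. Suricata parses one rule per line (no continuation
# without a trailing backslash), so it was restored to one rule per line; rule text is
# otherwise unchanged except where a comment below says so.
#
# ip:port rules: no "flow" keyword, so the first packet toward the C2 (the SYN) already
# alerts - useful when egress is blocked and the session never completes. "threshold:
# type limit, track by_src, seconds 60, count 1" caps that at one alert per source
# host per minute. Because they match any TCP traffic to the address, an indicator that
# sits on shared/cloud infrastructure will also flag benign traffic; check the
# reference URL before turning any of these into a drop rule.
#
# url rules: the http.uri match is a prefix match (depth equals the pattern length and
# there is no isdataat after it), so "/ca" also matches "/cart"; the exact http.host
# match (depth = length, isdataat:!1,relative) is what keeps these rules specific.
#
# Age: all of these carry first_seen 2024_03_28. ip:port C2 indicators are short-lived;
# review them when re-deploying this file rather than carrying them forward unchanged.
#
# Local fix (sids 91250575, 91250576): the feed placed a bare hostname in the http.uri
# buffer anchored at offset 0 ("content:...; depth:<len>"). A normalized request URI
# begins with "/" (or a scheme in absolute form), so as written those two rules could not
# fire. This looks like a URL IOC submitted without a scheme, so the whole value was
# parsed as a path - confirm against the reference URL. The hostname was moved into the
# http.host buffer (lower-cased by Suricata, so no nocase) and rev was bumped to 2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bbxstresser.llc"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250575; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"brebes-bx.id"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250576; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpipepythongeoupdatebigloaddownloads.php"; depth:48; nocase; http.host; content:"opratio.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"122.112.192.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250611; rev:1;)
alert tcp $HOME_NET any -> [122.51.7.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250610; rev:1;)
# 91250608/91250609: same hostname matched in HTTP Host and in DNS. It is a cloud
# API-gateway subdomain; tenancy on such platforms can change, so re-check before blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ps16whvt-1304800271.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ps16whvt-1304800271.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250607; rev:1;)
# 91250605 + 91250606, 91250603 + 91250604, 91250529 + 91250530: URL and ip:port rules for
# the same host; the ip:port rule names the family (Cobalt Strike), the URL rule does not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/socialapiversion=1.1"; depth:21; nocase; http.host; content:"43.134.228.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250605; rev:1;)
alert tcp $HOME_NET any -> [43.134.228.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.133.238.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250603; rev:1;)
alert tcp $HOME_NET any -> [45.133.238.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"5.161.242.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250602; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.205.246.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"59.110.172.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250595; rev:1;)
# Cobalt Strike ip:port block: many adjacent addresses in the same /24s (43.240.48.x,
# 43.240.49.x, 45.156.217.x, 154.219.163.x, 154.219.164.x, 120.89.71.x) on ports 808/809.
# Kept one rule per IOC so each sid stays traceable to its ThreatFox reference; if rule
# count matters, these are candidates for one rule over an address list or dataset.
alert tcp $HOME_NET any -> [45.156.217.43] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250573; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250572; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.102] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250571; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.35] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250570; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.70] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250569; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250568; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.60] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250567; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250566; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250565; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.24] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250564; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.202] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250563; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.26] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250562; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.90] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250561; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250560; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.61] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250559; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.59] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250558; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250557; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.94] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250556; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.106] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250555; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.16] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250554; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.72] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250553; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.189] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250552; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250551; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.207] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250550; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250549; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.153] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250548; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.19] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250547; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250546; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250545; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.51] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250544; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.246] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250543; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.36] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250542; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.139] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250541; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250540; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.110] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250539; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.136] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250538; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.187] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250537; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.172] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250536; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.242] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250535; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.46] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250534; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.7] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250533; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.120] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250532; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.85] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250531; rev:1;)
alert tcp $HOME_NET any -> [82.156.224.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user"; depth:5; nocase; http.host; content:"82.156.224.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250529; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.174] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250528; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.165] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250527; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.82] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250526; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.74] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250525; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.114] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250524; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.175] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250523; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.14] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250522; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.78] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250521; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.17] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250520; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.143] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250519; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250518; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.100] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250517; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.243] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250516; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.13] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250515; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.181] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250514; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.105] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250513; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250512; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.133] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250511; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.68] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250510; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.162] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250509; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.76] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.53.213.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250507; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250506; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.39] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250505; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.178] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250504; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.79] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250503; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250502; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.95] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250501; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.52] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250500; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.230] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250499; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.208] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250498; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250497; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.130] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250496; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.157] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250495; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.87] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250494; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.155] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250493; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.40] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250492; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.50] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250491; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.123] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250490; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.156] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250489; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.32] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250488; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.4] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250487; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.92] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250486; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.113] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250485; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.245] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250484; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.167] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250483; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.131] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250482; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.244] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250481; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.166] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250480; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.116] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 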
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250479; rev:1;) alert tcp $HOME_NET any -> [43.240.48.75] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250478; rev:1;) alert tcp $HOME_NET any -> [154.219.163.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250477; rev:1;) alert tcp $HOME_NET any -> [43.240.49.151] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250476; rev:1;) alert tcp $HOME_NET any -> [43.240.49.169] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250475; rev:1;) alert tcp $HOME_NET any -> [154.219.163.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250474; rev:1;) alert tcp 
$HOME_NET any -> [43.240.48.101] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250473; rev:1;) alert tcp $HOME_NET any -> [43.240.49.137] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250472; rev:1;) alert tcp $HOME_NET any -> [45.156.217.38] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250471; rev:1;) alert tcp $HOME_NET any -> [43.240.49.160] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250470; rev:1;) alert tcp $HOME_NET any -> [154.216.54.240] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250469; rev:1;) alert tcp $HOME_NET any -> [43.240.49.190] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250468; rev:1;) alert tcp $HOME_NET any -> [45.156.217.41] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250467; rev:1;) alert tcp $HOME_NET any -> [45.156.217.48] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250466; rev:1;) alert tcp $HOME_NET any -> [154.219.164.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250465; rev:1;) alert tcp $HOME_NET any -> [154.219.164.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250464; rev:1;) alert tcp $HOME_NET any -> [154.219.163.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250463; rev:1;) alert tcp $HOME_NET any -> [43.240.49.138] 809 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250462; rev:1;) alert tcp $HOME_NET any -> [43.240.49.142] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250461; rev:1;) alert tcp $HOME_NET any -> [154.219.164.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250460; rev:1;) alert tcp $HOME_NET any -> [43.240.49.173] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250459; rev:1;) alert tcp $HOME_NET any -> [43.240.49.134] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250458; rev:1;) alert tcp $HOME_NET any -> [43.240.49.144] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250457/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250457; rev:1;) alert tcp $HOME_NET any -> [43.240.48.118] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250456; rev:1;) alert tcp $HOME_NET any -> [43.240.48.122] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250455; rev:1;) alert tcp $HOME_NET any -> [43.240.48.112] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250454; rev:1;) alert tcp $HOME_NET any -> [43.240.48.86] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250453; rev:1;) alert tcp $HOME_NET any -> [45.156.217.8] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250452; rev:1;) alert tcp $HOME_NET any -> [45.156.217.20] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250451; rev:1;) alert tcp $HOME_NET any -> [45.156.217.10] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250450; rev:1;) alert tcp $HOME_NET any -> [154.219.164.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250449; rev:1;) alert tcp $HOME_NET any -> [154.219.163.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250448; rev:1;) alert tcp $HOME_NET any -> [154.219.163.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250447; rev:1;) alert tcp $HOME_NET any -> [45.156.217.23] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250446; rev:1;) alert tcp $HOME_NET any -> [45.156.217.15] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250445; rev:1;) alert tcp $HOME_NET any -> [43.240.49.179] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250444; rev:1;) alert tcp $HOME_NET any -> [43.240.49.170] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250443; rev:1;) alert tcp $HOME_NET any -> [43.240.48.119] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250442; rev:1;) alert tcp $HOME_NET any -> [45.156.217.54] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250441; rev:1;) alert tcp $HOME_NET any -> [43.240.49.159] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250440; rev:1;) alert tcp $HOME_NET any -> [154.219.163.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250439; rev:1;) alert tcp $HOME_NET any -> [43.240.49.158] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250438; rev:1;) alert tcp $HOME_NET any -> [45.156.217.34] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250437; rev:1;) alert tcp $HOME_NET any -> [45.156.217.22] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250436; rev:1;) alert tcp $HOME_NET any -> [43.240.48.109] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250435; rev:1;) alert tcp 
$HOME_NET any -> [43.240.49.182] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250434; rev:1;) alert tcp $HOME_NET any -> [154.216.54.232] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250433; rev:1;) alert tcp $HOME_NET any -> [45.156.217.58] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250432; rev:1;) alert tcp $HOME_NET any -> [43.240.48.117] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250431; rev:1;) alert tcp $HOME_NET any -> [43.240.49.148] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250430; rev:1;) alert tcp $HOME_NET any -> [154.219.164.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250429; rev:1;) alert tcp $HOME_NET any -> [45.156.217.55] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250428; rev:1;) alert tcp $HOME_NET any -> [45.156.217.57] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250427; rev:1;) alert tcp $HOME_NET any -> [43.240.48.77] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250426; rev:1;) alert tcp $HOME_NET any -> [45.156.217.18] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250425; rev:1;) alert tcp $HOME_NET any -> [43.240.48.125] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250424; rev:1;) alert tcp $HOME_NET any -> [43.240.49.150] 809 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250423; rev:1;) alert tcp $HOME_NET any -> [45.156.217.28] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250422; rev:1;) alert tcp $HOME_NET any -> [43.240.49.186] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250421; rev:1;) alert tcp $HOME_NET any -> [43.240.49.161] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250420; rev:1;) alert tcp $HOME_NET any -> [43.240.49.152] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250419; rev:1;) alert tcp $HOME_NET any -> [154.219.163.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250418/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250418; rev:1;) alert tcp $HOME_NET any -> [45.156.217.33] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250417; rev:1;) alert tcp $HOME_NET any -> [43.240.48.80] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250416; rev:1;) alert tcp $HOME_NET any -> [43.240.48.99] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250415; rev:1;) alert tcp $HOME_NET any -> [43.240.48.89] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250414; rev:1;) alert tcp $HOME_NET any -> [45.156.217.53] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250413; rev:1;) alert tcp $HOME_NET any -> [43.240.48.93] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250412; rev:1;) alert tcp $HOME_NET any -> [45.156.217.31] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250411; rev:1;) alert tcp $HOME_NET any -> [45.156.217.11] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250410; rev:1;) alert tcp $HOME_NET any -> [154.219.164.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250409; rev:1;) alert tcp $HOME_NET any -> [43.240.48.73] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250408; rev:1;) alert tcp $HOME_NET any -> [45.156.217.44] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; 
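sid:91250407; rev:1;)
# --- Reviewer notes on this section of the ThreatFox feed ---
# Suricata's rule loader expects exactly one rule per line. This listing had several rules
# collapsed onto each physical line and rules split across line breaks, so the section is
# re-flowed below to one rule per line; the rule text itself (sid, content, metadata) is
# left byte-for-byte as generated. sid = "9" + ThreatFox IOC id; reference:url is that IOC.
#
# ip:port rules carry no flow or content keyword: any TCP segment from $HOME_NET toward the
# listed IP:port fires, including a bare SYN from a scanner or a connection the firewall later
# drops. "threshold: type limit, track by_src, seconds 60, count 1" caps each rule at one
# alert per internal source per 60 s (per rule, not per destination IP); target:src_ip marks
# the internal host as the affected side. If SYN-only noise matters, these could be narrowed
# with "flow:established,to_server;" (bump rev), at the cost of missing blocked attempts.
#
# IP-only indicators go stale; every entry here has first_seen 2024_03_28, and several of the
# 443/tcp ones sit on what appear to be shared hosting/cloud ranges (TODO confirm before
# blocking rather than alerting). confidence_level is repeated in metadata so the 50% entries
# further down can be routed to hunting instead of blocking.
alert tcp $HOME_NET any -> [45.156.217.6] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250406; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.56] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250405; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.107] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250404; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.108] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250403; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250402; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.91] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250401; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.180] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250400; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.45] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250399; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.222] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250398; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.62] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250397; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.96] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250396; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.209] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250395; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.30] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250394; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.168] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250393; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.171] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250392; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.88] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250391; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.215] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250390; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250389; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250388; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.233] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250387; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250386; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250385; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.149] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250384; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.115] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250383; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.81] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250382; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.104] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250381; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.164] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250380; rev:1;)
alert tcp $HOME_NET any -> [154.219.163.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250379; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.214] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250378; rev:1;)
alert tcp $HOME_NET any -> [120.89.71.243] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250377; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250376; rev:1;)
alert tcp $HOME_NET any -> [45.156.217.27] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250375; rev:1;)
alert tcp $HOME_NET any -> [5.188.88.177] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250374; rev:1;)
# The two entries below are the only ones in this section tagged at 75% confidence.
alert tcp $HOME_NET any -> [15.204.223.49] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250372; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.8] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250373; rev:1;)
# DanaBot entries are all 443/tcp with no payload match (the traffic is TLS, so none is
# possible in this rule shape); any client on $HOME_NET reaching these IPs on 443 fires.
alert tcp $HOME_NET any -> [34.168.202.91] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250371; rev:1;)
# url rules: http.uri is anchored with depth = content length, and http.host is anchored the same
# way plus "isdataat:!1,relative", so the Host header must equal the listed value exactly (no
# "www." variant, no different spelling). flow:established,from_client limits them to client
# requests on a completed handshake, unlike the ip:port rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localtestgeo/flower20flower/_packetwindowsvm/httpasyncbetterpacket/1/windows87downloads/temporarytraffic82/uploads/serverasyncvideoserver/geo/7/lowasyncserver/traffic66db/python/to/protonprivate3/gamegenerator/datalifedle/secure/topollhttpgeosqltestuniversaltempdownloads.php"; depth:276; nocase; http.host; content:"80.66.84.71"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250370; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.219] 4040 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250369; rev:1;)
alert tcp $HOME_NET any -> [35.243.180.101] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250368; rev:1;)
alert tcp $HOME_NET any -> [34.77.22.163] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250367; rev:1;)
alert tcp $HOME_NET any -> [8.222.178.224] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250366; rev:1;)
alert tcp $HOME_NET any -> [34.22.151.45] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baseuniversaluploads.php"; depth:25; nocase; http.host; content:"531995cl.nyashtop.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250364; rev:1;)
# 50% confidence from here to the Deimos entries (metadata confidence_level 50): these are
# hunting-grade, and the ip:port ones still fire on a single SYN. Consider alert-only handling.
alert tcp $HOME_NET any -> [79.133.51.234] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250363; rev:1;)
alert tcp $HOME_NET any -> [54.248.193.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250362; rev:1;)
alert tcp $HOME_NET any -> [101.32.37.92] 65532 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250361; rev:1;)
alert tcp $HOME_NET any -> [142.171.62.107] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250360; rev:1;)
alert tcp $HOME_NET any -> [34.92.107.200] 8012 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250359; rev:1;)
alert tcp $HOME_NET any -> [41.96.114.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250358; rev:1;)
alert tcp $HOME_NET any -> [76.19.90.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250357; rev:1;)
# domain rule: dns_query with depth 16 + "isdataat:!1,relative" is an exact (case-insensitive)
# match on the queried name, so a lookup for a subdomain of gammaproject.dev does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gammaproject.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250356; rev:1;)
alert tcp $HOME_NET any -> [77.232.143.114] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250355; rev:1;)
alert tcp $HOME_NET any -> [185.94.165.191] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250354; rev:1;)
alert tcp $HOME_NET any -> [81.43.22.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250353; rev:1;)
alert tcp $HOME_NET any -> [43.198.243.210] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250352; rev:1;)
alert tcp $HOME_NET any -> [172.218.112.83] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250351; rev:1;)
# The 18 "payload delivery" rules below share one URI, /xmlrpc.php (the stock WordPress XML-RPC
# endpoint), on 18 different hosts that read as ordinary websites, presumably compromised
# (not established from this file). Any client on $HOME_NET issuing a legitimate GET /xmlrpc.php
# to one of these hosts raises the same alert, and the indicator stops being useful once the
# site is cleaned, so review first_seen before treating a hit as an infection. Host match is
# exact: the bare domain and its www. form are separate entries where both were reported.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bulaintel.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bsdeboomgaard.be"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kayoanime.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.althaus-innenausbau.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"growthworks.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"taronews.tw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"outdoorgearshub.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mcintoshdaily.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"buckcenter.edu.ec"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ffteducationdatalab.org.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cuinescalaf.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cityhomesedmonton.ca"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aurory.io"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wildundhund.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"convertkit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"celeritastransporte.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"overbeekphotos.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cumm.co.uk"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250329; rev:1;)
# DarkComet: 187.135.93.207 is listed on 14 ports and 187.135.117.144 on 9, one rule each.
# threshold is per rule, so a single infected host that cycles ports can raise up to one alert
# per port per 60 s. Correlate on the destination IP rather than on the sid when triaging.
alert tcp $HOME_NET any -> [187.135.93.207] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250307; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250308; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250309; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250310; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250311; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250312; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250313; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250314; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250315; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2174 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250316; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250317; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250306; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250305; rev:1;)
alert tcp $HOME_NET any -> [187.135.93.207] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250304; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250303; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2188 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250302; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250301; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250300; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250299; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250298; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250297; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250296; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250295; rev:1;)
alert tcp $HOME_NET any -> [43.138.0.70] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250292; rev:1;)
alert tcp $HOME_NET any -> [43.139.101.86] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250291; rev:1;)
# Cobalt Strike on 80/tcp below: port 80 is plain HTTP, so ordinary web traffic to these IPs
# (or anything on $HOME_NET that merely probes them) fires; no beacon-profile content is matched.
alert tcp $HOME_NET any -> [49.235.174.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250290; rev:1;)
alert tcp $HOME_NET any -> [101.43.164.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250289; rev:1;)
alert tcp $HOME_NET any -> [124.220.80.206] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250288; rev:1;)
alert tcp $HOME_NET any -> [150.158.19.54] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250287; rev:1;)
alert tcp $HOME_NET any -> [159.75.80.31] 6699 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250286; rev:1;)
alert tcp $HOME_NET any -> [38.180.92.22] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250285; rev:1;)
alert tcp $HOME_NET any -> [89.163.221.180] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250284; rev:1;)
alert tcp $HOME_NET any -> [89.163.221.180] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250283; rev:1;)
alert tcp $HOME_NET any -> [104.243.37.110] 6667 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250282; rev:1;)
alert tcp $HOME_NET any -> [109.199.120.42] 2023 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250281; rev:1;)
alert tcp $HOME_NET any -> [128.90.122.170] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250280; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.124] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250279; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.124] 8714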
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250278; rev:1;) alert tcp $HOME_NET any -> [172.94.9.23] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250274; rev:1;) alert tcp $HOME_NET any -> [172.94.125.164] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250262; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 54056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"results-outdoors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"mangacrab.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"catherinefoundation.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kinosait24.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"theyogainstitute.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bodylift.si"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250324/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_28; classtype:trojan-activity; sid:91250324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"digitalmarketingcompany.me"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prozhedownload.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"telegramguru.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"matchtime.co"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.215.113.32"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1250318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.132.56"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1250319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250319; rev:1;) alert tcp $HOME_NET any -> [194.156.90.112] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250261; rev:1;) alert tcp $HOME_NET any -> [206.123.132.165] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250260; rev:1;) alert tcp $HOME_NET any -> [38.180.121.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/attachments/1222548548235558974/1222550773380943902/mauqes.rar"; depth:63; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250233; rev:1;) alert tcp $HOME_NET any -> [45.145.42.90] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250347; rev:1;) alert tcp $HOME_NET any -> [154.216.54.250] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250277; rev:1;) alert tcp $HOME_NET any -> 
[154.216.54.239] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250276; rev:1;) alert tcp $HOME_NET any -> [154.216.54.247] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"154.12.29.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250273; rev:1;) alert tcp $HOME_NET any -> [154.216.54.211] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250272; rev:1;) alert tcp $HOME_NET any -> [154.216.54.216] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250271; rev:1;) alert tcp $HOME_NET any -> [154.216.54.237] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250270; rev:1;) alert tcp $HOME_NET any -> [154.216.54.228] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250269; rev:1;) alert tcp $HOME_NET any -> [154.216.54.254] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250267; rev:1;) alert tcp $HOME_NET any -> [154.216.54.198] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250266; rev:1;) alert tcp $HOME_NET any -> [154.216.54.194] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250265/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250265; rev:1;) alert tcp $HOME_NET any -> [154.216.54.238] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250264; rev:1;) alert tcp $HOME_NET any -> [154.216.54.231] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250263; rev:1;) alert tcp $HOME_NET any -> [5.75.211.135] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250255; rev:1;) alert tcp $HOME_NET any -> [88.99.122.130] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250256; rev:1;) alert tcp $HOME_NET any -> [95.217.31.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250257; rev:1;) alert tcp $HOME_NET any -> [80.66.84.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alexanderalbie.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250252; rev:1;) alert tcp $HOME_NET any -> [88.99.122.130] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250253; rev:1;) alert tcp $HOME_NET any -> [78.46.229.36] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"suggst.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"hepialid.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pvasms.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alexanderarthur.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.66.84.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91250246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.122.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.229.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sa9ok"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199658817715"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexanderarthur.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvasms.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hepialid.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"suggst.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexanderalbie.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0934723.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250232; rev:1;) alert tcp $HOME_NET any -> [88.119.175.92] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250231; rev:1;) alert tcp $HOME_NET any -> [88.119.175.92] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250230; rev:1;) alert tcp $HOME_NET any -> [20.2.234.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250229; rev:1;) alert tcp $HOME_NET any -> [20.199.87.153] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250228; rev:1;) alert tcp $HOME_NET any -> [154.247.228.146] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250227; rev:1;) alert tcp $HOME_NET any -> [78.168.3.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250226; rev:1;) alert tcp $HOME_NET any -> [194.67.103.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250225; rev:1;) alert tcp $HOME_NET any -> [54.84.224.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250224; rev:1;) alert tcp $HOME_NET any -> [77.232.143.114] 443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250223; rev:1;) alert tcp $HOME_NET any -> [92.116.37.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250222; rev:1;) alert tcp $HOME_NET any -> [64.23.140.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250221; rev:1;) alert tcp $HOME_NET any -> [192.64.86.243] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250220; rev:1;) alert tcp $HOME_NET any -> [87.120.204.101] 16053 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250219; rev:1;) alert tcp $HOME_NET any -> [185.130.45.147] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250218; 
rev:1;) alert tcp $HOME_NET any -> [185.130.45.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prior-gently.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250216; rev:1;) alert tcp $HOME_NET any -> [91.92.252.225] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250213; rev:1;) alert tcp $HOME_NET any -> [91.92.252.224] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250214; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 5585 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-aws-amazon.nbcnews.site"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm.css"; depth:7; nocase; http.host; content:"cdn-aws-amazon.nbcnews.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.221.17.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; 
sid:91250208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.207.178.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.assamjatiyabidyalay.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"designtoolsnetwork.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vsenews.kr.ua"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"compose.ly"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gridlocktable.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wlmedia.co.uk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"animalvictory.org"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1250192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"brokensilenze.one"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hidethatfat.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"timesit.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amittiwari.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250196; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"abumarketrc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.dizikonusu.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"astrolady.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"phongthuyphunggia.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ryver.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smokeshopdelivers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hmidarjeeling.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"titikdua.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.feekstokandy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91250160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.nemchaprues.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.fustindor.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trondisaup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trentimarsop.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.carsruitkan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"www.boskajean.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.triopahom.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.illboardinj.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.transautomanf.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.minesotkarpid.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250170/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.dionaolesjob.com"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.skansnekssky.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.kevinbrawiewu.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.troffyfrutlot.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.skazifrant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.neelsmagofter.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250176/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.qtargumanikar.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250177/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.strastkamenhoop.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250178/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.lergochatep.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250179/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.clainsrimauto.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250180/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.kaspimension.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250181/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250181; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.askamoshopsi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250182/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.majzolimka.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250183/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.spakernakurs.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adobeshare.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250185/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adobeshare.blog"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250186; rev:1;) alert tcp $HOME_NET any -> [216.250.253.35] 2356 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250159; rev:1;) alert tcp $HOME_NET any -> [5.42.65.0] 29587 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soneypaly.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250157; rev:1;) alert tcp $HOME_NET any -> [51.77.167.59] 5951 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250128; rev:1;) alert tcp $HOME_NET any -> [185.130.46.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.207.178.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249911/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249911; rev:1;) alert tcp $HOME_NET any -> [114.115.157.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"114.115.157.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.buidu.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.buidu.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; 
content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"38.47.101.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249904; rev:1;) alert tcp $HOME_NET any -> [38.47.101.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.207.178.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249903; rev:1;) alert tcp $HOME_NET any -> [185.130.46.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"tools.trtyr.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tools.trtyr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.130.43.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"43.142.183.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249897/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_27; classtype:trojan-activity; sid:91249897; rev:1;) alert tcp $HOME_NET any -> [45.207.58.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nimappche.buzz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nimappche.buzz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/collector/2.0/settings/"; depth:24; nocase; http.host; content:"endpointinfrart.azureedge.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endpointinfrart.azureedge.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1249893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.205.246.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariyel-therapy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/693775226584039476/1222130104944033792/mariyeltherapy_launcher.exe"; depth:79; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"camps.topgunnbaseball.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249886; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"146.19.254.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249887; rev:1;) alert tcp $HOME_NET any -> [103.153.69.114] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249881; rev:1;) alert tcp $HOME_NET any -> [103.188.244.189] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249882; rev:1;) alert tcp $HOME_NET any -> [103.67.196.77] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249883; rev:1;) alert tcp $HOME_NET any -> [45.128.232.82] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249884; rev:1;) alert tcp $HOME_NET any -> [74.50.85.233] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1249885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.apol.eu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"williesimpson.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249833; rev:1;) alert tcp $HOME_NET any -> [139.59.88.74] 667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249880/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249880; rev:1;) alert tcp $HOME_NET any -> [154.216.54.241] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249879; rev:1;) alert tcp $HOME_NET any -> [154.216.54.209] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249878; rev:1;) alert tcp $HOME_NET any -> [154.216.54.224] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249877; rev:1;) alert tcp $HOME_NET any -> [154.216.54.205] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249876; rev:1;) alert tcp $HOME_NET any -> [154.216.54.249] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249875; rev:1;) alert tcp $HOME_NET any -> [154.216.54.225] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249874; rev:1;) alert tcp $HOME_NET any -> [154.216.54.210] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249873; rev:1;) alert tcp $HOME_NET any -> [154.216.54.236] 809 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249872; rev:1;) alert tcp $HOME_NET any -> [154.216.54.212] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249871; rev:1;) alert tcp $HOME_NET any -> [154.216.54.219] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249870; rev:1;) alert tcp $HOME_NET any -> [154.216.54.229] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249869; rev:1;) alert tcp $HOME_NET any -> [154.216.54.227] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249868; rev:1;) alert tcp $HOME_NET any -> [154.216.54.195] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249867/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249867; rev:1;) alert tcp $HOME_NET any -> [154.216.54.213] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249866; rev:1;) alert tcp $HOME_NET any -> [154.216.54.218] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249865; rev:1;) alert tcp $HOME_NET any -> [154.216.54.203] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249864; rev:1;) alert tcp $HOME_NET any -> [154.216.54.234] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249863; rev:1;) alert tcp $HOME_NET any -> [154.216.54.201] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249862; rev:1;) alert tcp $HOME_NET any -> [154.216.54.251] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249861; rev:1;) alert tcp $HOME_NET any -> [154.216.54.253] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249860; rev:1;) alert tcp $HOME_NET any -> [154.216.54.235] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249859; rev:1;) alert tcp $HOME_NET any -> [154.216.54.226] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249858; rev:1;) alert tcp $HOME_NET any -> [154.216.54.217] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249857; rev:1;) alert tcp $HOME_NET any -> [154.216.54.223] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91249856; rev:1;) alert tcp $HOME_NET any -> [154.216.54.220] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249855; rev:1;) alert tcp $HOME_NET any -> [154.216.54.242] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249854; rev:1;) alert tcp $HOME_NET any -> [154.216.54.248] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249853; rev:1;) alert tcp $HOME_NET any -> [154.216.54.206] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249852; rev:1;) alert tcp $HOME_NET any -> [154.216.54.208] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-2saemj0p-1319375115.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249849; rev:1;) alert tcp $HOME_NET any -> [107.173.144.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-2saemj0p-1319375115.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249848; rev:1;) alert tcp $HOME_NET any -> [154.216.54.200] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249847; rev:1;) alert tcp $HOME_NET any -> [154.216.54.252] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249846; rev:1;) alert tcp $HOME_NET any -> [154.216.54.244] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249845; rev:1;) alert tcp $HOME_NET any -> [154.216.54.204] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249844; rev:1;) alert tcp $HOME_NET any -> [154.216.54.196] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249843; rev:1;) alert tcp $HOME_NET any -> [154.216.54.207] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249842; rev:1;) alert tcp $HOME_NET any -> [154.216.54.197] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249841; rev:1;) alert tcp $HOME_NET any -> [154.216.54.245] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249840; 
rev:1;) alert tcp $HOME_NET any -> [154.216.54.221] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249839; rev:1;) alert tcp $HOME_NET any -> [154.216.54.246] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-20ww8i3o-1300612713.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-20ww8i3o-1300612713.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249836/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"139.9.41.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dakee.ir"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.carercn.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"darmanet.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"empiretaxusa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"daarine.ir"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"boulangeriebezencon.ch"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rickwire.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"selekta.fi"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249825/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_27; classtype:trojan-activity; sid:91249825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lollipophouse.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.elgreco-sindlingen.de"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249827; rev:1;) alert tcp $HOME_NET any -> [74.50.85.233] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"voidc2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249817; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249815/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_27; classtype:trojan-activity; sid:91249815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249814; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"www.flash-update.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.flash-update.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249812; rev:1;) alert tcp $HOME_NET any -> [43.156.21.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249810/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_27; classtype:trojan-activity; sid:91249810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.156.21.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"74.50.85.233"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1249805/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.82"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"versenet.lol"; depth:12; nocase; reference:url, 
threatfox.abuse.ch/ioc/1249807/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apijsonparserkit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249665; rev:1;) alert tcp $HOME_NET any -> [1.94.11.195] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249783; rev:1;) alert tcp $HOME_NET any -> [120.46.128.5] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249782; rev:1;) alert tcp $HOME_NET any -> [120.26.169.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249780; rev:1;) alert tcp $HOME_NET any -> [123.60.181.152] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249781; rev:1;) alert tcp $HOME_NET any -> 
[118.190.147.246] 13443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249778; rev:1;) alert tcp $HOME_NET any -> [120.26.105.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249779; rev:1;) alert tcp $HOME_NET any -> [118.178.125.8] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249777; rev:1;) alert tcp $HOME_NET any -> [47.109.60.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249774; rev:1;) alert tcp $HOME_NET any -> [47.113.188.133] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249775; rev:1;) alert tcp $HOME_NET any -> [60.205.246.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249776/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249776; rev:1;) alert tcp $HOME_NET any -> [139.199.77.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249767; rev:1;) alert tcp $HOME_NET any -> [8.138.26.50] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249772; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249771; rev:1;) alert tcp $HOME_NET any -> [47.106.122.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249773; rev:1;) alert tcp $HOME_NET any -> [129.211.26.3] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249766; rev:1;) alert tcp $HOME_NET any -> [122.51.27.35] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249764; rev:1;) alert tcp $HOME_NET any -> [124.221.102.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249765; rev:1;) alert tcp $HOME_NET any -> [82.157.71.34] 7898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249763; rev:1;) alert tcp $HOME_NET any -> [43.136.99.149] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249761; rev:1;) alert tcp $HOME_NET any -> [43.138.72.70] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupitfirst.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249759/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_27; classtype:trojan-activity; sid:91249759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"withupdate.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249760; rev:1;) alert tcp $HOME_NET any -> [179.60.147.91] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arku.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249736/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249736; rev:1;) alert tcp $HOME_NET any -> [3.33.130.190] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249735; rev:1;) alert tcp $HOME_NET any -> [179.60.147.94] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"usersync.tiqcdn.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249734; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 19387 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249804/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249804; rev:1;) alert tcp $HOME_NET any -> [117.41.187.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249506; rev:1;) alert tcp $HOME_NET any -> [176.123.169.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249803; rev:1;) alert tcp $HOME_NET any -> [45.151.44.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249802; rev:1;) alert tcp $HOME_NET any -> [77.221.154.236] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91249801; rev:1;) alert tcp $HOME_NET any -> [117.72.9.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249800; rev:1;) alert tcp $HOME_NET any -> [103.165.81.103] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249799; rev:1;) alert tcp $HOME_NET any -> [46.246.84.23] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249798; rev:1;) alert tcp $HOME_NET any -> [70.31.125.114] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249797; rev:1;) alert tcp $HOME_NET any -> [68.32.77.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249796; rev:1;) alert tcp $HOME_NET any -> [41.96.10.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249795; rev:1;) alert tcp $HOME_NET any -> [52.173.131.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249794; rev:1;) alert tcp $HOME_NET any -> [54.84.224.146] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249793; rev:1;) alert tcp $HOME_NET any -> [92.116.36.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249792; rev:1;) alert tcp $HOME_NET any -> [134.209.171.201] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249791; rev:1;) alert tcp $HOME_NET any -> [92.118.112.155] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249790; rev:1;) alert tcp $HOME_NET any -> [54.145.56.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7b6ac9c.php"; depth:13; nocase; http.host; content:"fire-studio.000webhostapp.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249788; rev:1;) alert tcp $HOME_NET any -> [194.147.140.158] 2323 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oudowibspr"; depth:11; nocase; http.host; content:"withupdate.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; 
classtype:trojan-activity; sid:91249785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wgfqneerod"; depth:11; nocase; http.host; content:"backupitfirst.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c16/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249770; rev:1;) alert tcp $HOME_NET any -> [45.11.182.29] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c16/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/attachments/1063894486901587979/1221860531594596433/2_npp.8.6.4.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/operational-resources"; depth:22; nocase; http.host; content:"apllicam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/corporate-financial"; depth:20; nocase; http.host; content:"apllicam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assumendaipsam/point.exe"; depth:25; nocase; http.host; content:"ingatecsus.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249749; rev:1;) alert tcp $HOME_NET any -> [172.232.208.90] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249744; rev:1;) alert tcp $HOME_NET any -> [213.199.41.33] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249745; rev:1;) alert tcp $HOME_NET any -> [194.233.91.144] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249746; rev:1;) alert tcp $HOME_NET any -> [158.220.95.215] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249747; rev:1;) alert tcp $HOME_NET any -> [84.247.157.112] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249748; rev:1;) alert tcp $HOME_NET any -> [158.220.95.214] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249742; rev:1;) alert tcp $HOME_NET any -> [64.23.199.206] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g.fyss888.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249740; rev:1;) alert tcp $HOME_NET any -> [154.219.163.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249741; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"g.fyss888.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249739; rev:1;) alert tcp $HOME_NET any -> [77.238.249.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249516; rev:1;) alert tcp $HOME_NET any -> [20.205.173.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249515; rev:1;) alert tcp $HOME_NET any -> [122.10.10.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249514; rev:1;) alert tcp $HOME_NET any -> [122.10.5.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249513; rev:1;) alert tcp $HOME_NET any -> [47.236.244.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249512; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8011 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249511; rev:1;) alert tcp $HOME_NET any -> [91.102.163.73] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249510; rev:1;) alert tcp $HOME_NET any -> [154.246.204.189] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249509; rev:1;) alert tcp $HOME_NET any -> [39.40.187.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249508; rev:1;) alert tcp $HOME_NET any -> [123.247.80.47] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249507; rev:1;) alert tcp 
$HOME_NET any -> [91.92.254.140] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rosenfeldmedia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"1poclimaty.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mindfulsearching.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"psdkits.com"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"porusski.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ketabpedia.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cultureroadtravel.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nzdcr.co.nz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; 
sid:91249497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythictherapy.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249496; rev:1;) alert tcp $HOME_NET any -> [46.226.164.82] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249495; rev:1;) alert tcp $HOME_NET any -> [74.50.65.52] 7855 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249494; rev:1;) alert tcp $HOME_NET any -> [91.92.252.207] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249492; rev:1;) alert tcp $HOME_NET any -> [91.92.252.218] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srryontop.fr"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1249490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryontop.fr"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.204.201.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249489; rev:1;)
alert tcp $HOME_NET any -> [47.94.241.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249488; rev:1;)
# NOTE(review): 172.20.16.192 in the rule below (sid 91249487) is an RFC 1918
# address. Under Suricata's default address groups (HOME_NET includes
# 172.16.0.0/12, EXTERNAL_NET is !$HOME_NET) this rule cannot fire, and the
# IOC is most plausibly a lab/sandbox artefact reported verbatim from a
# sample's config rather than a live Internet C2. /jquery-3.3.1.min.js is
# also a very common legitimate path, so do not loosen the host match to
# "rescue" it -- check the threatfox reference and consider dropping the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.20.16.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/www/handle/doc"; depth:15; nocase; http.host; content:"121.36.255.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.99.162.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249484; rev:1;) alert tcp $HOME_NET any -> [47.99.162.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lionos.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axz.lionos.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pda.lionos.xyz"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ml.lionos.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goweqmcsa.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwea.goweqmcsa.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xza.goweqmcsa.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.virtue.ltd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249478/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkbn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.work.gd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.layer4.bf"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiyl7.hilariocolche.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metis-info.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249483; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"40.83.122.109"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249467; rev:1;)
# NOTE(review): sids 91249467 (above), 91249468 and 91249469 (below) were
# generated from URL IOCs that had no path, and the host ended up in the
# http.uri buffer ("40.83.122.109", "42.112.76.107", "metis-black.com", each
# with depth:<len> and no http.host / isdataat anchoring). In an ordinary
# origin-form request the normalized URI starts with "/", so these are very
# unlikely ever to match. The intended check is probably the host-anchored
# form the neighbouring rules use, e.g. for 91249467:
#   http.host; content:"40.83.122.109"; depth:13; isdataat:!1,relative;
# with the http.uri match dropped -- TODO confirm against the IOC and re-test.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"42.112.76.107"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"metis-black.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1249469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249470; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.201] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249464; rev:1;)
alert tcp $HOME_NET any -> [103.116.52.207] 42597
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249465; rev:1;) alert tcp $HOME_NET any -> [91.92.251.65] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"36.25.254.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; 
sid:91249461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sessionannoucemenwj.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cleartotalfisherwo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"worryfillvolcawoi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"enthusiasimtitleow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dismissalcylinderhostw.shop"; depth:27; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"affordcharmcropwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diskretainvigorousiw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationgenerwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pillowbrocccolipe.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; 
classtype:trojan-activity; sid:91249456; rev:1;) alert tcp $HOME_NET any -> [43.156.21.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.156.21.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249446; rev:1;) alert tcp $HOME_NET any -> [43.136.59.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.221.17.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249443/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vogxhf/panel/five/fre.php"; depth:26; nocase; http.host; content:"www.dobiamfollollc.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249441; rev:1;)
# NOTE(review): the /xmlrpc.php "payload delivery" batch starting here
# (sid 91249417 onward) targets hosts that look like ordinary third-party
# WordPress sites, presumably compromised at the time of reporting. Verify
# against the threatfox reference before blocking, keep these as alert (not
# drop), and expect them to go stale once the sites are cleaned. The host
# match is exact (depth + isdataat:!1,relative): e.g. sid 91249417 matches
# only "www.8design.se", not the bare apex, and the apex-only rules that
# follow do not match their "www." forms.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.8design.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prokeypc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249418; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"madalynsklar.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hortonhighschool.ca"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"richardvanhooijdonk.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.adventurewallcoverings.co.za"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gundrymd.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"g8education.edu.au"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"makestories.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"abtenau-info.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"laptop.org"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249408; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "payload delivery" URL rules: outbound GET for /xmlrpc.php on a
# fixed Host header (batch first seen 2024-03-26; every rule below shares one
# template and differs only in host, host length and sid).
#
# How a rule in this template matches:
#   flow:established,from_client   - completed TCP handshake, client->server only.
#   http.method content:"GET"      - only GET; a POST to the same URL stays silent.
#   http.uri content:"/xmlrpc.php"; depth:11; nocase
#                                  - normalised URI must BEGIN with /xmlrpc.php.
#                                    There is no isdataat:!1 on the URI, so a query
#                                    string or a longer path after it still matches.
#   http.host content:"<name>"; depth:N; isdataat:!1,relative
#                                  - Host header must be exactly <name> (N is its
#                                    length); "www.<name>", another subdomain or a
#                                    "name:port" form does NOT match. No nocase is
#                                    needed here because Suricata lower-cases the
#                                    http.host buffer (http.host.raw would not be).
#   target:src_ip                  - the internal client is recorded as the victim.
#
# NOTE(review): the hosts are ordinary-looking sites exposing a WordPress
# xmlrpc endpoint rather than attacker-branded infrastructure; the feed's
# "payload delivery" label is consistent with compromised sites. Treat a hit as
# a lead on the internal source host and check the referenced ThreatFox page
# before block-listing the domain as a whole. Because the host match is exact,
# the same path on any other host does not fire, so a hit is a strong signal.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"voluntariosenelmundo.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"greveclimaticaestudantil.pt"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"beginagaininstitute.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"leadershipmanagement.com.au"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"3axis.co"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"academieairespace.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bollywoodtadka.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ccspaintingllc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.carlhansensolv.dk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rondesantis.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sitesrip.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ambitiouswithcards.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zarmes.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"blackdiamondbjj.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cnsmaryland.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bearnutscomic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"psychosfera.kz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.assenmacher-koeln.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shiroutowiki.work"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gadgetstouse.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sim-unlock.blog"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dailyshepursues.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249431; rev:1;)
# ---------------------------------------------------------------------------
# Continuation of the ThreatFox "GET /xmlrpc.php on a fixed Host" payload
# delivery set (first seen 2024-03-26). Matching summary for this template:
# established client->server HTTP, method GET, URI beginning with /xmlrpc.php
# (depth:11, nocase, no end anchor so a query string still matches), Host
# header exactly equal to the listed name (depth:N + isdataat:!1,relative).
# Two hosts are IDNA-encoded (xn--...) because http.host carries the wire form,
# and www.doctorsacademy.org is matched on /list/xmlrpc.php (depth:16) instead
# of the bare path.
# NOTE(review): as with the rest of this set, the listed names look like
# ordinary web sites; the feed labels them payload-delivery URLs, so confirm
# against the referenced ThreatFox page before block-listing the domain.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rg-adguard.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"peacerivervet.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kitchenofdebjani.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xn--80ajgpcpbhkds4a4g.xn--p1ai"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"toptorials.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xn--ngbeab6ar43f.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"discovermass.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"grundens.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bienenzucht-villachland.at"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"openloadmovies.live"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"businessforfilipinos.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249395; rev:1;)
# Path variant: /list/xmlrpc.php (16 bytes) rather than /xmlrpc.php.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/xmlrpc.php"; depth:16; nocase; http.host; content:"www.doctorsacademy.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tiodonghua.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tobano.pl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eastnaija.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"travelperi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gribnik.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hentai-witch.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"paydo.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"irpp.org"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249388; rev:1;)
# ip:port rule: any TCP segment from $HOME_NET to this socket fires (no flow:
# or content: keyword, so a bare SYN is enough); threshold limits output to one
# alert per internal source per 60 s. The family name comes from the ThreatFox
# report, not from anything the rule inspects in the traffic.
alert tcp $HOME_NET any -> [8.220.195.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249072; rev:1;)
alert tcp $HOME_NET any -> [46.30.191.245] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249068; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox ip:port C2 rules (Sliver, Venom RAT, AsyncRAT, DarkComet,
# RecordBreaker, Cobalt Strike, RedLine Stealer; first seen 2024-03-26).
#
# Template: alert tcp $HOME_NET any -> [<ip>] <port> with NO flow: and NO
# content: keyword. Any TCP segment toward the listed socket fires, including a
# bare SYN from an internal vulnerability scanner, a sandbox, or a mistyped
# destination, and nothing about the payload is verified -- the malware family
# in msg is what the ThreatFox submitter reported. "threshold: type limit,
# track by_src, seconds 60, count 1" caps output at one alert per internal
# source per minute per rule; target:src_ip records that source as the victim.
#
# NOTE(review): port 31337 recurs across the Sliver entries, and
# 187.135.117.144 appears with seven different ports in the DarkComet entries.
# The destination address is the actual signal here; if alert volume matters,
# the per-port DarkComet rules for that host could be folded into one rule with
# a port list (that changes sids, so it is deliberately not done in this feed).
# Also note the two entries below 100% confidence (RecordBreaker at 75%) and
# the sids in this file are derived as 9 + <ThreatFox IOC id>.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [197.82.164.175] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249065; rev:1;)
alert tcp $HOME_NET any -> [54.39.29.90] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249067; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249074; rev:1;)
alert tcp $HOME_NET any -> [82.153.138.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249075; rev:1;)
alert tcp $HOME_NET any -> [54.39.29.90] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249066; rev:1;)
alert tcp $HOME_NET any -> [82.153.138.222] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249076; rev:1;)
alert tcp $HOME_NET any -> [91.215.85.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249077; rev:1;)
alert tcp $HOME_NET any -> [104.225.238.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249078; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249079; rev:1;)
alert tcp $HOME_NET any -> [168.100.8.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249080; rev:1;)
alert tcp $HOME_NET any -> [185.219.84.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249081; rev:1;)
# DarkComet: 187.135.117.144 is listed on ports 2036, 2004, 2003, 2082, 2083,
# 2086 and 2096; 105.98.x.x hosts on 6001; 187.135.130.176 on 1962.
alert tcp $HOME_NET any -> [187.135.117.144] 2036 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249105; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249104; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249103; rev:1;)
alert tcp $HOME_NET any -> [105.98.12.207] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249101; rev:1;)
alert tcp $HOME_NET any -> [187.135.130.176] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249100; rev:1;)
alert tcp $HOME_NET any -> [191.233.252.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249083; rev:1;)
alert tcp $HOME_NET any -> [188.166.177.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249082; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249106; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249107; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249108; rev:1;)
alert tcp $HOME_NET any -> [187.135.117.144] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249109; rev:1;)
alert tcp $HOME_NET any -> [105.98.67.41] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249110; rev:1;)
# 75% confidence: plain port 80 on a single address -- expect more noise than
# the 100% entries if the address also serves ordinary web content.
alert tcp $HOME_NET any -> [193.233.132.231] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249122; rev:1;)
alert tcp $HOME_NET any -> [45.63.31.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249130; rev:1;)
# DNS rule: dns_query content + depth:N + isdataat:!1,relative is an EXACT
# match on the queried name; "www.nonlinearcomms.info" or any other subdomain
# does not fire. fast_pattern hands the name to the MPM prefilter.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonlinearcomms.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249131; rev:1;)
alert tcp $HOME_NET any -> [15.235.131.20] 39206 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249387; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 19282 (msg:"ThreatFox NjRAT botnet 
C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249372; rev:1;)
# ---------------------------------------------------------------------------
# Mixed block: a run of confidence_level 50 ip:port rules, then 100% domain and
# URL indicators, then a few Cobalt Strike entries first seen 2024-03-25.
#
# NOTE(review): the 50% ip:port rules fire on ANY TCP segment from $HOME_NET to
# the socket (no flow: or content: keyword) and include common service ports --
# 443, 445, 995, 8888, 7443 -- at addresses that look like shared hosting or
# cloud ranges (verify with whois before acting). A legitimate service on the
# same address will alert too, so consider loading the 50% entries at lower
# priority or alert-only and triage on the confidence_level metadata field.
#
# DNS rules in this block (dns_query content:"<name>"; depth:N; fast_pattern;
# isdataat:!1,relative; nocase) are EXACT matches on the queried name: a
# subdomain such as "www.<name>" does not fire. The apiasyncpromise.com /
# apieventemitter.com / apifetchmethod.com names are tagged "payload delivery"
# by the feed; nothing in the rule itself distinguishes them from C2 domains.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goingupdate.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249386; rev:1;)
alert tcp $HOME_NET any -> [80.209.238.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249385; rev:1;)
alert tcp $HOME_NET any -> [111.92.243.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249384; rev:1;)
alert tcp $HOME_NET any -> [124.70.143.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249383; rev:1;)
alert tcp $HOME_NET any -> [172.245.81.143] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249382; rev:1;)
alert tcp $HOME_NET any -> [47.116.192.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249381; rev:1;)
alert tcp $HOME_NET any -> [189.177.5.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249380; rev:1;)
alert tcp $HOME_NET any -> [41.99.6.82] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249379; rev:1;)
# Port 445 outbound to an external host: worth a separate egress-policy check
# regardless of this indicator, since SMB to the internet is rarely legitimate.
alert tcp $HOME_NET any -> [46.101.94.83] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249378; rev:1;)
alert tcp $HOME_NET any -> [20.79.165.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249377; rev:1;)
alert tcp $HOME_NET any -> [46.101.81.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249376; rev:1;)
alert tcp $HOME_NET any -> [103.40.161.185] 54321 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249375; rev:1;)
alert tcp $HOME_NET any -> [47.93.103.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249374; rev:1;)
alert tcp $HOME_NET any -> [47.93.103.60] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249373; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"froggysnow.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apiasyncpromise.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apieventemitter.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apifetchmethod.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"incachespace.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lyddemper.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249098; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.131] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xjp.xinjiangworker.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249070; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.11] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249069/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249069; rev:1;)
alert tcp $HOME_NET any -> [194.87.107.145] 10480 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249371; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.38] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249370; rev:1;)
# NOTE(review): sids 91249369 and 91249368 have IDENTICAL detection logic
# (GET /c13/fre.php, Host exactly sempersim.su) and differ only in the
# confidence metadata of two separate ThreatFox submissions, so one request
# raises both alerts; de-duplicate on the tuple downstream or drop one of them
# when loading the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249368; rev:1;)
# Cobalt Strike entries (first seen 2024-03-25). 178.236.46.118 appears both as
# an ip:port rule (443) and as a URL rule whose Host header must be exactly the
# dotted IP (depth:14 + isdataat:!1 -- a "host:port" form would not match), so
# the URL rule corroborates the ip:port hit with a path. The /dpixel rule on
# 43.240.48.66 has the same shape; neither rule checks the response.
alert tcp $HOME_NET any -> [178.236.46.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dist/css/bootstrap.min.css"; depth:27; nocase; http.host; content:"178.236.46.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.240.48.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249126; rev:1;)
alert tcp $HOME_NET any -> [154.216.54.199] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249125; rev:1;) alert tcp $HOME_NET any -> [124.71.75.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.71.75.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249123; rev:1;) alert tcp $HOME_NET any -> [193.233.132.109] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249121; rev:1;) alert tcp $HOME_NET any -> [129.159.131.26] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249120; rev:1;) alert tcp $HOME_NET any -> [23.227.198.236] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249119; rev:1;) alert tcp $HOME_NET any -> [4.227.54.178] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249118; rev:1;) alert tcp $HOME_NET any -> [103.200.29.109] 1364 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c19/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249114; rev:1;) alert tcp $HOME_NET any -> [194.147.140.180] 1987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249102; rev:1;) alert tcp $HOME_NET any -> [188.120.239.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249097/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249097; rev:1;) alert tcp $HOME_NET any -> [200.234.232.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249096; rev:1;) alert tcp $HOME_NET any -> [217.196.98.138] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249095; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249094; rev:1;) alert tcp $HOME_NET any -> [103.209.129.94] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249093; rev:1;) alert tcp $HOME_NET any -> [39.40.158.94] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249092; rev:1;) alert tcp $HOME_NET any -> [154.246.154.178] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249091; rev:1;) alert tcp $HOME_NET any -> [41.96.255.221] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249090; rev:1;) alert tcp $HOME_NET any -> [92.38.176.164] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249089; rev:1;) alert tcp $HOME_NET any -> [45.134.9.140] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249088; rev:1;) alert tcp $HOME_NET any -> [45.134.9.139] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249087; rev:1;) alert tcp $HOME_NET any -> [92.116.37.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249086; rev:1;) alert tcp $HOME_NET any -> [96.9.225.129] 19701 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249085; rev:1;) alert tcp $HOME_NET any -> [38.60.254.215] 2112 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edf04ce5e57d0f66.php"; depth:21; nocase; http.host; content:"193.163.7.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249064; rev:1;) alert tcp $HOME_NET any -> [91.92.247.97] 2505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn.next2.cx"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249061; rev:1;) alert tcp $HOME_NET any -> [107.150.18.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsytvkb9"; depth:9; nocase; http.host; content:"eeatgoodx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/257kcwfj"; depth:9; nocase; http.host; content:"searchgear.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxn9mb9h"; depth:9; nocase; http.host; content:"devqeury.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/min.main.js"; depth:15; nocase; http.host; content:"sarcoma.space"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; 
sid:91249049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvclbyck"; depth:9; nocase; http.host; content:"backendjs.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ielts.com.au"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thetip.co.kr"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"panang.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"restaurant-riva.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sirfresh.co.za"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bilyonaryo.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"portalebambini.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ware2go.co"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"configurelaptop.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alternative-tibetaine.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spml.exe"; depth:9; nocase; http.host; content:"twizt.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/"; depth:7; nocase; http.host; content:"cdn-serveq.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249040; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.128.207.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"welcome.visionaryyouth.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.33.177.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249042; rev:1;) alert tcp $HOME_NET any -> [193.233.132.109] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249044; rev:1;) alert tcp $HOME_NET any -> [62.234.90.4] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91249039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c17/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249038; rev:1;) alert tcp $HOME_NET any -> [193.233.132.109] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249037; rev:1;) alert tcp $HOME_NET any -> [147.78.47.83] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.242.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249035; rev:1;) alert tcp $HOME_NET any -> [52.76.173.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91249034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"52.76.173.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249033; rev:1;) alert tcp $HOME_NET any -> [101.36.126.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.130.46.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249030; rev:1;) alert tcp $HOME_NET any -> [185.130.46.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.14.206.72"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.106.89.225"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"39.106.5.215"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fr.html"; depth:8; nocase; http.host; content:"101.32.37.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"39.100.86.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249025; rev:1;) alert tcp $HOME_NET 
any -> [152.32.131.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"205.185.118.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf907cd9e8f94a93937a6360363420b2.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249021; rev:1;) alert tcp $HOME_NET any -> [101.36.121.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d69b6834b7eb46fcb7bbcaa60f9f0f2d.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249019; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"cf907cd9e8f94a93937a6360363420b2.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"d69b6834b7eb46fcb7bbcaa60f9f0f2d.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"f6d2b014a8664ddd8d859ce64f3741ad.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f6d2b014a8664ddd8d859ce64f3741ad.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249017; rev:1;) alert tcp $HOME_NET any -> 
[74.249.43.255] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/v2.5/pisz5tos7v"; depth:20; nocase; http.host; content:"74.249.43.255"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.36.213.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"52.76.173.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.17.22.42"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1249011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249011; rev:1;) alert tcp $HOME_NET any -> [195.181.245.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.91.209.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249008; rev:1;) alert tcp $HOME_NET any -> [62.72.185.90] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248999; rev:1;) alert tcp $HOME_NET any -> [5.181.80.130] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"billions.ooguy.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248992; rev:1;) alert tcp $HOME_NET any -> [45.131.111.159] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248993; rev:1;) alert tcp $HOME_NET any -> [5.181.80.140] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248997; rev:1;) alert tcp $HOME_NET any -> [62.72.185.15] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248998; rev:1;) alert tcp $HOME_NET any -> [91.92.249.225] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.222.97.236"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etc.clientlibs/base.min.acshash29ccd0207f7ce847c.js"; depth:52; nocase; http.host; content:"119.3.12.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.130.48.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248994; rev:1;) alert tcp $HOME_NET any -> [94.131.122.80] 5009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248991; rev:1;) alert tcp $HOME_NET any -> [185.196.10.155] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/spp/rf/installer.zip"; depth:26; nocase; http.host; content:"www.efesmarble.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248986; rev:1;) alert tcp $HOME_NET any -> [92.249.48.114] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipe2/0javascript2private/vmgameapi/pythonprocessor/providerpollprocesslinuxuploads.php"; depth:88; nocase; http.host; content:"212.109.198.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248990/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonpollhttpgamepubliccdncentral.php"; depth:46; nocase; http.host; content:"878497cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248984; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248982; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.149.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.141.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248978/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.236"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"135.181.97.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.125.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248975; rev:1;) alert tcp $HOME_NET any -> [5.75.212.236] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248972; rev:1;) alert tcp $HOME_NET any -> [78.47.141.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248973; rev:1;) alert tcp $HOME_NET any -> [49.13.149.95] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248974; rev:1;) alert tcp $HOME_NET any -> [135.181.97.113] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248970; rev:1;) alert tcp $HOME_NET any -> [128.140.125.116] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e1d1eda2.php"; depth:13; nocase; http.host; content:"a0881216.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248969; rev:1;) alert tcp $HOME_NET any -> [109.107.182.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248968; rev:1;) alert tcp $HOME_NET any -> [193.233.255.105] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248967; rev:1;) alert tcp $HOME_NET any -> [64.176.81.234] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248966; rev:1;) alert tcp $HOME_NET any -> [209.236.16.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248965; rev:1;) alert tcp $HOME_NET any -> [64.23.230.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248964; rev:1;) alert tcp $HOME_NET any -> [81.43.23.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248963; rev:1;) alert tcp $HOME_NET any -> [104.200.72.22] 2373 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1248962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248962; rev:1;) alert tcp $HOME_NET any -> [1.117.72.174] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248961; rev:1;) alert tcp $HOME_NET any -> [193.233.132.56] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248960; rev:1;) alert tcp $HOME_NET any -> [64.23.206.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248864; rev:1;) alert tcp $HOME_NET any -> [104.236.193.50] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248865; rev:1;) alert tcp $HOME_NET any -> [128.199.141.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248866; rev:1;) alert tcp $HOME_NET any -> [143.198.210.118] 60060 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248867; rev:1;) alert tcp $HOME_NET any -> [167.71.61.64] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248868; rev:1;) alert tcp $HOME_NET any -> [167.71.141.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248869; rev:1;) alert tcp $HOME_NET any -> [178.128.59.129] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248870; rev:1;) alert tcp $HOME_NET any -> [106.38.201.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248871; rev:1;) alert tcp $HOME_NET any -> [116.196.113.95] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248872/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248872; rev:1;) alert tcp $HOME_NET any -> [117.50.47.141] 47346 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248873; rev:1;) alert tcp $HOME_NET any -> [117.50.179.195] 7091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248874; rev:1;) alert tcp $HOME_NET any -> [45.63.120.203] 57383 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248875; rev:1;) alert tcp $HOME_NET any -> [64.176.168.194] 62253 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248876; rev:1;) alert tcp $HOME_NET any -> [70.34.221.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248877; rev:1;) alert tcp $HOME_NET any -> [107.191.49.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248878; rev:1;) alert tcp $HOME_NET any -> [108.160.137.199] 49933 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248879; rev:1;) alert tcp $HOME_NET any -> [20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248881; rev:1;) alert tcp $HOME_NET any -> [167.179.84.218] 35567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248880; rev:1;) alert tcp $HOME_NET any -> [20.239.165.111] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248882; rev:1;) alert tcp $HOME_NET any -> [104.46.214.150] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248883/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_25; classtype:trojan-activity; sid:91248883; rev:1;)
#
# --- ThreatFox ip:port IOCs, Cobalt Strike, batch first_seen 2024-03-25 ---
# Every rule in this run has the same shape: a bare destination IP:port match
# with no content and no flow keyword. It therefore fires on ANY TCP packet
# from $HOME_NET to the listed socket - a single unanswered SYN from a
# scanner or a mistyped address is enough - so treat a hit as "contact
# attempted", not "session established".
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per internal source host per rule per 60 s; repeated beaconing inside
# that window is collapsed into the first event.
# target:src_ip marks the internal (source) host as the victim side of the
# alert. The sid is the ThreatFox IOC id prefixed with 9, and the
# reference:url points at the matching threatfox.abuse.ch/ioc/<id>/ entry.
# NOTE(review): these are raw IP indicators dated 2024-03-25 with no
# hostname or certificate pivot; before promoting any of them from alert to
# drop, re-check the IOC on ThreatFox - single-tenant hosting addresses are
# recycled quickly and a stale entry will block a new, unrelated tenant.
#
alert tcp $HOME_NET any -> [168.61.180.98] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248884; rev:1;)
alert tcp $HOME_NET any -> [168.61.180.98] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248885; rev:1;)
alert tcp $HOME_NET any -> [64.69.41.141] 12306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248886; rev:1;)
alert tcp $HOME_NET any -> [148.135.67.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248887; rev:1;)
# NOTE(review): port 50050 (here and in several entries below) is the port a
# Cobalt Strike team server listens on by default for operator clients, not a
# beacon listener. An outbound hit on 50050 from $HOME_NET is still contact
# with flagged infrastructure, but actual beacon traffic to the same host may
# use a different port that this feed does not list - confirm on ThreatFox.
alert tcp $HOME_NET any -> [39.109.113.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248888; rev:1;)
alert tcp $HOME_NET any -> [154.221.16.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248889; rev:1;)
alert tcp $HOME_NET any -> [45.152.64.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248890; rev:1;)
alert tcp $HOME_NET any -> [45.144.136.14] 51150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248891; rev:1;)
alert tcp $HOME_NET any -> [149.104.29.151] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248892; rev:1;)
alert tcp $HOME_NET any -> [38.207.178.141] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248893; rev:1;)
alert tcp $HOME_NET any -> [38.207.178.141] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248894; rev:1;)
alert tcp $HOME_NET any -> [149.104.30.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248895; rev:1;)
# IOC ids are not monotonic from here on; the feed is not sorted by id, so do
# not rely on sid order when diffing two exports.
alert tcp $HOME_NET any -> [139.159.145.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248862; rev:1;)
alert tcp $HOME_NET any -> [124.70.180.22] 65089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248860; rev:1;)
alert tcp $HOME_NET any -> [124.71.75.199] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248861; rev:1;)
alert tcp $HOME_NET any -> [123.60.159.23] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248859; rev:1;)
alert tcp $HOME_NET any -> [121.36.255.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248856; rev:1;)
alert tcp $HOME_NET any -> [121.37.45.205] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248857; rev:1;)
alert tcp $HOME_NET any -> [121.37.208.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248858; rev:1;)
alert tcp $HOME_NET any -> [121.36.203.14] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248855; rev:1;)
alert tcp $HOME_NET any -> [121.36.33.53] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248853; rev:1;)
alert tcp $HOME_NET any -> [121.36.67.21] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248854; rev:1;)
alert tcp $HOME_NET any -> [60.204.222.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248851; rev:1;)
alert tcp $HOME_NET any -> [60.204.222.75] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248852; rev:1;)
alert tcp $HOME_NET any -> [60.204.133.143] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248849; rev:1;)
alert tcp $HOME_NET any -> [60.204.208.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248850; rev:1;)
# NOTE(review): the next two entries use RDP-style ports (33890, 3389). With
# no flow or payload condition, a legitimate outbound RDP session from an
# admin host to a reassigned address will look identical to a beacon hit;
# verify the destination on ThreatFox before escalating.
alert tcp $HOME_NET any -> [175.178.0.88] 33890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248833; rev:1;)
alert tcp $HOME_NET any -> [175.178.103.238] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248834; rev:1;)
alert tcp $HOME_NET any -> [192.144.234.75] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248835; rev:1;)
alert tcp $HOME_NET any -> [175.27.137.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248831; rev:1;)
alert tcp $HOME_NET any -> [175.27.159.169] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248832; rev:1;)
alert tcp $HOME_NET any -> [159.75.170.201] 42586 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248829; rev:1;)
alert tcp $HOME_NET any -> [175.27.137.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248830; rev:1;)
alert tcp $HOME_NET any -> [150.158.135.188] 49227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248827; rev:1;)
alert tcp $HOME_NET any -> [152.136.174.196] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248828; rev:1;)
alert tcp $HOME_NET any -> [139.155.94.15] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248826; rev:1;)
alert tcp $HOME_NET any -> [124.223.180.89] 58808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248825; rev:1;)
alert tcp $HOME_NET any -> [124.222.220.126] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248824; rev:1;)
alert tcp $HOME_NET any -> [124.221.184.239] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248821; rev:1;)
alert tcp $HOME_NET any -> [124.222.24.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248822; rev:1;)
alert tcp $HOME_NET any -> [124.222.186.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248823; rev:1;)
alert tcp $HOME_NET any -> [124.220.182.36] 38927 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248818; rev:1;)
alert tcp $HOME_NET any -> [124.221.15.74] 50520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248819; rev:1;)
alert tcp $HOME_NET any -> [124.221.66.75] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248820; rev:1;)
alert tcp $HOME_NET any -> [124.220.163.73] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248817; rev:1;)
alert tcp $HOME_NET any -> [121.5.66.186] 1082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248814; rev:1;)
alert tcp $HOME_NET any -> [122.51.133.143] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248815; rev:1;)
alert tcp $HOME_NET any -> [123.207.50.191] 43252 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248816; rev:1;)
alert tcp $HOME_NET any -> [121.5.66.186] 1083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248813; rev:1;)
alert tcp $HOME_NET any -> [119.45.216.34] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248811; rev:1;)
alert tcp $HOME_NET any -> [121.4.94.121] 65335 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248812; rev:1;)
alert tcp $HOME_NET any -> [119.45.187.65] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248810; rev:1;)
alert tcp $HOME_NET any -> [118.25.182.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248809; rev:1;)
alert tcp $HOME_NET any -> [115.159.102.112] 8933 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248808; rev:1;)
alert tcp $HOME_NET any -> [114.132.252.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248807; rev:1;)
alert tcp $HOME_NET any -> [111.230.111.186] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248806; rev:1;)
alert tcp $HOME_NET any -> [106.55.181.95] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248803; rev:1;)
alert tcp $HOME_NET any -> [111.230.30.197] 61234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248804; rev:1;)
alert tcp $HOME_NET any -> [106.54.227.54] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248802; rev:1;)
alert tcp $HOME_NET any -> [101.43.215.118] 65530 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248800; rev:1;)
alert tcp $HOME_NET any -> [106.52.94.23] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248801; rev:1;)
alert tcp $HOME_NET any -> [101.43.211.190] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248798; rev:1;)
alert tcp $HOME_NET any -> [101.43.211.190] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248799; rev:1;)
alert tcp $HOME_NET any -> [101.43.2.116] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248796; rev:1;)
alert tcp $HOME_NET any -> [101.43.16.149] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248797; rev:1;)
alert tcp $HOME_NET any -> [82.157.154.247] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248794; rev:1;)
alert tcp $HOME_NET any -> [101.35.108.141] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248795; rev:1;)
alert tcp $HOME_NET any -> [82.157.153.82] 7979 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248793; rev:1;)
alert tcp $HOME_NET any -> [82.157.17.183] 4418 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248792; rev:1;)
alert tcp $HOME_NET any -> [82.156.147.236] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248790; rev:1;)
alert tcp $HOME_NET any -> [82.156.174.51] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248791; rev:1;)
alert tcp $HOME_NET any -> [81.71.140.170] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248788; rev:1;)
alert tcp $HOME_NET any -> [82.156.29.211] 40089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248789; rev:1;)
alert tcp $HOME_NET any -> [43.143.103.235] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248785; rev:1;)
alert tcp $HOME_NET any -> [43.143.216.15] 4434 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248786; rev:1;)
alert tcp $HOME_NET any -> [81.68.198.185] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248787; rev:1;)
alert tcp $HOME_NET any -> [43.138.150.136] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248783; rev:1;)
alert tcp $HOME_NET any -> [43.139.219.102] 65360 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248784; rev:1;)
alert tcp $HOME_NET any -> [43.138.77.115] 54666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248782; rev:1;)
alert tcp $HOME_NET any -> [43.136.71.208] 9856 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248780; rev:1;)
alert tcp $HOME_NET any -> [43.136.242.247] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248781; rev:1;)
alert tcp $HOME_NET any -> [42.193.178.194] 65530 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248778; rev:1;)
alert tcp $HOME_NET any -> [43.136.14.250] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248779; rev:1;)
alert tcp $HOME_NET any -> [42.193.141.172] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248775; rev:1;)
alert tcp $HOME_NET any -> [42.193.170.176] 37019 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248776; rev:1;)
alert tcp $HOME_NET any -> [42.193.175.123] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248777; rev:1;)
alert tcp $HOME_NET any -> [42.193.98.44] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248774; rev:1;)
alert tcp $HOME_NET any -> [1.15.248.225] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248772; rev:1;)
alert tcp $HOME_NET any -> [42.193.16.213] 65520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248773; rev:1;)
alert tcp $HOME_NET any -> [1.14.204.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248770; rev:1;)
alert tcp $HOME_NET any -> [1.14.205.73] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248771; rev:1;)
alert tcp $HOME_NET any -> [1.14.69.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248769; rev:1;)
alert tcp $HOME_NET any -> [1.14.46.128] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248768; rev:1;)
alert tcp $HOME_NET any -> [182.92.67.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248765; rev:1;)
alert tcp $HOME_NET any -> [120.79.225.52] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248762; rev:1;)
alert tcp $HOME_NET any -> [123.57.193.197] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248763; rev:1;)
alert tcp $HOME_NET any -> [139.224.188.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248764; rev:1;)
alert tcp $HOME_NET any -> [120.78.83.129] 51120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248761; rev:1;)
alert tcp $HOME_NET any -> [120.55.64.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248759; rev:1;)
alert tcp $HOME_NET any -> [120.76.158.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248760; rev:1;)
alert tcp $HOME_NET any -> [120.55.64.157] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248758; rev:1;)
alert tcp $HOME_NET any -> [120.25.1.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248757; rev:1;)
alert tcp $HOME_NET any -> [114.55.234.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248755; rev:1;)
alert tcp $HOME_NET any -> [116.62.242.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248756; rev:1;)
alert tcp $HOME_NET any -> [101.201.155.239] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248753; rev:1;)
alert tcp $HOME_NET any -> [112.126.80.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248754; rev:1;)
alert tcp $HOME_NET any -> [47.123.7.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248752; rev:1;)
alert tcp $HOME_NET any -> [47.106.89.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248750; rev:1;)
alert tcp $HOME_NET any -> [47.119.19.34] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248751; rev:1;)
alert tcp $HOME_NET any -> [47.100.229.207] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248749; rev:1;)
alert tcp $HOME_NET any -> [47.94.196.29] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248747; rev:1;)
alert tcp $HOME_NET any -> [47.100.182.88] 1266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248748; rev:1;)
alert tcp $HOME_NET any -> [39.106.5.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248744; rev:1;)
alert tcp $HOME_NET any -> [39.106.74.90] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248745; rev:1;)
alert tcp $HOME_NET any -> [47.92.75.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248746; rev:1;)
alert tcp $HOME_NET any -> [8.147.132.135] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248741; rev:1;)
alert tcp $HOME_NET any -> [39.101.198.2] 8446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248743; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248742; rev:1;) alert tcp $HOME_NET any -> [8.130.101.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248739; rev:1;) alert tcp $HOME_NET any -> [8.130.122.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248740; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248733; rev:1;) alert tcp $HOME_NET any -> [8.130.43.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248737; rev:1;) alert tcp $HOME_NET any -> [8.130.81.128] 8786 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/index.php"; depth:21; nocase; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248844; rev:1;) alert tcp $HOME_NET any -> [149.104.30.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248896; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 16379 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248897; rev:1;) alert tcp $HOME_NET any -> [114.115.203.114] 46123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248898; rev:1;) alert tcp $HOME_NET any -> [111.67.195.152] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248899; rev:1;) alert tcp $HOME_NET any -> [172.233.84.174] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248900; rev:1;) alert tcp $HOME_NET any -> [139.144.96.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248901; rev:1;) alert tcp $HOME_NET any -> [5.199.168.141] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248902; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248907; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248908; rev:1;) alert tcp $HOME_NET any -> 
[3.69.157.220] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248909; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248910; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 18001 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248911; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 64479 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"share-introduced.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248913; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248914/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248914; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248915; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248916; rev:1;) alert tcp $HOME_NET any -> [24.42.98.153] 195 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"h2cker.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248918; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 9626 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"low-feeding.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248920; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 52522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"limited-architect.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"profaj.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aphcareerconnect.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"passikuvasuomi.fi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"stamyn.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"freeupscmaterials.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dermcollective.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"samsebeastrolog.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prestigiousmassage.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wakafmu.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wildaid.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ozanisguvenligi.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248933/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_25; classtype:trojan-activity; sid:91248933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.celinabostic.de"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.annehemgard.se"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nematinuts.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mega-mkv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"somersetpizzamd.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wislah.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"diabetesstrong.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cartoongayporn.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"toivolanpiha.fi"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.anordestdiche.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"egylgs.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"phoenixair.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gustancho.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248943/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_25; classtype:trojan-activity; sid:91248943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ancestralfindings.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arduino-projects4u.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"equinox-hotels.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bilgisebili.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"egvisaservices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.atlantabarbellgym.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"good2bsocial.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nokohome.se"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"eddie-hernandez.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"recetascocinaperuana.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.appleluxurycar.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swemed.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eclipseofmasters.zip"; depth:21; nocase; http.host; content:"eclipseofmasters.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248846/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248846; rev:1;) alert tcp $HOME_NET any -> [1.94.101.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eclipseofmasters.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1131608743935758472/1221211365121855640/mariyeltherapyinstaller.rar"; depth:80; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpudlemulti/downloadsjs8/update7/cpuwp/dump48/2_public/pythondefaultdbbasetestcdn.php"; depth:86; nocase; http.host; content:"213.171.8.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248906; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 5000 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248905; rev:1;) alert tcp $HOME_NET any -> [8.130.9.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.130.9.110"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248903; rev:1;) alert tcp $HOME_NET any -> [193.233.133.152] 35515 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248863; rev:1;) alert tcp $HOME_NET any -> [91.240.85.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248843; rev:1;) alert tcp $HOME_NET any -> [77.221.148.13] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248842/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248842; rev:1;) alert tcp $HOME_NET any -> [94.156.10.121] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248841; rev:1;) alert tcp $HOME_NET any -> [120.26.224.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248840; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8002 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248839; rev:1;) alert tcp $HOME_NET any -> [154.247.80.100] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248838; rev:1;) alert tcp $HOME_NET any -> [104.237.233.103] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248837; rev:1;) alert tcp $HOME_NET any -> [193.169.245.94] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248836; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4223af25.php"; depth:13; nocase; http.host; content:"a0933702.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/externaljavascriptsecurepacketcpugameprotectdefaultdbpublic.php"; depth:70; nocase; http.host; content:"176.124.220.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; 
classtype:trojan-activity; sid:91248732; rev:1;) alert tcp $HOME_NET any -> [5.161.242.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248727; rev:1;) alert tcp $HOME_NET any -> [110.34.30.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248728; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248729; rev:1;) alert tcp $HOME_NET any -> [47.92.173.240] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248730; rev:1;) alert tcp $HOME_NET any -> [81.70.232.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248731; rev:1;) alert tcp $HOME_NET any -> [123.56.251.159] 18099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248717; rev:1;) alert tcp $HOME_NET any -> [74.48.183.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248718; rev:1;) alert tcp $HOME_NET any -> [1.14.206.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248719; rev:1;) alert tcp $HOME_NET any -> [119.91.192.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248720; rev:1;) alert tcp $HOME_NET any -> [120.46.130.73] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248721; rev:1;) alert tcp $HOME_NET any -> [47.113.219.193] 11333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248722; rev:1;) alert tcp 
$HOME_NET any -> [47.109.148.62] 1003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248723; rev:1;) alert tcp $HOME_NET any -> [47.96.229.84] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248724; rev:1;) alert tcp $HOME_NET any -> [47.113.179.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248725; rev:1;) alert tcp $HOME_NET any -> [167.71.205.181] 44133 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248726; rev:1;) alert tcp $HOME_NET any -> [52.76.173.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248696; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248697; rev:1;) alert tcp $HOME_NET any -> [172.111.218.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248698; rev:1;) alert tcp $HOME_NET any -> [38.47.226.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248700; rev:1;) alert tcp $HOME_NET any -> [124.222.173.69] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248699; rev:1;) alert tcp $HOME_NET any -> [123.56.215.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248701; rev:1;) alert tcp $HOME_NET any -> [150.158.51.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248704/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; 
nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248708; rev:1;) alert tcp $HOME_NET any -> [115.159.195.80] 8161 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248709; rev:1;) alert tcp $HOME_NET any -> [67.230.163.18] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248711; rev:1;) alert tcp $HOME_NET any -> [114.55.74.79] 8975 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"himalware.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248713; rev:1;) alert tcp $HOME_NET any -> [64.23.174.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sketchcolor.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248715; rev:1;) alert tcp $HOME_NET any -> [91.194.160.156] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bb0afc50.php"; depth:13; nocase; http.host; content:"a0917913.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248702; rev:1;) alert tcp $HOME_NET any -> [8.140.251.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248694/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_24; classtype:trojan-activity; sid:91248694; rev:1;) alert tcp $HOME_NET any -> [154.12.29.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248693; rev:1;) alert tcp $HOME_NET any -> [8.140.251.152] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nblcc.co"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thpataa.chat"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aane.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"azmmhh.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eyedr.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fboadbns.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hygxq.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us17.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js-min.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248552/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stickloader.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.localadswidget.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.watchasync.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.jsdevlvr.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.wt-api.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248557; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.abc-cdn.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.opttracker.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.schema-forms.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l.js-assets.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"load.365analytics.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"page.24supportkit.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spf.js-min.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stat.counter247.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"streaming.jsonmediapacks.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylesheet.webstaticcdn.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tags.stickloader.info"; depth:21; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1248568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"helpoton.quest"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"looptic.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"shtelpenstec.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"picktoc.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sandton.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; 
classtype:bad-unknown; sid:91248572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"starlanded.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.helpoton.quest"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.looptic.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.picktoc.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.sandton.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card 
skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.shtelpenstec.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.starlanded.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flonea.live"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pvcfencingwarehouse.com.au"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"systemtranslation.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248685; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atalyadis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wordpress.itrip.ro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seva-ese.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hethooghuis.nl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wheelz.me"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kbjporn.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"onlinemoneyspy.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grasping.oss-me-east-1.aliyuncs.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248543; rev:1;) alert tcp $HOME_NET any -> [172.86.75.208] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"360sec.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248587; rev:1;) alert tcp $HOME_NET any -> [94.156.64.122] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248588; rev:1;) alert tcp $HOME_NET any -> [185.73.124.238] 30956 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248589; rev:1;) alert tcp $HOME_NET any -> [128.90.122.92] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248590; rev:1;) alert tcp $HOME_NET any -> [194.147.140.239] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248591; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248592/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248592; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248598; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248599; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248600; rev:1;) alert tcp $HOME_NET any -> [207.32.217.101] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248601; rev:1;) alert tcp $HOME_NET any -> [186.168.67.211] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248603; rev:1;) alert tcp $HOME_NET any -> [38.180.91.75] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248602; rev:1;) alert tcp $HOME_NET any -> [186.168.67.211] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248604; rev:1;) alert tcp $HOME_NET any -> [89.163.221.170] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248605; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248606; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248607; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248608; rev:1;) alert tcp $HOME_NET 
any -> [104.243.34.3] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248609; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 4016 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248610; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248611; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248612; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248613; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248614/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248614; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248615; rev:1;) alert tcp $HOME_NET any -> [47.76.218.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248683; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248616; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248617; rev:1;) alert tcp $HOME_NET any -> [107.148.49.57] 39632 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248618; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248619; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248620; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248621; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248622; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248623; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248624; rev:1;) 
# NOTE(review): how to read the three rule shapes in this run.
# - "ip:port" rules (alert tcp $HOME_NET any -> [addr] port) carry no content match; they
#   fire on any TCP packet from a $HOME_NET host to the listed destination and port, and
#   "threshold: type limit, track by_src, seconds 60, count 1" caps this at one alert per
#   internal source per minute. A hit is a triage lead, not proof of compromise.
# - "domain" rules match the DNS query name exactly: depth:N plus isdataat:!1,relative
#   anchors the name at both ends, which is why a parent (vviill.com) and each subdomain
#   (mos1.vviill.com, ...) need their own rule. nocase covers mixed-case lookups.
# - "url" rules match GET requests whose URI starts with "/xmlrpc.php" (depth:11, nocase)
#   and whose Host value is exactly the listed name (depth:N, isdataat:!1,relative), so
#   other paths or subdomains on the same site are not covered.
# target:src_ip marks the internal host as the affected side in every rule; classtype is
# trojan-activity for C2/payload entries and bad-unknown for the card-skimming domains,
# and metadata first_seen gives the observation date to use when aging out entries.
alert tcp $HOME_NET any -> [147.124.212.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248625; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248626; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248627; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248628; rev:1;) alert tcp $HOME_NET any -> [46.246.4.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248630; rev:1;) alert tcp $HOME_NET any -> [88.232.116.241] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248631/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248631; rev:1;) alert tcp $HOME_NET any -> [88.232.116.241] 3007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248632; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248633; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248634; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248635; rev:1;) alert tcp $HOME_NET any -> [115.79.233.243] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248636; rev:1;) alert tcp $HOME_NET any -> [115.79.233.243] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248637; rev:1;) alert tcp $HOME_NET any -> [172.86.66.57] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248638; rev:1;) alert tcp $HOME_NET any -> [121.36.213.92] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248639; rev:1;) alert tcp $HOME_NET any -> [139.159.253.121] 1544 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248640; rev:1;) alert tcp $HOME_NET any -> [139.159.253.121] 1300 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248641; rev:1;) alert tcp $HOME_NET any -> [123.60.222.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; 
classtype:trojan-activity; sid:91248642; rev:1;) alert tcp $HOME_NET any -> [192.3.12.139] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vviill.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosc.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos4.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos2.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"mos1.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos5.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248649; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7015 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248650; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7016 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248651; rev:1;) alert tcp $HOME_NET any -> [106.38.201.39] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248652; rev:1;) alert tcp $HOME_NET any -> [106.38.201.39] 8555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248653/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cristech.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jelint.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"olynoo.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"seletec.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"stelitech.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"teolydigi.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tolinfore.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tucton.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"veltefre.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yelubin.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yostek.fun"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.hopefor.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.jelint.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.treimob.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.tucton.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248668; rev:1;) alert tcp $HOME_NET any -> [47.103.46.108] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; 
classtype:trojan-activity; sid:91248669; rev:1;) alert tcp $HOME_NET any -> [144.168.61.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248670; rev:1;) alert tcp $HOME_NET any -> [175.178.47.86] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248671; rev:1;) alert tcp $HOME_NET any -> [43.159.58.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"connachttribune.ie"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themodestwallet.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; 
classtype:trojan-activity; sid:91248674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xlights.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.0939it.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"promixacademy.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aarch.dk"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"michiganumc.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"susanin.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.ama-studio.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themeatandwineco.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0869574.xsph.ru"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"find-ball.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248596; rev:1;) alert tcp $HOME_NET any -> [45.149.172.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"find-ball.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sendmsg"; depth:12; nocase; http.host; content:"service-lidgmacv-1317471912.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-lidgmacv-1317471912.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.130.46.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248581/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248581; rev:1;) alert tcp $HOME_NET any -> [195.62.32.227] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-75oa09db-1317471892.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sendmsg"; depth:12; nocase; http.host; content:"service-75oa09db-1317471892.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apwpnhwkyh.php"; depth:15; nocase; http.host; content:"mars.mhsorteio.app.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248540; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1248508/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zahiraccounting.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"parentingisnteasy.co"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shemshad.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gochat247.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; 
sid:91248511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"travel2next.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m/xmlrpc.php"; depth:13; nocase; http.host; content:"www.atemberaubende-akzente.de"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248512; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248506; rev:1;) alert tcp $HOME_NET any -> [160.177.59.183] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248505; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248507; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eshraghbook.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.elbepokal.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pointerclicker.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swingandbeyond.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248518; rev:1;) alert tcp $HOME_NET any -> [35.198.215.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"35.198.215.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248523; rev:1;) alert tcp $HOME_NET any -> [34.65.140.140] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248538; rev:1;) alert tcp $HOME_NET any -> [35.221.12.2] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248537; rev:1;) alert tcp $HOME_NET any -> [34.73.147.86] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248536; rev:1;) alert tcp $HOME_NET any -> [35.228.143.142] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248535/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248535; rev:1;) alert tcp $HOME_NET any -> [103.25.61.30] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248534; rev:1;) alert tcp $HOME_NET any -> [103.25.61.30] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248533; rev:1;) alert tcp $HOME_NET any -> [45.128.96.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248532; rev:1;) alert tcp $HOME_NET any -> [185.203.117.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248531; rev:1;) alert tcp $HOME_NET any -> [45.128.96.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248530; rev:1;) alert tcp $HOME_NET any -> [92.116.36.5] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248529; rev:1;) alert tcp $HOME_NET any -> [45.134.9.138] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248528; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 4242 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248527; rev:1;) alert tcp $HOME_NET any -> [84.246.85.147] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248526; rev:1;) alert tcp $HOME_NET any -> [88.119.174.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.106.156.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248524/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_24; classtype:trojan-activity; sid:91248524; rev:1;) alert tcp $HOME_NET any -> [91.92.248.117] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.90.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248520; rev:1;) alert tcp $HOME_NET any -> [175.42.16.2] 4784 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.guerrilladefense.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248504; rev:1;) alert tcp $HOME_NET any -> [5.42.65.67] 48396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248503; rev:1;) alert tcp $HOME_NET any -> 
[105.158.47.40] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248502; rev:1;) alert tcp $HOME_NET any -> [23.95.6.204] 1604 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"paulrdp02.duckdns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248499; rev:1;) alert tcp $HOME_NET any -> [51.75.74.92] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248498; rev:1;) alert tcp $HOME_NET any -> [104.131.185.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248497; rev:1;) alert tcp $HOME_NET any -> [4.175.178.149] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248496; rev:1;) alert tcp $HOME_NET any -> [45.148.244.175] 9191 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248495; rev:1;) alert tcp $HOME_NET any -> [119.29.249.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248494; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248493; rev:1;) alert tcp $HOME_NET any -> [189.177.47.82] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248492; rev:1;) alert tcp $HOME_NET any -> [190.134.48.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248491; rev:1;) alert tcp $HOME_NET any -> 
[187.170.224.77] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248490; rev:1;) alert tcp $HOME_NET any -> [52.39.217.122] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248489; rev:1;) alert tcp $HOME_NET any -> [172.178.112.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248488; rev:1;) alert tcp $HOME_NET any -> [159.65.212.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248487; rev:1;) alert tcp $HOME_NET any -> [193.239.86.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248486; rev:1;) alert tcp $HOME_NET any -> [92.116.39.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248485/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_23; classtype:trojan-activity; sid:91248485; rev:1;) alert tcp $HOME_NET any -> [104.234.254.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpcpu.php"; depth:12; nocase; http.host; content:"a0583448.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248483; rev:1;) alert tcp $HOME_NET any -> [45.11.183.78] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248480; rev:1;) alert tcp $HOME_NET any -> [80.77.23.52] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248481; rev:1;) alert tcp $HOME_NET any -> [185.158.251.76] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248482/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariyeltherapy.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1220454717306572985/1220735355087486986/mariyelstherapy.rar"; depth:72; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linnisgood.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.cliniquecomputer.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newiasc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248469; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tesgdtgugdugd.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"designerskinclinic.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applegrowersnc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.securecloudmanage.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geotechprotect.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"legionenterprises.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecoplantssales.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldensoftware.co.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giaker.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.oneblackwood.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.shopmoneyweb.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albarakahhalalfood.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orderhalalfoodsonline.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talesfromthedoghouse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citadelsecurityservices.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.markerbio.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248457/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_23; classtype:trojan-activity; sid:91248457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.myserv012.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248458; rev:1;) alert tcp $HOME_NET any -> [103.254.75.120] 13307 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248456; rev:1;) alert tcp $HOME_NET any -> [91.92.251.30] 2025 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"big-walls.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.wiurezende.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"storage.wiurezende.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.wiurezende.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyer-when.dpvnzorwtl.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpsqlwordpressdlepublic.php"; depth:30; nocase; http.host; content:"926388cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.36.33.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248448; rev:1;) alert tcp $HOME_NET any -> 
[35.226.178.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.14.46.128"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248444; rev:1;) alert tcp $HOME_NET any -> [3.125.52.194] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248443/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_23; classtype:trojan-activity; sid:91248443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"office365.press"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.press"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248442; rev:1;) alert tcp $HOME_NET any -> [207.148.99.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"207.148.99.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"81.71.140.170"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248438; rev:1;) alert tcp $HOME_NET any -> [43.198.84.164] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"203.86.255.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248435; rev:1;) alert tcp $HOME_NET any -> [203.86.255.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"23.94.87.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248433; rev:1;) alert tcp $HOME_NET any -> [23.94.87.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1248434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"121.40.119.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.190.147.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.139.101.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"search.zfly.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248428; rev:1;) alert tcp $HOME_NET any -> [8.137.117.105] 9999 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.6.0.min.js"; depth:20; nocase; http.host; content:"search.zfly.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248427; rev:1;) alert tcp $HOME_NET any -> [109.104.152.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home.js"; depth:12; nocase; http.host; content:"shehasgone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shehasgone.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"119.45.45.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248422; rev:1;) alert tcp $HOME_NET any -> [119.45.45.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemrecordscreen/autodata/phprulemobilerule/preflocal/_secureprocesstraffic.php"; depth:82; nocase; http.host; content:"212.109.193.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panelweb.equi-hosting.fr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoevenareyou.equi-hosting.fr"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248418/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plesk.equi-hosting.fr"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equi-hosting.fr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptprocessorlongpolldbtempcentraltemporary.php"; depth:54; nocase; http.host; content:"585196cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gamerforyou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.gamerforyou.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248412/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.67.138.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.21.56.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248407; rev:1;) alert tcp $HOME_NET any -> [148.135.103.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"148.135.103.71"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248405; rev:1;) alert tcp $HOME_NET any -> [37.120.235.114] 2269 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248404; rev:1;) alert tcp $HOME_NET any -> [94.156.10.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248348; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248349; rev:1;) alert tcp $HOME_NET any -> [91.92.250.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharkagency.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.92.250.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"webipal.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"helpsarkari.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cittadifondazione.it"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; 
nocase; http.host; content:"irannihon.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shywolfsanctuary.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cathedrale-nantes.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"goldco.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dgtread.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248360/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kresy.pl"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.emeliew.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248362; rev:1;) alert tcp $HOME_NET any -> [192.121.102.205] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smartai.com.au"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"www.djurskyddetvastervik.se"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thechutneylife.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apiframeworknode.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"healthcares.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apistoragecache.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"faneuilhallmarketplace.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mycashtree.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gradecam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sheffi-tours.co.il"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"lascebrassalen.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.drzewkonaprezent.pl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248381; rev:1;) alert tcp $HOME_NET any -> [91.92.242.57] 8989 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248388; rev:1;) alert tcp $HOME_NET any -> [128.254.207.82] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248403; rev:1;) alert tcp $HOME_NET any -> [128.254.207.82] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248402; rev:1;) alert tcp $HOME_NET any -> [62.109.21.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248401; rev:1;) alert tcp $HOME_NET any -> [77.105.167.115] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248400; rev:1;) alert tcp $HOME_NET any -> [89.23.101.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248399; rev:1;) alert tcp $HOME_NET any -> [109.120.184.203] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248398; rev:1;) alert tcp $HOME_NET any -> [137.184.41.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248397; rev:1;) alert tcp $HOME_NET any -> [34.81.83.87] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248396; rev:1;) alert tcp $HOME_NET any -> [120.48.99.76] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248395; rev:1;) alert tcp $HOME_NET any -> [46.246.14.3] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248394; rev:1;) alert tcp $HOME_NET any -> [187.132.244.4] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248393; rev:1;) alert tcp $HOME_NET any -> [70.31.125.53] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248392; rev:1;) alert tcp $HOME_NET any -> [92.116.39.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248391; rev:1;) alert tcp $HOME_NET any -> [194.87.71.43] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; 
classtype:trojan-activity; sid:91248390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9jjjbnadshz/index.php"; depth:23; nocase; http.host; content:"194.87.71.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248389; rev:1;) alert tcp $HOME_NET any -> [185.164.163.66] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248387; rev:1;) alert tcp $HOME_NET any -> [216.83.40.187] 7777 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updateeternallongpoll/javascript6updateuniversal/linedatalife/uploadsapiauth/processphpwindows1/videodlebase/protectpublic/0/public8defaultexternal/pipedownloads/2voiddbdle/toapigenerator.php"; depth:192; nocase; http.host; content:"195.20.16.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248385; rev:1;) alert tcp $HOME_NET any -> [45.142.214.240] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c68ae6a6.php"; depth:13; nocase; http.host; content:"cf31000.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmjavascriptcpuprocessorbigloadserverwindowstestlocaldownloads.php"; depth:67; nocase; http.host; content:"181571cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248382; rev:1;) alert tcp $HOME_NET any -> [91.92.253.74] 14982 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"niceburlat.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"ganstaeraop.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"grunzalom.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"titnovacrion.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248363; rev:1;) alert tcp $HOME_NET any -> [45.86.86.29] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248338/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248338; rev:1;) alert tcp $HOME_NET any -> [5.255.115.172] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248339/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248339; rev:1;) alert tcp $HOME_NET any -> [104.129.20.71] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248340/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248340; rev:1;) alert tcp $HOME_NET any -> [104.237.252.28] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248345; rev:1;) alert tcp $HOME_NET any -> [83.166.150.213] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248347; rev:1;) alert tcp $HOME_NET any -> [144.91.93.153] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248346; rev:1;) alert tcp $HOME_NET any -> [5.75.221.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248343; rev:1;) alert tcp $HOME_NET any -> [65.109.241.165] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248341; rev:1;) alert tcp $HOME_NET any -> [23.92.208.54] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248337; rev:1;) alert tcp $HOME_NET any -> 
[23.92.208.54] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248336; rev:1;)
# --- FAKEUPDATES ip:port C2, confidence_level 50 (sids 91248318-91248336) ---
# Plain "alert tcp" rules with no flow: keyword, so any TCP segment from
# $HOME_NET to the listed ip:port can match, including the initial SYN;
# "threshold: type limit, track by_src, seconds 60, count 1" caps that at one
# alert per source host per minute. Most IPs are listed twice (ports 443 and
# 80). At confidence_level 50 a hit warrants triage rather than being treated
# as a confirmed infection; the reference URL links to the submitter's context.
alert tcp $HOME_NET any -> [37.128.207.92] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248335; rev:1;)
alert tcp $HOME_NET any -> [37.128.207.92] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248334; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.240] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248333; rev:1;)
alert tcp $HOME_NET any -> [89.208.107.232] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248332; rev:1;)
alert tcp $HOME_NET any -> [104.161.32.84] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248331; rev:1;)
alert tcp $HOME_NET any -> [104.161.32.84] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248330; rev:1;)
alert tcp $HOME_NET any -> [217.195.153.158] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248329; rev:1;)
alert tcp $HOME_NET any -> [217.195.153.158] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248328; rev:1;)
alert tcp $HOME_NET any -> [147.45.68.67] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248326; rev:1;)
alert tcp $HOME_NET any -> [147.45.68.67] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248327; rev:1;)
alert tcp $HOME_NET any -> [146.19.254.43] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248325; rev:1;)
alert tcp $HOME_NET any -> [146.19.254.43] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248324; rev:1;)
alert tcp $HOME_NET any -> [213.252.232.161] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248322/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248322; rev:1;)
alert tcp $HOME_NET any -> [213.252.232.161] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248323/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248323; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.80] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248321/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248321; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.80] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248320/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248320; rev:1;)
alert tcp $HOME_NET any -> [54.145.152.164] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248319; rev:1;)
alert tcp $HOME_NET any -> [54.145.152.164] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248318/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248318; rev:1;)
alert tcp $HOME_NET any -> [185.217.197.52] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248317/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248317; rev:1;)
alert tcp $HOME_NET any -> [166.1.173.27] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248316/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248316; rev:1;)
# --- other ip:port C2 at confidence_level 50: Unknown malware, Meduza Stealer,
# QakBot, Havoc, BianLian, Sliver (sids 91248300-91248315). Same rule shape
# and the same per-source threshold as above.
alert tcp $HOME_NET any -> [43.128.5.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248315/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248315; rev:1;)
alert tcp $HOME_NET any -> [108.61.202.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248314/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248314; rev:1;)
alert tcp $HOME_NET any -> [5.42.106.164] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248313; rev:1;)
alert tcp $HOME_NET any -> [107.172.209.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248312; rev:1;)
alert tcp $HOME_NET any -> [72.27.170.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248311; rev:1;)
alert tcp $HOME_NET any -> [39.40.180.234] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248310; rev:1;)
alert tcp $HOME_NET any -> [191.112.21.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248309; rev:1;)
alert tcp $HOME_NET any -> [64.23.181.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248308; rev:1;)
alert tcp $HOME_NET any -> [114.130.36.121] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248307; rev:1;)
alert tcp $HOME_NET any -> [4.153.122.111] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248306; rev:1;)
alert tcp $HOME_NET any -> [64.23.185.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248305; rev:1;)
alert tcp $HOME_NET any -> [185.225.70.160] 10810 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248304; rev:1;)
alert tcp $HOME_NET any -> [192.169.7.83] 64499 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248303; rev:1;)
alert tcp $HOME_NET any -> [97.154.97.29] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248302; rev:1;)
alert tcp $HOME_NET any -> [198.252.107.164] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248301; rev:1;)
alert tcp $HOME_NET any -> [198.252.107.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248300; rev:1;)
# --- payload delivery URLs: GET /xmlrpc.php on nine distinct hosts (sids 91248291-91248299) ---
# The http.uri match is anchored at offset 0 by depth:11 but has no
# terminating isdataat, so it is a prefix match; the http.host match is exact
# (depth equal to the host length plus isdataat:!1,relative). Only the GET
# method is matched. The shared path suggests these hosts play the same role
# for the submitter; the rules themselves do not say whether the sites are
# attacker-owned or compromised, so treat the host as the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"outsidespace.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smwroclaw.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"jt.my"; depth:5; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rahatupu.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"typhoontv.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nitrobilisim.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.balanceanddizzinessphysicaltherapy.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"divipeople.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"articuly.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248299; rev:1;)
# --- dns_query rules (confidence_level 100) ---
# content + depth:<name length> + isdataat:!1,relative + nocase matches the
# full query name exactly, case-insensitively. A different label such as a
# "www." prefix is a different name and needs its own rule; see the
# www.srryontop.xyz / srryontop.xyz pair further down.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consulheartinc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248290; rev:1;)
# --- ip:port C2 at confidence_level 100: AsyncRAT, DarkComet, then an ERMAC
# cluster on port 80 (sids 91248279-91248287) ---
alert tcp $HOME_NET any -> [91.92.242.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248289; rev:1;)
alert tcp $HOME_NET any -> [91.210.106.47] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248288; rev:1;)
alert tcp $HOME_NET any -> [52.160.82.19] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248279; rev:1;)
alert tcp $HOME_NET any -> [31.129.99.52] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248280; rev:1;)
alert tcp $HOME_NET any -> [172.208.59.226] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248281; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.74] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248282; rev:1;)
alert tcp $HOME_NET any -> [166.88.61.219] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248283; rev:1;)
alert tcp $HOME_NET any -> [207.180.202.241] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248284; rev:1;)
alert tcp $HOME_NET any -> [87.120.84.22] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248285; rev:1;)
alert tcp $HOME_NET any -> [172.214.139.124] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248287; rev:1;)
# sid 91248286: depth:265 equals the length of the URI content, so the match
# is anchored at the start of the URI; the http.host is an IP literal and is
# matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game6/6videoprocess5/track/5generator/test/asynclongpolldownloadspublic/jswindows/generatorcentralcdn/wordpressvmserverto/cpuprotectbigloadwp/1external7/js00/83cpulongpoll/async0vm/pollcdn/5eternalhttphttp/towp/trafficupdate/secure6/imagejavascriptdefaultasync.php"; depth:265; nocase; http.host; content:"80.78.243.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248286; rev:1;)
alert tcp $HOME_NET any -> [104.168.33.31] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248278; rev:1;)
# sid 91248277 is "alert tcp" on 143.198.30.16:53, so only TCP/53 is covered.
# The dns_query names that follow (view.msedge.live, update.winget-east.us,
# aka.akadns.us, and shop.amazon-aws.fr further down) resemble vendor
# infrastructure names; because the match is exact, only the look-alike is
# matched, not the genuine vendor domain.
alert tcp $HOME_NET any -> [143.198.30.16] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.zodo.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"view.msedge.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.winget-east.us"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aka.akadns.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw.anti-ddos.io.vn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248262; rev:1;)
alert tcp $HOME_NET any -> [87.98.228.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shop.amazon-aws.fr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248264; rev:1;)
alert tcp $HOME_NET any -> [94.23.121.241] 63420 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248265; rev:1;)
# MooBot and Bashlite ip:port entries in this batch carry confidence_level 75;
# 89.44.9.238 is listed twice with different family labels (3790 Unknown
# malware, 11112 Cobalt Strike), so a hit on either port should be read
# together with the other.
alert tcp $HOME_NET any -> [40.83.122.109] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248269; rev:1;)
alert tcp $HOME_NET any -> [89.44.9.238] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248266; rev:1;)
alert tcp $HOME_NET any -> [89.44.9.238] 11112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248267; rev:1;)
alert tcp $HOME_NET any -> [113.22.74.126] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248270; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.188] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newssssssssssssss.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akamaicute.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pboc.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248216; rev:1;)
alert tcp $HOME_NET any -> [115.134.90.74] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248217; rev:1;)
# Mirai C2 on a cluster of 62.72.185.0/24 hosts (.175, .201, .39, .65, .35,
# .20, .42), each on its own high port. 185.150.26.253:123 below is matched
# on TCP only ("alert tcp"), so UDP/123 NTP traffic does not trigger it.
alert tcp $HOME_NET any -> [62.72.185.175] 1475 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248218; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.201] 1451 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248222; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.39] 1463 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248219; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.65] 1760 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248220; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.35] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248221; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.20] 1581 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248223; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.42] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248224; rev:1;)
# The next two rules show why exact dns_query matching needs one rule per
# label variant: www.srryontop.xyz and srryontop.xyz are separate entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srryontop.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryontop.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdfsdfhhps.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailnet.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgsf.cat"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248215; rev:1;)
alert tcp $HOME_NET any -> [185.150.26.253] 123 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248210; rev:1;)
alert tcp $HOME_NET any -> [187.35.7.19] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248211; rev:1;)
alert tcp $HOME_NET any -> [194.68.32.11] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248209; rev:1;)
alert tcp $HOME_NET any -> [172.94.54.167] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248268; rev:1;)
# --- botnet C2 URLs (confidence_level 100) ---
# The short URI patterns here (/load, /pixel, /j.ad, /ca, /dpixel) are prefix
# matches: depth anchors them at offset 0 but nothing terminates them, so
# "/ca" also matches "/cart". The exact http.host match (IP literal or
# hostname) is what makes each rule specific. 119.45.187.65, 121.40.40.101
# and 8.134.89.221 also have Cobalt Strike ip:port rules in this group, so one
# check-in can raise both a tcp and an http alert; correlate on destination
# IP rather than counting alerts. admin.usaid2.org is covered by both a URL
# rule and a dns_query rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"165.22.225.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248256; rev:1;)
alert tcp $HOME_NET any -> [154.81.35.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"admin.usaid2.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.usaid2.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.45.187.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248251; rev:1;)
alert tcp $HOME_NET any -> [119.45.187.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248252; rev:1;)
alert tcp $HOME_NET any -> [119.45.187.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"119.45.187.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.40.40.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248247; rev:1;)
alert tcp $HOME_NET any -> [121.40.40.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248248; rev:1;)
alert tcp $HOME_NET any -> [8.134.89.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users/123/1"; depth:12; nocase; http.host; content:"8.134.89.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248245; rev:1;)
alert tcp $HOME_NET any -> [121.40.40.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248244; rev:1;)
# The same URI (/en_us/all.js) is listed for two different hosts; each needs
# its own rule because the host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.40.40.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.103.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248241; rev:1;) alert tcp $HOME_NET any -> [117.50.192.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"117.50.192.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248239; rev:1;) alert tcp $HOME_NET any -> [43.198.84.164] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248238; rev:1;) alert tcp $HOME_NET any -> [103.146.179.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index"; depth:6; nocase; http.host; content:"49.233.94.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ur"; depth:3; nocase; http.host; content:"49.233.94.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248235; rev:1;) alert tcp $HOME_NET any -> [156.232.7.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.232.7.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.14.245.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.148.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248231; rev:1;)
# NOTE(review): the next three URL rules (sids 91248230, 91248229, 91248228) match
# http.uri content:"/" with depth:1 and no isdataat end-anchor on that buffer, so
# every request URI satisfies the URI part; the only discriminating match is the
# exact http.host value. They are effectively host-only rules, not "url" rules.
# sids 91248230 and 91248229 are identical in their match logic (same GET, "/",
# Host 49.13.87.142) and differ only in sid and ThreatFox reference, so a single
# request to that host raises both alerts - presumably two IOC entries whose URLs
# collapsed to the same path. Drop one of them, or tune on sid, when deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.87.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.87.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.3.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248228; rev:1;)
# The ip:port rule that starts below (and its siblings in this feed) carries no
# flow keyword: any packet toward the listed socket, including a lone SYN that is
# blocked or never completes, fires it, rate-limited by threshold to one alert per
# source per 60 s. Treat a hit as a connection attempt to a known Vidar C2 socket,
# not as proof of an established session; the rule continues on the next line.
alert tcp $HOME_NET any -> [116.202.3.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1248225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248225; rev:1;) alert tcp $HOME_NET any -> [49.13.87.142] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248226; rev:1;) alert tcp $HOME_NET any -> [49.13.87.142] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248227; rev:1;) alert tcp $HOME_NET any -> [143.110.191.139] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248207; rev:1;) alert tcp $HOME_NET any -> [111.90.143.125] 8921 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248208; rev:1;) alert tcp $HOME_NET any -> [181.162.133.144] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248202; rev:1;) alert tcp $HOME_NET any -> [8.218.71.187] 8443 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248205; rev:1;) alert tcp $HOME_NET any -> [5.181.80.127] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248203; rev:1;) alert tcp $HOME_NET any -> [91.150.120.14] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248204; rev:1;) alert tcp $HOME_NET any -> [190.205.241.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248206; rev:1;) alert tcp $HOME_NET any -> [187.59.70.10] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248199; rev:1;) alert tcp $HOME_NET any -> [47.243.49.209] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248200/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248200; rev:1;) alert tcp $HOME_NET any -> [172.111.148.93] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248201; rev:1;) alert tcp $HOME_NET any -> [139.28.36.39] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248198; rev:1;) alert tcp $HOME_NET any -> [95.216.117.153] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248183; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248184; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"delabfactory.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248197; rev:1;)
# NOTE(review): the DNS rule ending above (sid 91248197) anchors the query name at
# both ends - depth:16 from the start of dns_query and isdataat:!1,relative after
# the match - so it only fires on a lookup for exactly "delabfactory.com". A query
# for any label under that name does not match. That is deliberate for precision;
# do not expect it to cover implants configured with a www./cdn.-style host.
# The URL rule below pins a 60-byte literal at the start of http.uri (depth:60)
# with no end anchor, so a query string appended to that path still matches. The
# path has the shape of an Amazon search URL; it looks like an impersonation
# chosen by the C2 profile rather than a real product URL - confirm the family
# against the ThreatFox reference before relying on a name for it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"delabfactory.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248196; rev:1;)
# The two /jquery-3.3.1.min.js URL rules (sids 91248195 and 91248193) get all of
# their specificity from the exact http.host match: a GET for that exact path is
# routine on legitimate sites, so never loosen the Host anchor. The ip:port rule
# in between attributes 2.58.15.44 to Cobalt Strike; 43.139.219.102 has no ip:port
# rule in this section, so its family is only whatever the ThreatFox entry says.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.219.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248195; rev:1;)
alert tcp $HOME_NET any -> [2.58.15.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"2.58.15.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248193; rev:1;)
alert tcp $HOME_NET any -> [43.143.110.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248192; rev:1;)
# Every /dpixel URL rule in this section (here 43.143.110.110; also 119.45.187.65
# and 117.50.192.107 elsewhere in the feed) is paired with an ip:port rule that
# attributes the same host to Cobalt Strike. The URI alone is short and generic;
# the exact http.host match is what keeps the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mht_image/"; depth:11; nocase; http.host; content:"8.141.95.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248190; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248189; rev:1;)
# NOTE(review): the Host value in the rule below (sid 91248188, continued on the
# next line) is an RFC 1918 address, 10.127.254.209. With the stock suricata.yaml,
# where EXTERNAL_NET is !$HOME_NET and HOME_NET covers 10.0.0.0/8, the header
# "$HOME_NET any -> $EXTERNAL_NET any" cannot match a direct connection to that
# address; it could only fire where the request leaves through a proxy and still
# carries the internal Host header. The indicator most likely came from a sample
# whose C2 address pointed into the submitter's lab network - check the ThreatFox
# reference, and consider excluding this sid from production deployments, where
# it is either dead weight or a source of confusing internal-only hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"10.127.254.209"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248188; rev:1;)
alert tcp $HOME_NET any -> [82.65.203.196] 7474 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248187; rev:1;)
# NOTE(review): nocomp.freeboxos.fr has the shape of a dynamic-DNS name on a
# residential ISP domain (presumably - verify). Such names change hands quickly,
# so the first_seen value in metadata should drive an aggressive expiry for it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"nocomp.freeboxos.fr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248186; rev:1;)
# The "payload delivery" rules that follow all key on GET /xmlrpc.php, the stock
# WordPress XML-RPC endpoint, on a named third-party site (.edu.vn, .com, ... -
# presumably ordinary sites that were compromised and used as download stages;
# the feed does not say). Each rule is bound to one exact http.host, so it will
# not fire for other WordPress sites, but it will fire for benign clients of that
# site (e.g. a WordPress app or plugin talking to its XML-RPC endpoint), and once
# the site owner cleans up, every hit is noise. Age these out on first_seen.
# depth:11 with no end anchor on http.uri also matches "/xmlrpc.php?...".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"som.edu.vn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"testiran.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"brainsoulsuccess.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lasik2020.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.artisebio.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"charltonbrown.edu.au"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"weissenbach-pr.de"; 
depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"fuzionproscooter.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shtourval.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"allfridaystudio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248181; rev:1;) alert tcp $HOME_NET any -> [37.197.57.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248182; rev:1;) alert tcp $HOME_NET any -> [193.36.119.77] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248171; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248160; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248161; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248163; rev:1;) alert tcp $HOME_NET any -> [81.17.22.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248164; rev:1;) alert tcp $HOME_NET any -> [185.229.237.51] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248169/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248169; rev:1;) alert tcp $HOME_NET any -> [185.196.9.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248170; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248168; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248167; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248166; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248165; rev:1;) alert tcp $HOME_NET any -> [45.128.96.133] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.nimade.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ck.aj05.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"breckenridge-vacation-homes.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cultus.dk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"darolvakil.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ansoffs.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"moaetscandg.org.ng"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/xmlrpc.php"; depth:21; nocase; http.host; content:"www.cheapandbestshopforlife.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"charchiinet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mcws.org"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"goodklei.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tamilcinetalk.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dansport.is"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"schematherapyinstitute.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"geekville.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.back-zeit.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smokersplanet.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.belvederebenidorm.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ragmcloud.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"52poke.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dme.gr"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"saint-augustin.ch"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"specialeventservices.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.calzaturificioliberty.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"games-up.fr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"snyk.io"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"auxiliaryenergy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/xmlrpc.php"; depth:21; nocase; http.host; content:"www.abako.se"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"playgroundbaron.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amida.se"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mundoalbiceleste.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prokirpich76.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rushradar.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"barn2.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"yekdoa.ir"; depth:9; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1248123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"geekhacker.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"luxurylaunches.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hkcapsule.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"natbooks.com.au"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248120; rev:1;) 
# --- ThreatFox IOCs first seen 2024_03_22 (sids 91248098-91248121) ---
# Rule shapes in this span:
#  * "payload delivery (url)" rules: HTTP GET where http.uri starts with the given
#    path (depth equals the pattern length, so only the URI prefix is checked and a
#    trailing query string still matches) and http.host equals the given name exactly
#    (isdataat:!1,relative rejects anything after it). The hosts are ordinary web
#    sites, so a hit means "someone on $HOME_NET fetched that path from that host";
#    treat it as a pivot for investigation, not as proof of infection on its own.
#  * "botnet C2 traffic (ip:port)" rules: plain tcp rules with no flow or content
#    condition, so any TCP packet from $HOME_NET to the listed IP:port matches.
#    "threshold: type limit, track by_src, seconds 60, count 1" caps output at one
#    alert per internal source per rule per 60 s, and "target:src_ip" marks the
#    internal host as the victim side in alert output.
#  * confidence_level is carried both in msg and in metadata; the 50% entries below
#    were submitted with low confidence and several sit on common ports (80, 443,
#    8888), so verify before turning them into blocks.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.boxhaus.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248121; rev:1;)
alert tcp $HOME_NET any -> [45.76.125.214] 50131 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.brandweeravenhorn.nl"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248118; rev:1;)
alert tcp $HOME_NET any -> [172.94.105.163] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248116; rev:1;)
# Remcos entries (75%): two different IP:port pairs, both non-standard high ports.
alert tcp $HOME_NET any -> [192.210.201.57] 62289 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248115/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248115; rev:1;)
alert tcp $HOME_NET any -> [176.31.196.206] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248114/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248114; rev:1;)
# Bashlite entries (75%): note two of the three share destination port 666.
alert tcp $HOME_NET any -> [41.216.182.215] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248113; rev:1;)
alert tcp $HOME_NET any -> [86.104.194.182] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248112/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248112; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.20] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248111/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248111; rev:1;)
# Low-confidence (50%) "Unknown malware" entries on port 80: any TCP packet to the
# IP on port 80 fires, so expect noise if the host also serves legitimate content.
alert tcp $HOME_NET any -> [212.57.118.90] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248110; rev:1;)
alert tcp $HOME_NET any -> [77.238.251.130] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248109; rev:1;)
alert tcp $HOME_NET any -> [45.32.62.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248108; rev:1;)
alert tcp $HOME_NET any -> [147.45.71.249] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248107; rev:1;)
alert tcp $HOME_NET any -> [103.161.224.131] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248106; rev:1;)
# Low-confidence (50%) "Unknown malware" entries on port 8888.
alert tcp $HOME_NET any -> [38.6.190.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248105; rev:1;)
alert tcp $HOME_NET any -> [222.112.93.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248104; rev:1;)
alert tcp $HOME_NET any -> [43.129.190.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248103; rev:1;)
# DCRat entries (50%): two addresses in the same /16, ports 5000 and 6000.
alert tcp $HOME_NET any -> [46.246.4.5] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248102; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.21] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248101; rev:1;)
# QakBot entries (50%) on 443 and 995: TLS-carrying ports, so there is no payload
# check here; corroborate with TLS/JA3 or flow logs before acting on a single hit.
alert tcp $HOME_NET any -> [38.166.64.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248100; rev:1;)
alert tcp $HOME_NET any -> [187.213.241.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248099; rev:1;)
alert tcp $HOME_NET any -> [41.129.178.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248098; rev:1;)
alert tcp $HOME_NET any -> [162.33.177.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248097; rev:1;) alert tcp $HOME_NET any -> [92.116.37.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248096; rev:1;) alert tcp $HOME_NET any -> [45.140.188.133] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248095; rev:1;) alert tcp $HOME_NET any -> [89.116.32.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248094; rev:1;) alert tcp $HOME_NET any -> [95.164.45.31] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/secure/imagepythonmulti/uploadsmultisql/packet/1authprovider4/downloadstracklowtest/api/processjavascriptproviderbetter/imageprovider/sqlcentral/processorbasehttptraffic/0_bettertraffic/game/pythonasynccentral2/eternal6async5/pipemultitest.php"; depth:244; nocase; http.host; content:"185.173.36.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248092; rev:1;) alert tcp $HOME_NET any -> [185.216.70.192] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sjdkghsdughpowieugh8932.griefcube.cc"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonsecuredefaultcentral.php"; depth:31; nocase; http.host; content:"839860cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248091; rev:1;) alert tcp $HOME_NET any -> [107.173.30.114] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247548/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247548; rev:1;) alert tcp $HOME_NET any -> [23.224.196.53] 16271 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247550; rev:1;) alert tcp $HOME_NET any -> [47.113.227.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247546; rev:1;) alert tcp $HOME_NET any -> [198.46.226.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247547; rev:1;) alert tcp $HOME_NET any -> [8.134.249.167] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247543; rev:1;) alert tcp $HOME_NET any -> [120.55.65.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247544; rev:1;) alert tcp $HOME_NET any -> [172.245.110.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247545; rev:1;) alert tcp $HOME_NET any -> [79.132.135.149] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247542; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247538; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247541; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247539; rev:1;) alert tcp $HOME_NET any -> [94.172.154.134] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247540; rev:1;) alert tcp $HOME_NET any -> [20.212.232.53] 30500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247536; rev:1;) alert tcp $HOME_NET any -> [36.69.72.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247537; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247533; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247534; rev:1;) alert tcp $HOME_NET any -> [89.148.44.245] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247535; rev:1;) alert tcp $HOME_NET any -> [192.227.249.230] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247549; rev:1;) alert tcp $HOME_NET any -> [117.50.199.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247551; rev:1;) alert tcp $HOME_NET any -> [104.234.254.98] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247552; rev:1;) alert tcp $HOME_NET any -> [154.40.45.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247553; rev:1;) alert tcp $HOME_NET any -> [23.95.90.77] 11451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247554; rev:1;) alert tcp $HOME_NET any -> [111.231.71.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247555; rev:1;) alert tcp 
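$HOME_NET any -> [93.123.85.100] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247556; rev:1;)
alert tcp $HOME_NET any -> [87.251.79.15] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247531; rev:1;)
# NOTE(review): sid:91248090 and sid:91248089 carry byte-identical detection
# logic (GET /c18/fre.php with Host sempersim.su); they differ only in the
# ThreatFox reference id and the confidence level (75 vs 100). Both would fire
# on every matching request, doubling the alert volume for one event. The 75%
# duplicate is disabled below and the 100% entry kept; re-enable it only if the
# second ThreatFox reference must be preserved in the alert stream.
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248089; rev:1;)
alert tcp $HOME_NET any -> [173.254.204.77] 8123 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248088; rev:1;)
alert tcp $HOME_NET any -> [45.76.232.247] 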
6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cm3thejmzhlxpvowsv2dk4ybpovmoaqal7o7gqirhgvj24l4ww7w7zid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkc56e3jgy5zlfq7ialxyppztuh4dgranlyauupid4uc2ze5hg2cshqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwgj3ux4huyfgbrwj5i2uwbxdu2ddd33eqrpq44dwooaoqo4ntmpc6qd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248083; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lvyowbbwycqoqwjmpmnpfyhzdcvxthuuabmcsocjamvzfgwzdat5wwid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vbd3hiruwgcquiwrhpvaxann2ieo3tw3iznqlrp2z6mqyaonh4rswjqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jocker02.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"best.supportredirect.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gotti.ddnsgeek.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elevenpaths.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrat.nsupdate.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hureseyd.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazonservices.onthewifi.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"vslt.info"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal-23.ioomoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dopeonlineforwarding.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverclient.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firewall.publicvm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfocuz.com"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1248070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns16-microsoft-health.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlyforbit.blogdns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvstub.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atdf.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"godcheatfn.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248058/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91248058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitratfanboy2-45086.portmap.io"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nig.jalenscoonwog.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hopyboss.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrtdollars.itsaol.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mianoffice221.kozow.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248063; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs50.publicvm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0b1.duckdns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omeno.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailisbetter.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felixgodis.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dreamz.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"encrypted-channel.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"888myrat.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paintedkitty.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imen.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eewe.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"19008198.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yatzufn.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviceop091.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httptemp.php"; depth:13; nocase; http.host; content:"onedrivepack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248042; rev:1;) alert tcp $HOME_NET any -> [94.237.49.140] 2222 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248039/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248039; rev:1;) alert tcp $HOME_NET any -> [139.28.219.45] 443 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248040; rev:1;) alert tcp $HOME_NET any -> [178.20.40.235] 5555 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248041; rev:1;) alert tcp $HOME_NET any -> [111.90.158.139] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248034; rev:1;) alert tcp $HOME_NET any -> [51.89.205.208] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248035; rev:1;) alert tcp $HOME_NET any -> [194.33.45.3] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248036; rev:1;) alert tcp $HOME_NET any -> [139.28.219.47] 64576 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248037; rev:1;) alert tcp $HOME_NET any -> [185.140.53.55] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248038; rev:1;) alert tcp $HOME_NET any -> [95.252.122.216] 1900 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248027; rev:1;) alert tcp $HOME_NET any -> [27.124.20.145] 8082 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248028; rev:1;) alert tcp $HOME_NET any -> [103.153.182.89] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248029; rev:1;) alert tcp $HOME_NET any -> [204.77.8.221] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248030; rev:1;) alert tcp $HOME_NET any -> 
[185.244.36.230] 1240 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248031; rev:1;) alert tcp $HOME_NET any -> [162.33.178.83] 6969 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248032; rev:1;) alert tcp $HOME_NET any -> [23.105.131.237] 1734 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248033; rev:1;) alert tcp $HOME_NET any -> [173.44.50.140] 4550 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248023; rev:1;) alert tcp $HOME_NET any -> [202.182.106.243] 12341 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248024; rev:1;) alert tcp $HOME_NET any -> [47.75.99.242] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248025/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248025; rev:1;) alert tcp $HOME_NET any -> [79.134.225.73] 19099 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248026; rev:1;) alert tcp $HOME_NET any -> [103.153.182.247] 6161 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248019; rev:1;) alert tcp $HOME_NET any -> [194.5.98.46] 1180 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248020; rev:1;) alert tcp $HOME_NET any -> [109.70.236.80] 53166 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248021; rev:1;) alert tcp $HOME_NET any -> [65.21.3.192] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
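http.method; content:"GET"; http.uri; content:"joscramp.top"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248016; rev:1;)
# NOTE(review): the rule closing above (sid:91248016, whose head is on the
# preceding line and outside this chunk) has the same http.uri host-match
# defect described below and needs the same http.host fix.
#
# NOTE(review): the "url" IOC rules in this run originally matched the hostname
# or IP literal in the http.uri buffer anchored at offset 0, e.g.
#   http.uri; content:"joscramp.top"; depth:12; nocase;
# Suricata's http.uri buffer holds the request path ("/" for a site root) and
# never the Host header value; even a proxy-style absolute request URI begins
# with the scheme, not the host. With depth anchoring the pattern at the start
# of the buffer, these rules could not match an ordinary
# "GET / HTTP/1.1" + "Host: joscramp.top" request and were effectively dead.
# The host part is now matched in http.host, end-anchored with
# isdataat:!1,relative, the same shape this feed uses elsewhere
# (e.g. sid:91248042 for onedrivepack.com). nocase is dropped because the
# http.host buffer is normalized to lowercase (and has the port stripped), so
# Suricata does not accept nocase on it; all patterns below are already
# lowercase. rev is bumped to 2 on every changed rule.
# This presumably reflects ThreatFox URL IOCs with an empty or "/" path --
# confirm against the referenced ioc pages before deploying, since the rules
# now fire on any GET to these hosts rather than on a specific path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"rewe-coupouns.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248017; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"arthurmaes.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248018; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"46.29.234.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248012; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"larsvanderwal.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248013; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.163.7.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248014; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.108.240.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248015; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.143.1.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248008; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.159.248.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248009; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"mariles.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248010; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.75.232.223"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248011; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.172.128.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248005; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"94.156.8.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248006; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"79.137.206.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248007; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.92.254.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248003; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"37.27.52.220"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248004; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"65.109.226.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248000; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"147.45.47.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248001; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.105.132.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.172.128.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247997; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"normanhoffman.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247998; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"37.27.52.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247999; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.161.248.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247993; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"89.105.201.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247994; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.75.240.249"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247995; rev:2;)
# NOTE(review): the rule below (sid:91247996) is cut off at the end of this
# chunk, so it is left as it was; it has the same http.uri host-match defect
# (content:"172.86.77.102" in http.uri) and needs the same http.host fix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.86.77.102"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247996/; target:src_ip; metadata: confidence_level 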
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.28.157.3"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1247991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.246.192"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.71"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.129"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.20"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"michaeljohnson.top"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1247985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"publisherget.top"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1247986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.227.202.68"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jeffmorales.top"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1247982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.65.61"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91247983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.64.6"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1247984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.98.13.202"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.98.9.109"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.42.32.206"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ser.nrovn.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyesterbill.chickenkiller.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassan.webhop.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sosob9ta.line.pm"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mydogis.onthewifi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newhost.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"volam2.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interstellar.onthewifi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.worldxw.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allay.x3322.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bofa.su"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trbe.mentality.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asegurarasyncrat.4cloud.click"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"popo.office-on-the.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mytestdns123.mooo.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1hitler.accesscam.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stormx.dynu.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247960/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler55.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yy.webhop.me"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nso1.nsolau.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milan.giize.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler55.dvrdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sis.is-a-blogger.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdofugugja883.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webjava.mywire.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasser.is-found.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"podejrzanylink.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shailputrimt1.publicvm.com"; 
depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdns.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28febnde.dynv6.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wandering-field-84417.pktriot.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdugvua37vhax.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-frost-53467.pktriot.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoputer.crabdance.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sis.4cloud.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spiffy-balloon.auto.playit.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azurecloud-bridge.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alerts.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247939/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat2024.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osso.camdvr.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scrubloader.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koradon.giize.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webtool.publicvm.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drax2023.run.place"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"999triana999.1cooldns.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"470krlio.shenzhuo.vip"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-shady.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemback.dns.navy"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"aliveafterguard.icu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bg1.heztak.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usaugen.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torenta2.vpndns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-wh-plc-1.openfrp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adad3.casacam.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5ra.webredirect.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kapobiko1.mooo.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat.loseyourip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawy.ooguy.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jksdghfsd.loseyourip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reyfelipeborbon.loseyourip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love1.loseyourip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vx2sw7soh8ds5.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roolingstone.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cartel.theworkpc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekuroak.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggghmn8766vg.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tanta.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icant.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsm.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ech0.theworkpc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buike.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win0090.theworkpc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"non.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boty.theworkpc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utorrent.theworkpc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ancy2024.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quepasa2024.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoes-truth.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunday-survivors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"italy-completed.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247899/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91247899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"com-bg.gl.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mono2024.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"budget-whose.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loan-mode.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fl-survivor.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247894; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copyright-sofa.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richard-foods.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movie-responses.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"six-fleece.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trying-shirts.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"patients-councils.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielballesterosdominper.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"should-nutritional.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoes-truth.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"government-program.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"horse-undertake.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contodapug.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reverseproxy.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myryam.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptojoke.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rtx.con-ip.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"armandocastillodominio.con-ip.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aobertoferndomip.con-ip.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sebastianmindioladomini.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davidricardodom.con-ip.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sandraferreirodominiopersonal.con-ip.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247876/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vendjksld.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"littlenerd.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkys.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jossmaybs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdamahe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91247864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momenttoday550.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dohavevictem2024.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subdominiodesub.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rem-new-2.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magarodriajhsdbajifuqwe12341safqdv.duckdns.org"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247859; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nagerproxysinintercavi8464perringuta.duckdns.org"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebefiin.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"febvenom8.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"window10.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23preguntas.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"bestcoder.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocomelondc.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"selldrugs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mariarizazapata09.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"febrerososte.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tularz.duckdns.org"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pooldiaz14.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chichichi01.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markvenm2.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diciembre12.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smoney.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247847/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrrxr.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finessebitcoin.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmnms.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfreddy2751.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helprxr.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247842; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrnmmondays.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martingonzalessoto09.duckdns.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merthamurc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momentdhs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krallarcarding.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"jojomo.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratdeniyoz7386.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassgoodmane-46736.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swifty123-23089.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loliletnotnoobonf-28917.portmap.host"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wassgoodmane-45751.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-45002.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-52195.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutecat-46661.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-62048.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nezo123-21027.portmap.host"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swifty123-48281.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolzpopbob-31243.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okaa0-60956.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meowpc-33643.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-63469.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcehonline-48303.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chingyen-23182.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e7team-54210.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-55506.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-62451.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247812/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabeellasdfasdf-52048.portmap.host"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torbrowser-39837.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"travisway-41408.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mankemane-47945.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tobacos.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247809; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mznhr.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waytovwmk40.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kreyze.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a0979283148.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fat7ola0077.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"2hitler.ddnsgeek.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talapain.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h2mhost123ontop.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndichinnenanna0110.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqwonderworld.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spongethug.ddns.net"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spidermanbaba.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whiteshadows.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdd4514136100juciywrldl.ddns.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w3llsfarg0h0st.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cringelord6969.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247796/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"46tochristmas15dec.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat34.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g6666lrd10424346129.ddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaxhost.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roscript.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91247793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfclog.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1tapfinn.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t3fakpraf.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powellfrank.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yubarats.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"darkstorm275991.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247785; rev:1;) alert tcp $HOME_NET any -> [123.99.200.175] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247780; rev:1;) alert tcp $HOME_NET any -> [123.99.200.184] 2140 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247781; rev:1;) alert tcp $HOME_NET any -> [45.15.143.164] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247779; rev:1;) alert tcp $HOME_NET any -> [79.134.225.82] 3004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247778; rev:1;) alert tcp $HOME_NET any -> [113.207.105.200] 3201 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247776/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91247776; rev:1;) alert tcp $HOME_NET any -> [154.48.237.186] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247777; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247774; rev:1;) alert tcp $HOME_NET any -> [154.91.65.153] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247775; rev:1;) alert tcp $HOME_NET any -> [212.129.30.248] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247772; rev:1;) alert tcp $HOME_NET any -> [47.94.3.159] 4455 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247773; rev:1;) alert tcp $HOME_NET any -> [47.94.3.159] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247770; rev:1;) alert tcp $HOME_NET any -> [79.134.225.35] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247771; rev:1;) alert tcp $HOME_NET any -> [20.98.80.51] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247768; rev:1;) alert tcp $HOME_NET any -> [39.103.129.63] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247769; rev:1;) alert tcp $HOME_NET any -> [38.54.1.41] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247766; rev:1;) alert tcp $HOME_NET any -> [20.69.96.235] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247767; rev:1;) alert tcp $HOME_NET any -> [79.134.225.49] 
1984 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247765; rev:1;) alert tcp $HOME_NET any -> [91.92.246.52] 4789 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247763; rev:1;) alert tcp $HOME_NET any -> [81.249.25.228] 1605 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247764; rev:1;) alert tcp $HOME_NET any -> [13.36.174.17] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247762; rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247761; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 18068 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247759/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247759; rev:1;) alert tcp $HOME_NET any -> [192.177.111.46] 18200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247760; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 5228 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247758; rev:1;) alert tcp $HOME_NET any -> [45.15.143.164] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247757; rev:1;) alert tcp $HOME_NET any -> [45.94.31.248] 4447 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247756; rev:1;) alert tcp $HOME_NET any -> [139.99.86.164] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247755; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247754; rev:1;) alert tcp $HOME_NET any -> [113.207.105.241] 9803 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247752; rev:1;) alert tcp $HOME_NET any -> [154.221.22.54] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247753; rev:1;) alert tcp $HOME_NET any -> [52.59.51.24] 1932 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247751; rev:1;) alert tcp $HOME_NET any -> [103.74.172.94] 40288 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247750; rev:1;) alert tcp $HOME_NET any -> [45.131.111.98] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247749; rev:1;) alert tcp $HOME_NET any -> 
[185.234.247.30] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247747; rev:1;) alert tcp $HOME_NET any -> [20.98.80.51] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247748; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 43941 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247745; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247746; rev:1;) alert tcp $HOME_NET any -> [93.190.10.16] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247744; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 64023 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247743/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247743; rev:1;) alert tcp $HOME_NET any -> [43.240.221.130] 9833 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247742; rev:1;) alert tcp $HOME_NET any -> [198.44.167.139] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247741; rev:1;) alert tcp $HOME_NET any -> [113.207.105.229] 7302 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247740; rev:1;) alert tcp $HOME_NET any -> [124.166.95.10] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247738; rev:1;) alert tcp $HOME_NET any -> [61.14.233.111] 4404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247739; rev:1;) alert tcp $HOME_NET any -> [185.157.162.206] 2191 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247737; rev:1;) alert tcp $HOME_NET any -> [198.44.167.215] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247735; rev:1;) alert tcp $HOME_NET any -> [113.207.105.195] 15806 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247736; rev:1;) alert tcp $HOME_NET any -> [45.141.215.32] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247733; rev:1;) alert tcp $HOME_NET any -> [157.90.112.255] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247734; rev:1;) alert tcp $HOME_NET any -> [123.99.200.158] 7223 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247732; rev:1;) 
alert tcp $HOME_NET any -> [24.50.117.82] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247730; rev:1;) alert tcp $HOME_NET any -> [46.36.67.36] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247731; rev:1;) alert tcp $HOME_NET any -> [91.92.254.14] 58004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247728; rev:1;) alert tcp $HOME_NET any -> [45.76.155.94] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247729; rev:1;) alert tcp $HOME_NET any -> [45.145.224.55] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247727; rev:1;) alert tcp $HOME_NET any -> [86.153.66.129] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247726/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247726; rev:1;) alert tcp $HOME_NET any -> [124.248.66.160] 6422 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247725; rev:1;) alert tcp $HOME_NET any -> [91.134.150.150] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247723; rev:1;) alert tcp $HOME_NET any -> [78.186.152.249] 1938 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247724; rev:1;) alert tcp $HOME_NET any -> [95.164.3.135] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247722; rev:1;) alert tcp $HOME_NET any -> [13.66.221.58] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247720; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247721; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247719; rev:1;) alert tcp $HOME_NET any -> [194.33.191.245] 2405 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247718; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247717; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247715; rev:1;) alert tcp $HOME_NET any -> [8.140.33.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247716; 
rev:1;) alert tcp $HOME_NET any -> [76.70.94.161] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247714; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247713; rev:1;) alert tcp $HOME_NET any -> [134.19.177.59] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247712; rev:1;) alert tcp $HOME_NET any -> [40.66.40.50] 4173 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247711; rev:1;) alert tcp $HOME_NET any -> [8.140.33.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247710; rev:1;) alert tcp $HOME_NET any -> [90.8.19.214] 7006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247709/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247709; rev:1;) alert tcp $HOME_NET any -> [39.103.129.63] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247708; rev:1;) alert tcp $HOME_NET any -> [217.64.31.3] 4871 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247707; rev:1;) alert tcp $HOME_NET any -> [192.177.111.46] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247706; rev:1;) alert tcp $HOME_NET any -> [139.99.86.164] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247705; rev:1;) alert tcp $HOME_NET any -> [8.140.33.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247704; rev:1;) alert tcp $HOME_NET any -> [26.199.97.56] 13377 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247703; rev:1;) alert tcp $HOME_NET any -> [5.9.194.71] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247702; rev:1;) alert tcp $HOME_NET any -> [79.134.225.35] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247701; rev:1;) alert tcp $HOME_NET any -> [45.76.155.94] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247700; rev:1;) alert tcp $HOME_NET any -> [123.99.200.157] 2802 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247699; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4839 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247698; 
rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247696; rev:1;) alert tcp $HOME_NET any -> [154.91.65.150] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247697; rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247693; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 4291 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247694; rev:1;) alert tcp $HOME_NET any -> [144.208.127.116] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247695; rev:1;) alert tcp $HOME_NET any -> [43.248.140.94] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247692; rev:1;) alert tcp $HOME_NET any -> [46.36.67.36] 51566 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247690; rev:1;) alert tcp $HOME_NET any -> [96.9.215.146] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247691; rev:1;) alert tcp $HOME_NET any -> [193.233.132.186] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247689; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 49207 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247687; rev:1;) alert tcp $HOME_NET any -> [91.134.150.149] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247688; rev:1;) alert tcp $HOME_NET any -> [45.145.229.150] 9605 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247686; rev:1;) alert tcp $HOME_NET any -> [198.44.167.139] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247684; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247685; rev:1;) alert tcp $HOME_NET any -> [91.92.250.147] 5038 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247682; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247683; rev:1;) alert tcp $HOME_NET any -> [109.205.162.97] 4739 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247679; rev:1;) alert tcp $HOME_NET any -> [213.32.243.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247680; rev:1;) alert tcp $HOME_NET any -> [66.154.122.230] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247681; rev:1;) alert tcp $HOME_NET any -> [31.210.20.231] 200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247677; rev:1;) alert tcp $HOME_NET any -> [217.64.31.3] 3819 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247678; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 18840 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247674; rev:1;) alert tcp $HOME_NET any -> [45.15.143.164] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1247675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247675; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247676; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 63770 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247672; rev:1;) alert tcp $HOME_NET any -> [2.58.56.152] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247673; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 6262 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247670; rev:1;) alert tcp $HOME_NET any -> [193.222.96.253] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247671; rev:1;) alert tcp $HOME_NET any -> [153.36.240.58] 15095 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247668; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 50732 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247669; rev:1;) alert tcp $HOME_NET any -> [76.70.94.161] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247665; rev:1;) alert tcp $HOME_NET any -> [117.18.12.59] 8880 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247666; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247667; rev:1;) alert tcp $HOME_NET any -> [38.165.8.185] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247663/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247663; rev:1;) alert tcp $HOME_NET any -> [113.207.105.200] 8301 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247664; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 5058 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247661; rev:1;) alert tcp $HOME_NET any -> [86.20.95.188] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247662; rev:1;) alert tcp $HOME_NET any -> [113.207.105.224] 16804 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247659; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 42474 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247660; rev:1;) alert tcp $HOME_NET any -> [80.48.119.72] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247657; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247658; rev:1;) alert tcp $HOME_NET any -> [120.46.33.65] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247655; rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247656; rev:1;) alert tcp $HOME_NET any -> [182.254.221.150] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247653; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247654; rev:1;) alert tcp $HOME_NET any -> 
[178.20.230.68] 4784 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247652; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247651; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247649; rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247650; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247647; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 33732 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247648/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247648; rev:1;)
# NOTE(review): the AsyncRAT ip:port rules below carry no flow: or content: keyword, so they
# match any client->server TCP packet to the listed socket, including the opening SYN — a
# single refused connection attempt (vulnerability scanner, sandbox detonation, an analyst's
# curl) is enough to alert. The in-rule threshold (type limit, track by_src, seconds 60,
# count 1) caps each *signature* at one alert per internal source per minute; it does not
# collapse the separate sids that share a destination host. Several hosts recur in this batch
# with different ports (147.185.221.18, 198.44.167.215, 159.146.14.122, 50.29.244.5), which
# looks like port rotation — treat a hit as a reason to review all traffic to that host, not
# just the listed port. Some addresses look like cloud-provider space (3.x, 13.x, 15.x) and
# are presumably reassigned quickly; confirm against the referenced ThreatFox entry before
# turning an alert into a block.
alert tcp $HOME_NET any -> [31.214.240.57] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247645; rev:1;)
alert tcp $HOME_NET any -> [45.138.99.2] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247646; rev:1;)
alert tcp $HOME_NET any -> [74.81.52.179] 33643 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247643; rev:1;)
alert tcp $HOME_NET any -> [47.104.236.243] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247644; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.231] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247641; rev:1;)
alert tcp $HOME_NET any -> [50.29.244.5] 5753 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247642; rev:1;)
alert tcp $HOME_NET any -> [96.9.215.146] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247639; rev:1;)
alert tcp $HOME_NET any -> [146.70.129.19] 38371 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247640; rev:1;)
alert tcp $HOME_NET any -> [163.5.215.225] 1602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247638; rev:1;)
alert tcp $HOME_NET any -> [39.103.129.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247637; rev:1;)
alert tcp $HOME_NET any -> [113.128.118.199] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247634; rev:1;)
alert tcp $HOME_NET any -> [43.248.140.96] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247635; rev:1;)
alert tcp $HOME_NET any -> [124.248.69.96] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247636; rev:1;)
alert tcp $HOME_NET any -> [45.76.155.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247633; rev:1;)
alert tcp $HOME_NET any -> [64.56.68.144] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247631; rev:1;)
alert tcp $HOME_NET any -> [198.44.165.35] 5602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247632; rev:1;)
alert tcp $HOME_NET any -> [195.213.0.34] 2008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247629; rev:1;)
alert tcp $HOME_NET any -> [37.114.41.142] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247630; rev:1;)
alert tcp $HOME_NET any -> [154.204.60.74] 6610 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247627; rev:1;)
alert tcp $HOME_NET any -> [45.128.36.146] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247628; rev:1;)
alert tcp $HOME_NET any -> [159.146.14.122] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247625; rev:1;)
alert tcp $HOME_NET any -> [86.20.95.188] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247626; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 35708 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247622; rev:1;)
alert tcp $HOME_NET any -> [45.145.229.147] 9606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247623; rev:1;)
alert tcp $HOME_NET any -> [78.187.224.170] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247624; rev:1;)
alert tcp $HOME_NET any -> [136.244.89.250] 3131 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247620; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.182] 13997 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247621; rev:1;)
alert tcp $HOME_NET any -> [50.29.244.5] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247618; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247619; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.215] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247617; rev:1;)
alert tcp $HOME_NET any -> [61.14.233.111] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247615; rev:1;)
alert tcp $HOME_NET any -> [185.253.161.186] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247616; rev:1;)
alert tcp $HOME_NET any -> [13.66.133.43] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247612; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 48347 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247613; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.161] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247614; rev:1;)
alert tcp $HOME_NET any -> [146.56.230.174] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247610; rev:1;)
alert tcp $HOME_NET any -> [109.205.162.97] 8361 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247611; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.215] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247607; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.123] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247608; rev:1;)
alert tcp $HOME_NET any -> [149.127.237.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247609; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.139] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247606; rev:1;)
alert tcp $HOME_NET any -> [15.237.210.97] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247604; rev:1;)
alert tcp $HOME_NET any -> [43.251.17.199] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247605; rev:1;)
alert tcp $HOME_NET any -> [159.146.14.122] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247602; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.96] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22;
classtype:trojan-activity; sid:91247603; rev:1;)
# NOTE(review): these AsyncRAT ip:port rules are pure packet rules (no flow:, no content:),
# so they alert on the TCP handshake itself — a refused connection attempt is enough — and
# the per-rule threshold (type limit, track by_src, seconds 60, count 1) limits each sid to
# one alert per internal source per minute without deduplicating across sids that share a
# host. Hosts that recur with several ports in this stretch: 147.185.221.18 (56236, 41437,
# 4449), 3.6.115.182 (11800, 6080), 198.44.167.231 (38795, 57321), 13.36.174.17 (7707, 8808),
# 176.150.69.221 (42475, 4449), 193.222.96.47 (4462, 9471) — which suggests port rotation, so
# a hit on one port is a reason to look at all traffic to that host. 119.42.170.7 is listed
# on 443: any TLS session to that address fires, so verify it does not also front something
# legitimate before escalating. Several addresses look like cloud-provider space (3.x, 13.x,
# 20.x, 40.x) and are presumably reassigned quickly — confirm against the referenced ThreatFox
# entry before blocking.
alert tcp $HOME_NET any -> [45.145.229.148] 9604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247600; rev:1;)
alert tcp $HOME_NET any -> [38.147.172.98] 6307 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247601; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.186] 4404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247598; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.217] 83 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247599; rev:1;)
alert tcp $HOME_NET any -> [47.104.179.7] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247596; rev:1;)
alert tcp $HOME_NET any -> [141.94.223.150] 6677 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247597; rev:1;)
alert tcp $HOME_NET any -> [154.39.238.95] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247594; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.47] 4462 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247595; rev:1;)
alert tcp $HOME_NET any -> [153.36.240.58] 15092 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247592; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.47] 9471 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247593; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 56236 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247590; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.21] 8646 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247591; rev:1;)
alert tcp $HOME_NET any -> [64.44.167.67] 6900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247589; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.182] 11800 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247588; rev:1;)
alert tcp $HOME_NET any -> [139.99.86.164] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247586; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 41437 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247587; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.186] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247585; rev:1;)
alert tcp $HOME_NET any -> [96.9.215.146] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247584; rev:1;)
alert tcp $HOME_NET any -> [13.36.174.17] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247581; rev:1;)
alert tcp $HOME_NET any -> [13.66.133.43] 6821 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247582; rev:1;)
alert tcp $HOME_NET any -> [64.176.178.205] 1989 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247583; rev:1;)
alert tcp $HOME_NET any -> [67.205.154.243] 4431 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247579; rev:1;)
alert tcp $HOME_NET any -> [45.80.158.48] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247580; rev:1;)
alert tcp $HOME_NET any -> [119.42.170.7] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247576; rev:1;)
alert tcp $HOME_NET any -> [103.48.85.6] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247577; rev:1;)
alert tcp $HOME_NET any -> [124.166.95.10] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247578; rev:1;)
alert tcp $HOME_NET any -> [146.56.230.174] 1720 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247574; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.182] 6080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247575; rev:1;)
alert tcp $HOME_NET any -> [20.98.80.51] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247572; rev:1;)
alert tcp $HOME_NET any -> [179.127.14.82] 29000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247573; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.231] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247570; rev:1;)
alert tcp $HOME_NET any -> [113.128.118.199] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247571; rev:1;)
alert tcp $HOME_NET any -> [103.74.172.94] 4499 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247568; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.116] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247569; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247566; rev:1;)
alert tcp $HOME_NET any -> [40.66.40.50] 6214 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247567; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.184] 41092 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247565; rev:1;)
alert tcp $HOME_NET any -> [176.150.69.221] 42475 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247563; rev:1;)
alert tcp $HOME_NET any -> [198.44.167.231] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247564; rev:1;)
alert tcp $HOME_NET any -> [121.62.63.238] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247561; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247562; rev:1;)
alert tcp $HOME_NET any -> [13.36.174.17] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247559; rev:1;)
alert tcp $HOME_NET any -> [176.150.69.221] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247560; rev:1;)
alert tcp $HOME_NET any -> [85.105.88.221] 6935 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247558; rev:1;)
alert tcp $HOME_NET any -> [142.202.242.170] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247557; rev:1;)
alert tcp $HOME_NET any ->
[179.14.8.182] 2009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247532; rev:1;)
# NOTE(review): the reporter's confidence (80% / 75% / 50% below) lives only in the msg text
# and in metadata: confidence_level; every rule in this feed is classtype:trojan-activity, so
# a 50%-confidence "Unknown malware" connect on 443 or 8888 gets the same priority as a 100%
# entry. If that is too noisy, down-rank or suppress the low-confidence sids in
# threshold.config, or filter on metadata.confidence_level downstream — do not hand-edit
# this generated file, the next refresh will overwrite it. The ip:port rules have no flow: or
# content: keyword and fire on the TCP handshake itself; the threshold is per sid and per
# internal source (one alert per minute).
alert tcp $HOME_NET any -> [193.233.132.5] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_21; classtype:trojan-activity; sid:91247530; rev:1;)
alert tcp $HOME_NET any -> [8.219.183.36] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_21; classtype:trojan-activity; sid:91247529; rev:1;)
alert tcp $HOME_NET any -> [120.78.4.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247528; rev:1;)
# NOTE(review): the http rules below need a cleartext HTTP request with method GET and an
# exact Host header (isdataat:!1,relative after the host match). They cannot see a TLS
# session to the same host — for 120.78.4.99 that is what the ip:port rule on 443 above is
# for — and a POST to the same path does not match. The http.uri match is prefix-only
# (depth with no end anchor), so "/pixel" also covers "/pixel.gif?x=1" and "/www/handle/doc"
# covers anything appended to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.78.4.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247526; rev:1;)
# NOTE(review): the /xmlrpc.php entries are GET requests to what look like ordinary WordPress
# sites — presumably compromised and used as payload hosts; confirm on the referenced
# ThreatFox entry. Host is matched exactly, so a user merely browsing one of these sites will
# not trip the rule, but an internal vulnerability scanner or WordPress-hardening tool that
# probes /xmlrpc.php on these hosts will. Compromised sites are usually cleaned up quickly
# (first_seen 2024_03_21), so check that the entry is still active before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pipingpotcurry.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"conoleforcongress.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.bourse-du-travail.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atlanticyachtandship.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ngajiyok.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zarinbano.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"netmag.pk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.diereisedeineslebens.de"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"palaiofaliro.gr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"livingshorespa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247524; rev:1;)
# NOTE(review): 75% / 50% confidence from here on. The two 50% entries on 443 (202.161.85.51,
# 46.17.107.164) alert on any TLS connection to those addresses with no payload check;
# verify the referenced entry before treating a single hit as confirmed C2.
alert tcp $HOME_NET any -> [91.92.241.71] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247525; rev:1;)
alert tcp $HOME_NET any -> [170.64.183.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247514; rev:1;)
alert tcp $HOME_NET any -> [20.163.75.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247513; rev:1;)
alert tcp $HOME_NET any -> [101.35.198.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247512; rev:1;)
alert tcp $HOME_NET any -> [202.161.85.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247511; rev:1;)
alert tcp $HOME_NET any -> [46.17.107.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247510; rev:1;)
alert tcp $HOME_NET any -> [38.47.101.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247509; rev:1;)
alert tcp $HOME_NET any -> [97.154.242.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247508; rev:1;)
# NOTE(review): as far as is visible here, dns_query with depth:23 plus isdataat:!1,relative
# matches only the exact apex name; a query for a subdomain of meridianresourcellc.top would
# not fire, so pair this with a DNS-log search on the suffix if you need that coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"meridianresourcellc.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1247506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247506; rev:1;) alert tcp $HOME_NET any -> [185.194.140.225] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247507; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247504; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247503; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247502; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storyernes.cur"; depth:15; nocase; http.host; content:"147.78.103.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmgbvtlwqy81.bin"; depth:17; nocase; http.host; content:"147.78.103.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"106.55.102.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.71.130.71"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247495; rev:1;) alert tcp $HOME_NET any -> [94.158.247.72] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.kogyoung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.kogyoung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247492; rev:1;) alert tcp $HOME_NET any -> [154.90.63.215] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247491/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns9.bpibank.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns8.bpibank.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lokolojazz.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"casiworksplcs.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"2.56.215.211"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1247473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"javiermar2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"olssqh34.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knueoh22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kypersau25.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lysmer21.top"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morluw04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenb128hiuedfhajduihfa.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247487; rev:1;) alert tcp $HOME_NET any -> [95.217.240.145] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247485; rev:1;) alert tcp $HOME_NET any -> [49.13.33.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.8"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247483/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247483; rev:1;) alert tcp $HOME_NET any -> [78.47.223.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.223.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ct39024.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247470; rev:1;) alert tcp $HOME_NET any -> [103.47.82.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247468; rev:1;) alert tcp $HOME_NET any -> [213.109.202.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.61.25.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.92.18.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247463; rev:1;) alert tcp $HOME_NET any -> [154.92.18.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247462/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"94.156.67.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247461; rev:1;) alert tcp $HOME_NET any -> [45.86.86.217] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247460; rev:1;) alert tcp $HOME_NET any -> [159.253.120.118] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247459; rev:1;) alert tcp $HOME_NET any -> [154.31.183.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247354; rev:1;) alert tcp $HOME_NET any -> [154.31.183.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247355; rev:1;) alert tcp 
$HOME_NET any -> [154.31.176.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247352; rev:1;) alert tcp $HOME_NET any -> [154.31.176.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247353; rev:1;) alert tcp $HOME_NET any -> [154.31.183.162] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247350; rev:1;) alert tcp $HOME_NET any -> [154.31.183.162] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247351; rev:1;) alert tcp $HOME_NET any -> [154.31.183.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247347; rev:1;) alert tcp $HOME_NET any -> [154.31.178.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247348; rev:1;) alert tcp $HOME_NET any -> [154.31.178.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247349; rev:1;) alert tcp $HOME_NET any -> [154.31.179.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247344; rev:1;) alert tcp $HOME_NET any -> [154.31.179.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247345; rev:1;) alert tcp $HOME_NET any -> [154.31.181.169] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247343; rev:1;) alert tcp $HOME_NET any -> [154.31.183.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247346; rev:1;) alert tcp $HOME_NET any -> [154.31.180.179] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247340; rev:1;) alert tcp $HOME_NET any -> [154.31.180.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247341; rev:1;) alert tcp $HOME_NET any -> [154.31.181.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247342; rev:1;) alert tcp $HOME_NET any -> [154.31.181.172] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247333; rev:1;) alert tcp $HOME_NET any -> [154.31.181.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247338; rev:1;) alert tcp $HOME_NET any -> [154.31.181.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247339/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247339; rev:1;) alert tcp $HOME_NET any -> [154.31.180.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247330; rev:1;) alert tcp $HOME_NET any -> [154.31.177.166] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247334; rev:1;) alert tcp $HOME_NET any -> [154.31.177.166] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247335; rev:1;) alert tcp $HOME_NET any -> [154.31.177.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247336; rev:1;) alert tcp $HOME_NET any -> [154.31.177.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247337; rev:1;) alert tcp $HOME_NET any -> [154.31.181.172] 4444 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247332; rev:1;) alert tcp $HOME_NET any -> [154.31.182.173] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247329; rev:1;) alert tcp $HOME_NET any -> [154.31.180.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247331; rev:1;) alert tcp $HOME_NET any -> [154.31.182.173] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247328; rev:1;) alert tcp $HOME_NET any -> [154.31.177.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247356; rev:1;) alert tcp $HOME_NET any -> [154.31.177.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247357/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_21; classtype:trojan-activity; sid:91247357; rev:1;) alert tcp $HOME_NET any -> [154.31.178.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247358; rev:1;) alert tcp $HOME_NET any -> [154.31.177.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247359; rev:1;) alert tcp $HOME_NET any -> [154.31.177.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247360; rev:1;) alert tcp $HOME_NET any -> [154.31.182.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247361; rev:1;) alert tcp $HOME_NET any -> [154.31.182.181] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247362; rev:1;) alert tcp $HOME_NET any -> [154.31.176.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247363; rev:1;) alert tcp $HOME_NET any -> [154.31.176.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247364; rev:1;) alert tcp $HOME_NET any -> [154.31.180.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247365; rev:1;) alert tcp $HOME_NET any -> [154.31.180.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247366; rev:1;) alert tcp $HOME_NET any -> [154.31.181.162] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247367; rev:1;) alert tcp $HOME_NET any -> [154.31.181.162] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247368; rev:1;) alert tcp $HOME_NET any -> [154.31.179.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247369; rev:1;) alert tcp $HOME_NET any -> [154.31.179.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247370; rev:1;) alert tcp $HOME_NET any -> [154.31.181.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247372; rev:1;) alert tcp $HOME_NET any -> [154.31.181.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247373; rev:1;) alert tcp $HOME_NET any -> [154.31.181.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247371; rev:1;) alert tcp $HOME_NET any -> [154.31.181.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247375; rev:1;) alert tcp $HOME_NET any -> [154.31.181.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247374; rev:1;) alert tcp $HOME_NET any -> [154.31.179.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247376; rev:1;) alert tcp $HOME_NET any -> [154.31.179.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247377; rev:1;) alert tcp $HOME_NET any -> [154.31.176.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247378; rev:1;) alert tcp $HOME_NET any -> [154.31.176.169] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247379; 
rev:1;) alert tcp $HOME_NET any -> [154.31.181.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247380; rev:1;) alert tcp $HOME_NET any -> [154.31.181.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247381; rev:1;) alert tcp $HOME_NET any -> [154.31.177.173] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247382; rev:1;) alert tcp $HOME_NET any -> [154.31.177.173] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247383; rev:1;) alert tcp $HOME_NET any -> [154.31.178.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247384; rev:1;) alert tcp $HOME_NET any -> [154.31.178.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247385; rev:1;) alert tcp $HOME_NET any -> [154.31.183.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247386; rev:1;) alert tcp $HOME_NET any -> [154.31.183.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247387; rev:1;) alert tcp $HOME_NET any -> [154.31.182.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247388; rev:1;) alert tcp $HOME_NET any -> [154.31.182.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247389; rev:1;) alert tcp $HOME_NET any -> [154.31.179.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247390; rev:1;) alert tcp $HOME_NET any -> 
[154.31.179.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247391; rev:1;) alert tcp $HOME_NET any -> [154.31.181.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247392; rev:1;) alert tcp $HOME_NET any -> [154.31.181.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247393; rev:1;) alert tcp $HOME_NET any -> [154.31.182.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247394; rev:1;) alert tcp $HOME_NET any -> [154.31.182.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247395; rev:1;) alert tcp $HOME_NET any -> [154.31.176.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247396; rev:1;) alert tcp $HOME_NET any -> [154.31.176.170] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247397; rev:1;) alert tcp $HOME_NET any -> [154.31.176.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247398; rev:1;) alert tcp $HOME_NET any -> [154.31.176.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247399; rev:1;) alert tcp $HOME_NET any -> [154.31.183.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247400; rev:1;) alert tcp $HOME_NET any -> [154.31.183.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247401; rev:1;) alert tcp $HOME_NET any -> [154.31.178.163] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247402; rev:1;) alert tcp $HOME_NET any -> [154.31.178.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247403; rev:1;) alert tcp $HOME_NET any -> [154.31.182.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247404; rev:1;) alert tcp $HOME_NET any -> [154.31.182.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247405; rev:1;) alert tcp $HOME_NET any -> [154.31.183.183] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247407; rev:1;) alert tcp $HOME_NET any -> [154.31.179.172] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247408/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247408; rev:1;) alert tcp $HOME_NET any -> [154.31.178.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247327; rev:1;) alert tcp $HOME_NET any -> [154.31.176.165] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247325; rev:1;) alert tcp $HOME_NET any -> [154.31.178.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247326; rev:1;) alert tcp $HOME_NET any -> [154.31.181.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247322; rev:1;) alert tcp $HOME_NET any -> [154.31.181.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247323; rev:1;) alert tcp $HOME_NET any -> [154.31.176.165] 4444 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247324; rev:1;) alert tcp $HOME_NET any -> [154.31.176.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247318; rev:1;) alert tcp $HOME_NET any -> [154.31.176.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247317; rev:1;) alert tcp $HOME_NET any -> [154.31.177.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247314; rev:1;) alert tcp $HOME_NET any -> [154.31.178.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247315; rev:1;) alert tcp $HOME_NET any -> [154.31.178.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247316/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_03_21; classtype:trojan-activity; sid:91247316; rev:1;) alert tcp $HOME_NET any -> [154.31.182.178] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247311; rev:1;) alert tcp $HOME_NET any -> [154.31.177.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247312; rev:1;) alert tcp $HOME_NET any -> [154.31.177.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247313; rev:1;) alert tcp $HOME_NET any -> [154.31.182.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247310; rev:1;) alert tcp $HOME_NET any -> [95.216.85.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247291; rev:1;) alert tcp $HOME_NET any -> [149.104.26.184] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247309; rev:1;) alert tcp $HOME_NET any -> [149.104.26.184] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247308; rev:1;) alert tcp $HOME_NET any -> [54.39.29.90] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247290; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247289; rev:1;) alert tcp $HOME_NET any -> [154.31.183.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247406; rev:1;) alert tcp $HOME_NET any -> [154.31.179.172] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247409; 
rev:1;) alert tcp $HOME_NET any -> [154.31.183.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247410; rev:1;) alert tcp $HOME_NET any -> [154.31.183.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247411; rev:1;) alert tcp $HOME_NET any -> [154.31.182.190] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247413; rev:1;) alert tcp $HOME_NET any -> [154.31.182.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247412; rev:1;) alert tcp $HOME_NET any -> [154.31.179.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247417; rev:1;) alert tcp $HOME_NET any -> [154.31.179.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247416; rev:1;) alert tcp $HOME_NET any -> [154.31.177.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247415; rev:1;) alert tcp $HOME_NET any -> [154.31.177.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247414; rev:1;) alert tcp $HOME_NET any -> [154.31.179.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247418; rev:1;) alert tcp $HOME_NET any -> [154.31.179.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247419; rev:1;) alert tcp $HOME_NET any -> [154.31.179.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247420; rev:1;) alert tcp $HOME_NET any -> 
[154.31.179.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247421; rev:1;) alert tcp $HOME_NET any -> [154.31.183.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247423; rev:1;) alert tcp $HOME_NET any -> [154.31.183.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247422; rev:1;) alert tcp $HOME_NET any -> [154.31.181.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247424; rev:1;) alert tcp $HOME_NET any -> [154.31.181.178] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247425; rev:1;) alert tcp $HOME_NET any -> [154.31.179.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247426; rev:1;) alert tcp $HOME_NET any -> [154.31.179.190] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247427; rev:1;) alert tcp $HOME_NET any -> [154.31.177.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247428; rev:1;) alert tcp $HOME_NET any -> [154.31.177.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247429; rev:1;) alert tcp $HOME_NET any -> [154.31.177.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247430; rev:1;) alert tcp $HOME_NET any -> [154.31.177.188] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247431; rev:1;) alert tcp $HOME_NET any -> [154.31.178.170] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247432; rev:1;) alert tcp $HOME_NET any -> [154.31.178.170] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247433; rev:1;) alert tcp $HOME_NET any -> [154.31.182.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247434; rev:1;) alert tcp $HOME_NET any -> [154.31.182.188] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247435; rev:1;) alert tcp $HOME_NET any -> [154.31.178.166] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247436; rev:1;) alert tcp $HOME_NET any -> [154.31.178.166] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247437/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247437; rev:1;) alert tcp $HOME_NET any -> [154.31.183.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247438; rev:1;) alert tcp $HOME_NET any -> [154.31.183.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247439; rev:1;) alert tcp $HOME_NET any -> [154.31.176.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247440; rev:1;) alert tcp $HOME_NET any -> [154.31.176.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247441; rev:1;) alert tcp $HOME_NET any -> [154.31.183.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247442; rev:1;) alert tcp $HOME_NET any -> [154.31.183.179] 4569 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247443; rev:1;) alert tcp $HOME_NET any -> [154.31.182.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247444; rev:1;) alert tcp $HOME_NET any -> [154.31.182.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247445; rev:1;) alert tcp $HOME_NET any -> [154.31.177.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247446; rev:1;) alert tcp $HOME_NET any -> [154.31.177.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247447; rev:1;) alert tcp $HOME_NET any -> [154.31.176.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247448/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_21; classtype:trojan-activity; sid:91247448; rev:1;) alert tcp $HOME_NET any -> [154.31.176.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247449; rev:1;) alert tcp $HOME_NET any -> [154.31.178.182] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247450; rev:1;) alert tcp $HOME_NET any -> [154.31.178.182] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247451; rev:1;) alert tcp $HOME_NET any -> [154.31.182.180] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247452; rev:1;) alert tcp $HOME_NET any -> [154.31.182.180] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247453; rev:1;) alert tcp $HOME_NET any -> [154.31.182.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247454; rev:1;) alert tcp $HOME_NET any -> [154.31.182.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247455; rev:1;) alert tcp $HOME_NET any -> [154.31.182.171] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247456; rev:1;) alert tcp $HOME_NET any -> [154.31.182.171] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alltorq-net.oncallservices.ca"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247458; rev:1;) alert tcp $HOME_NET any -> [124.222.97.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247321/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_21; classtype:trojan-activity; sid:91247321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"116.205.189.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"111.51.156.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247301/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.117.93.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.229.19.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247294; rev:1;) alert tcp $HOME_NET any -> [103.78.0.39] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagevmlineprocessorservertrackdle.php"; depth:46; nocase; http.host; content:"042506cm.n9shteam2.top"; depth:22; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1247292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0932103.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247288; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"91.92.247.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247287; rev:1;) alert tcp $HOME_NET any -> [154.31.180.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247276; rev:1;) alert tcp $HOME_NET any -> [154.31.180.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247277/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247277; rev:1;) alert tcp $HOME_NET any -> [193.124.205.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247285; rev:1;) alert tcp $HOME_NET any -> [45.128.96.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247284; rev:1;) alert tcp $HOME_NET any -> [170.64.183.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247283; rev:1;) alert tcp $HOME_NET any -> [46.246.82.24] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247282; rev:1;) alert tcp $HOME_NET any -> [70.31.125.20] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247281/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247281; rev:1;) alert tcp $HOME_NET any -> [72.27.97.12] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247280/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247280; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247279/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247279; rev:1;) alert tcp $HOME_NET any -> [31.42.186.231] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247278; rev:1;) alert tcp $HOME_NET any -> [154.31.178.168] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247275; rev:1;) alert tcp $HOME_NET any -> [154.31.178.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247274; rev:1;) alert tcp $HOME_NET any -> [121.5.220.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247270; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247272; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247271; rev:1;) alert tcp $HOME_NET any -> [159.89.168.138] 52293 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247273; rev:1;) alert tcp $HOME_NET any -> [39.100.93.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247268; rev:1;) alert tcp $HOME_NET any -> [39.100.93.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtldgtld.store"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softupdate.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tfirstdaily.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-dev.helpkaspersky.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data-dev.helpkaspersky.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"happy.gitweb.cloudns.nz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247160/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.helpkaspersky.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.microsoft-setting.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.windows.server-microsoft.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.security-microsoft.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.centos-yum.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247155/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247155; rev:1;) alert tcp $HOME_NET any -> [186.112.193.255] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247132; rev:1;) alert tcp $HOME_NET any -> [181.131.216.198] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247133; rev:1;) alert tcp $HOME_NET any -> [186.112.203.192] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247134; rev:1;) alert tcp $HOME_NET any -> [168.119.211.236] 115 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247135; rev:1;) alert tcp $HOME_NET any -> [85.215.196.156] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247136; rev:1;) alert tcp $HOME_NET any -> [152.70.163.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzlimme4mwuxnti0/"; depth:18; nocase; http.host; content:"213.109.202.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247144; rev:1;) alert tcp $HOME_NET any -> [161.132.38.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247151; rev:1;) alert tcp $HOME_NET any -> [154.31.179.182] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247150; rev:1;) alert tcp $HOME_NET any -> [154.31.179.182] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247152; rev:1;) alert tcp $HOME_NET any -> [66.42.54.125] 56250 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247153/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247153; rev:1;) alert tcp $HOME_NET any -> [23.94.159.198] 8055 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/fre.php"; depth:22; nocase; http.host; content:"meridianresourcellc.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/fre.php"; depth:21; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247147; rev:1;) alert tcp $HOME_NET any -> [91.238.181.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.248"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247145; rev:1;) alert tcp $HOME_NET any -> [5.42.65.117] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247143/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247143; rev:1;) alert tcp $HOME_NET any -> [5.42.92.73] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247142; rev:1;) alert tcp $HOME_NET any -> [101.99.92.169] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247141; rev:1;) alert tcp $HOME_NET any -> [193.233.132.11] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247140; rev:1;) alert tcp $HOME_NET any -> [193.233.132.59] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247139; rev:1;) alert tcp $HOME_NET any -> [37.110.19.55] 80 (msg:"ThreatFox Meduza 
Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247138; rev:1;) alert tcp $HOME_NET any -> [194.33.191.3] 7391 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247131; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247121; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247119; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247120; rev:1;) alert tcp $HOME_NET any -> [94.156.69.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247105/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_20; classtype:trojan-activity; sid:91247105; rev:1;) alert tcp $HOME_NET any -> [88.179.240.135] 49158 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247118; rev:1;) alert tcp $HOME_NET any -> [94.156.67.106] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.68] 29093 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247104; rev:1;) alert tcp $HOME_NET any -> [193.222.96.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247102; rev:1;) alert tcp $HOME_NET any -> [5.255.108.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247098/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247098; rev:1;) alert tcp $HOME_NET any -> [176.123.1.221] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - 
confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247100/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247100; rev:1;) alert tcp $HOME_NET any -> [104.129.21.231] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247099/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247099; rev:1;) alert tcp $HOME_NET any -> [193.168.141.153] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247101/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247101; rev:1;) alert tcp $HOME_NET any -> [193.233.132.190] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; 
depth:8; nocase; http.host; content:"ns.b1ing.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/c6ui18im6abq8-el0qhxmang5bfkq"; depth:47; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247125; rev:1;) alert tcp $HOME_NET any -> [164.92.174.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247124; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"164.92.174.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247123; rev:1;) alert tcp $HOME_NET any -> [65.21.119.55] 45110 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247122; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247117; rev:1;) alert tcp $HOME_NET any -> [38.59.124.61] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247116; rev:1;) alert tcp $HOME_NET any -> [46.246.12.4] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247115; rev:1;) alert tcp $HOME_NET any -> [78.178.72.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247114; rev:1;) alert tcp $HOME_NET any -> [5.163.180.48] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247113; rev:1;) alert tcp $HOME_NET any -> [92.251.173.191] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247112; rev:1;) alert tcp $HOME_NET any -> [91.254.253.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247111; rev:1;) alert tcp $HOME_NET any -> [97.118.56.247] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247110; rev:1;) alert tcp $HOME_NET any -> [188.170.152.11] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247109; rev:1;) alert tcp $HOME_NET any -> [103.81.38.242] 
443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247108; rev:1;) alert tcp $HOME_NET any -> [172.172.152.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247107; rev:1;) alert tcp $HOME_NET any -> [95.183.54.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247097; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247092; rev:1;) alert tcp 
$HOME_NET any -> [109.120.184.220] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247090; rev:1;) alert tcp $HOME_NET any -> [193.233.132.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247080; rev:1;) alert tcp $HOME_NET any -> [193.233.132.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247081; rev:1;) alert tcp $HOME_NET any -> [193.233.132.59] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247082; rev:1;) alert tcp $HOME_NET any -> [193.233.132.71] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247083; rev:1;) alert tcp $HOME_NET any -> [193.233.132.173] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247084; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 3100 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luisro2158.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 50%)"; dns_query; content:"treimob.cfd"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:bad-unknown; sid:91247075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 50%)"; dns_query; content:"hopefor.space"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:bad-unknown; sid:91247074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gamerforyou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247065/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sky-beta.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247064/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247064; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.work.gd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247063; rev:1;) alert tcp $HOME_NET any -> [220.158.234.115] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247039; rev:1;) alert tcp $HOME_NET any -> [216.73.159.58] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247040; rev:1;) alert tcp $HOME_NET any -> [169.239.129.35] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247041; rev:1;) alert tcp $HOME_NET any -> [103.208.86.69] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247042; rev:1;) alert tcp $HOME_NET any -> [46.23.108.239] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247043; rev:1;) alert tcp $HOME_NET any -> [46.23.108.240] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247044; rev:1;) alert tcp $HOME_NET any -> [46.23.108.241] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247045; rev:1;) alert tcp $HOME_NET any -> [46.23.108.242] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247046; rev:1;) alert tcp $HOME_NET any -> [46.23.108.243] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247047; rev:1;) alert tcp $HOME_NET any -> [46.23.108.244] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247048; rev:1;) alert tcp $HOME_NET any -> [46.23.108.245] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; 
sid:91247049; rev:1;) alert tcp $HOME_NET any -> [46.23.108.246] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247050; rev:1;) alert tcp $HOME_NET any -> [46.23.108.247] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247051; rev:1;) alert tcp $HOME_NET any -> [46.23.108.249] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247052; rev:1;) alert tcp $HOME_NET any -> [45.95.169.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247053; rev:1;) alert tcp $HOME_NET any -> [45.95.169.101] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247054; rev:1;) alert tcp $HOME_NET any -> [45.95.169.105] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247055; rev:1;) alert tcp $HOME_NET any -> [45.95.169.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247056; rev:1;) alert tcp $HOME_NET any -> [45.95.169.117] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247057; rev:1;) alert tcp $HOME_NET any -> [45.95.169.150] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247058; rev:1;) alert tcp $HOME_NET any -> [45.95.169.152] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247059; rev:1;) alert tcp $HOME_NET any -> [45.95.169.153] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247060; rev:1;) alert tcp 
$HOME_NET any -> [84.54.51.124] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247061; rev:1;) alert tcp $HOME_NET any -> [91.92.255.88] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"94.156.67.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.14.46.128"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/explode/poll/ere9k18mnq"; depth:24; nocase; http.host; content:"210.79.134.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247034/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_20; classtype:trojan-activity; sid:91247034; rev:1;) alert tcp $HOME_NET any -> [210.79.134.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.136.242.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247032; rev:1;) alert tcp $HOME_NET any -> [142.171.229.46] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"21hjgt71f.sharedomain.top"; depth:25; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21hjgt71f.sharedomain.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247030; rev:1;) alert tcp $HOME_NET any -> [141.98.168.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj"; depth:3; nocase; http.host; content:"141.98.168.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247027; rev:1;) alert tcp $HOME_NET any -> [176.32.35.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247025; rev:1;) alert tcp $HOME_NET any -> [185.161.208.123] 6655 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/panel/index.php"; depth:22; nocase; http.host; content:"store4.ro"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247023; rev:1;) alert tcp $HOME_NET any -> [43.129.31.231] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanomarch8100.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247000; rev:1;) alert tcp $HOME_NET any -> [85.204.116.154] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247013/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247018; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247017; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247016; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.209"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247014; rev:1;) alert tcp $HOME_NET any -> [123.249.30.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; 
http.host; content:"123.249.30.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247011; rev:1;) alert tcp $HOME_NET any -> [103.211.56.154] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmuploadstemporary.php"; depth:23; nocase; http.host; content:"785654cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247007; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.57.253"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.216.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247005; rev:1;) alert tcp $HOME_NET any -> [116.202.5.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247004; rev:1;) alert tcp $HOME_NET any -> [78.47.57.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247001; rev:1;) alert tcp $HOME_NET any -> [5.75.216.188] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247002; rev:1;) alert tcp $HOME_NET any -> [95.217.28.242] 8888 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247003; rev:1;) alert tcp $HOME_NET any -> [194.147.140.141] 8100 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246999; rev:1;) alert tcp $HOME_NET any -> [93.123.39.238] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246998; rev:1;) alert tcp $HOME_NET any -> [91.107.121.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246997; rev:1;) alert tcp $HOME_NET any -> [84.32.214.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246996; rev:1;) alert tcp $HOME_NET any -> [222.186.21.204] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91246995; rev:1;) alert tcp $HOME_NET any -> [81.161.238.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246994; rev:1;) alert tcp $HOME_NET any -> [154.16.10.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246993; rev:1;) alert tcp $HOME_NET any -> [45.76.189.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246992; rev:1;) alert tcp $HOME_NET any -> [216.83.58.188] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246991; rev:1;) alert tcp $HOME_NET any -> [123.253.108.131] 8886 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246990/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246990; rev:1;) alert tcp $HOME_NET any -> [46.246.84.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246989; rev:1;) alert tcp $HOME_NET any -> [46.246.6.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246988; rev:1;) alert tcp $HOME_NET any -> [78.169.186.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246987; rev:1;) alert tcp $HOME_NET any -> [175.13.35.49] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246986; rev:1;) alert tcp $HOME_NET any -> [77.126.104.106] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246985; rev:1;) alert tcp $HOME_NET any -> [72.27.209.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246984; rev:1;) alert tcp $HOME_NET any -> [41.96.236.231] 443 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246983; rev:1;) alert tcp $HOME_NET any -> [23.227.193.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246982; rev:1;) alert tcp $HOME_NET any -> [192.227.234.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246981; rev:1;) alert tcp $HOME_NET any -> [155.138.229.25] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246980; rev:1;) alert tcp $HOME_NET any -> [139.162.51.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246979; rev:1;) alert tcp $HOME_NET any -> [95.179.171.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91246978; rev:1;) alert tcp $HOME_NET any -> [62.234.28.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246977; rev:1;) alert tcp $HOME_NET any -> [96.9.225.129] 37826 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246976; rev:1;) alert tcp $HOME_NET any -> [18.162.142.16] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246975; rev:1;) alert tcp $HOME_NET any -> [43.198.208.125] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246974; rev:1;) alert tcp $HOME_NET any -> [34.134.107.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246973; rev:1;) alert tcp $HOME_NET any -> [78.47.48.88] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246972; rev:1;) alert tcp $HOME_NET any -> [192.210.201.57] 52748 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ameerpplus.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91246963; rev:1;) alert tcp $HOME_NET any -> [24.42.99.89] 191 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91246962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badbutperfect.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246957; rev:1;) alert tcp $HOME_NET any -> [165.22.16.55] 445 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246958; rev:1;) alert tcp $HOME_NET any -> 
[147.78.47.15] 61227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246959; rev:1;) alert tcp $HOME_NET any -> [52.157.196.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"147.78.47.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246961; rev:1;) alert tcp $HOME_NET any -> [45.120.177.167] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246970; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246969; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246968; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246967; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246966; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246965; rev:1;) alert tcp $HOME_NET any -> [46.183.222.88] 22288 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246964; rev:1;) alert tcp $HOME_NET any -> [47.99.65.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.99.65.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246955; rev:1;) alert tcp $HOME_NET any -> [154.31.181.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246954; rev:1;) alert tcp $HOME_NET any -> [210.79.134.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/explode/poll/ere9k18mnq"; depth:24; nocase; http.host; content:"210.79.134.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246952; rev:1;) alert tcp $HOME_NET any -> [154.31.183.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246949; rev:1;) alert tcp $HOME_NET any -> [89.117.59.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246950; rev:1;) alert tcp $HOME_NET any -> [154.31.180.174] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"microsoftdell1.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246921; rev:1;) alert tcp $HOME_NET any -> [206.233.132.215] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246944; rev:1;) alert tcp $HOME_NET any -> [206.233.132.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246943; rev:1;) alert tcp $HOME_NET any -> [206.233.132.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246942; rev:1;) alert tcp $HOME_NET any -> [13.214.93.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246941; rev:1;) alert tcp $HOME_NET any -> [216.83.58.191] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246940; rev:1;) alert tcp $HOME_NET any -> [216.83.58.190] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246939; rev:1;) alert tcp $HOME_NET any -> [16.162.87.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; 
sid:91246938; rev:1;) alert tcp $HOME_NET any -> [149.104.27.148] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246937; rev:1;) alert tcp $HOME_NET any -> [101.34.211.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246936; rev:1;) alert tcp $HOME_NET any -> [172.245.91.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246935; rev:1;) alert tcp $HOME_NET any -> [46.246.84.16] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246934; rev:1;) alert tcp $HOME_NET any -> [159.0.41.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246933; rev:1;) alert tcp $HOME_NET any -> [154.247.214.2] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246932; rev:1;) alert tcp $HOME_NET any -> [189.177.83.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246931; rev:1;) alert tcp $HOME_NET any -> [70.31.125.174] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246930; rev:1;) alert tcp $HOME_NET any -> [41.96.246.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246929; rev:1;) alert tcp $HOME_NET any -> [91.108.105.80] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246928; rev:1;) alert tcp $HOME_NET any -> [82.157.236.128] 6443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246927; rev:1;) alert tcp $HOME_NET any -> [185.248.143.18] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246926; rev:1;) alert tcp $HOME_NET any -> [176.120.75.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246925; rev:1;) alert tcp $HOME_NET any -> [99.83.171.11] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246924; rev:1;) alert tcp $HOME_NET any -> [130.61.212.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246923; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246920/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/check"; depth:26; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246916; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 
7010 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar.css"; depth:17; nocase; http.host; content:"37.120.239.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246914; rev:1;) alert tcp $HOME_NET any -> [45.32.196.110] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beacon.etallyall.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealit.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"blendy-game.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246910; rev:1;) alert tcp $HOME_NET any -> [20.206.240.63] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246908; rev:1;) alert tcp $HOME_NET any -> [14.225.208.190] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246907; rev:1;) alert tcp $HOME_NET any -> [5.181.80.60] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246887; rev:1;) alert tcp $HOME_NET any -> [5.181.80.189] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246889; rev:1;) alert tcp $HOME_NET any -> [5.181.80.61] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246888; 
rev:1;) alert tcp $HOME_NET any -> [5.181.80.59] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246886; rev:1;) alert tcp $HOME_NET any -> [45.125.66.111] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246885; rev:1;) alert tcp $HOME_NET any -> [178.128.63.21] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246880; rev:1;) alert tcp $HOME_NET any -> [178.128.86.45] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246881; rev:1;) alert tcp $HOME_NET any -> [193.233.132.155] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246884; rev:1;) alert tcp $HOME_NET any -> [157.245.193.12] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246879/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246879; rev:1;) alert tcp $HOME_NET any -> [152.42.163.36] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246877; rev:1;) alert tcp $HOME_NET any -> [157.230.41.125] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246878; rev:1;) alert tcp $HOME_NET any -> [146.190.81.220] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246875; rev:1;) alert tcp $HOME_NET any -> [152.42.163.34] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246876; rev:1;) alert tcp $HOME_NET any -> [128.199.168.231] 1433 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246874; rev:1;) alert tcp $HOME_NET any -> [128.199.100.0] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246873; rev:1;) alert tcp $HOME_NET any -> [193.233.132.137] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246869; rev:1;) alert tcp $HOME_NET any -> [193.233.132.188] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246864; rev:1;) alert tcp $HOME_NET any -> [185.198.57.73] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246857; rev:1;) alert tcp $HOME_NET any -> [185.198.57.78] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246858; rev:1;) alert tcp $HOME_NET any -> [185.141.27.17] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246854; rev:1;) alert tcp $HOME_NET any 
-> [185.141.27.200] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246855; rev:1;) alert tcp $HOME_NET any -> [185.183.96.15] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246856; rev:1;) alert tcp $HOME_NET any -> [185.117.73.134] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246852; rev:1;) alert tcp $HOME_NET any -> [185.117.73.187] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246853; rev:1;) alert tcp $HOME_NET any -> [185.45.193.151] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246850; rev:1;) alert tcp $HOME_NET any -> [185.82.202.236] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246851/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.171"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.96"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.96"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.171"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246903; rev:1;) alert tcp $HOME_NET any -> [5.75.212.96] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246902; rev:1;) alert tcp $HOME_NET any -> [5.75.214.171] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246899; rev:1;) alert tcp $HOME_NET any -> [5.75.212.96] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246900; rev:1;) alert tcp $HOME_NET any -> [5.75.214.171] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"149.104.27.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"154.3.8.55"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246897; rev:1;) alert tcp $HOME_NET any -> [103.27.109.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jby1ivts-1324864909.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-jby1ivts-1324864909.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246893; rev:1;) alert tcp $HOME_NET any -> [101.34.58.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"101.34.58.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246891; rev:1;) alert tcp $HOME_NET any -> [154.30.255.175] 8887 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; 
classtype:trojan-activity; sid:91246882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.css"; depth:7; nocase; http.host; content:"apps.nbcnews.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"16.163.149.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.131.118.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.100.229.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.temt.top"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"150.158.37.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; 
sid:91246848; rev:1;) alert tcp $HOME_NET any -> [150.158.37.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246849; rev:1;) alert tcp $HOME_NET any -> [154.31.180.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246847; rev:1;) alert tcp $HOME_NET any -> [38.55.204.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.55.204.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246845; rev:1;) alert tcp $HOME_NET any -> [154.31.181.180] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246844; rev:1;) alert tcp $HOME_NET any -> [154.31.180.168] 4444 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246843; rev:1;) alert tcp $HOME_NET any -> [154.31.177.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246842; rev:1;) alert tcp $HOME_NET any -> [154.31.181.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246841; rev:1;) alert tcp $HOME_NET any -> [123.60.135.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.60.135.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246839; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lee.exe"; depth:8; nocase; http.host; content:"104.168.32.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xampp/bll/leeisagoodmanwholovedhertrulyfromtheheartsheismycutegirl____ilovehertrulyfromtheheartwithallmylovetokissyousuccess.doc"; depth:129; nocase; http.host; content:"94.156.69.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246834/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/c6ui18im6abq8-el0qhxmang5bfkq"; depth:47; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246833; rev:1;) alert tcp $HOME_NET any -> [217.197.107.177] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246832; rev:1;) alert tcp $HOME_NET any -> [20.73.14.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246822; rev:1;) alert tcp $HOME_NET any -> [20.73.14.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246823; rev:1;) alert tcp $HOME_NET any -> [80.82.76.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; 
sid:91246825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/amadey.exe"; depth:17; nocase; http.host; content:"91.92.250.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246826; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246831; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246830; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246829; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246828; rev:1;) alert tcp $HOME_NET any -> [147.45.68.14] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246827; rev:1;) alert tcp $HOME_NET any -> [185.255.114.127] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246824; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18/gate.php"; depth:12; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246820; rev:1;) alert tcp $HOME_NET any -> [105.98.140.166] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246765; rev:1;) alert tcp $HOME_NET any -> [105.99.1.231] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246766/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246766; rev:1;) alert tcp $HOME_NET any -> [105.98.156.131] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246767; rev:1;) alert tcp $HOME_NET any -> [105.102.233.51] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246768; rev:1;) alert tcp $HOME_NET any -> [72.167.134.164] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aireynvuw.homeunix.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246772; rev:1;) alert tcp $HOME_NET any -> [94.156.66.151] 39001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghfhhminfudk.exe"; depth:17; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hghghjhfhleviticus.exe"; depth:23; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjhfhgdg.insane.wang"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/1591130eaa3b8a96895bff8d686e7ec2697f986974508c85f0b051191a853aa069fe7ce03179e1c20ec7"; depth:94; nocase; http.host; content:"api.filedoge.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gfgghdhwhatsup.exe"; depth:19; 
nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246784; rev:1;) alert tcp $HOME_NET any -> [154.37.51.70] 3320 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246785; rev:1;) alert tcp $HOME_NET any -> [154.37.51.70] 3321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buassinnndm.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246792; rev:1;) alert tcp $HOME_NET any -> [143.198.197.14] 445 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246793; rev:1;) alert tcp $HOME_NET any -> [193.222.96.13] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; 
classtype:trojan-activity; sid:91246794; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11256 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246818; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11256 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246819; rev:1;) alert tcp $HOME_NET any -> [45.131.108.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246773/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246773; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 57514 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"17.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246759; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 17008 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246760; rev:1;) alert tcp $HOME_NET any -> [109.248.12.212] 5501 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246761/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246761; rev:1;) alert tcp $HOME_NET any -> [89.245.33.102] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246762/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246762; rev:1;) alert tcp $HOME_NET any -> [216.83.40.68] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246763/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statistic/js/stat/js"; depth:21; nocase; http.host; content:"marvin-occentus.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"policy.donnafrey.com"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1246747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"policy.donnafrey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246748; rev:1;)
# NOTE(review): the dns rules in this feed pin the exact FQDN (depth equals the pattern length and
# isdataat:!1,relative forbids anything after it), so a query for a subdomain of the IOC domain does
# not match. That is the right precision for a plain C2 hostname; only widen it (drop depth, keep a
# leading dot) for domains known to carry data in subdomain labels.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf-protected-l7.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246757; rev:1;)
# NOTE(review): sids 91246743/91246744 (and 91246741/91246742 further down) look for the IOC IP string at
# offset 0 of http.uri: depth equals the pattern length and there is no http.host check, so the request
# path itself would have to be the bare IP. A normalised URI begins with "/" (an absolute-form URI with
# its scheme), so as far as I can tell these cannot fire on ordinary traffic. The other url-type rules in
# this feed anchor an IP with `http.host; content:"<ip>"; depth:<len>; isdataat:!1,relative;` - check the
# referenced ThreatFox records and regenerate these as host matches (or ip:port rules) before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"88.99.127.167"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1246743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.214.7"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1246744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marvin-occentus.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246745; rev:1;)
# NOTE(review): same offset-0 http.uri problem as sids 91246743/91246744 above - these two are not expected to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"49.13.89.149"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1246741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"78.46.233.36"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1246742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246742; rev:1;)
# NOTE(review): by its name, and by the xmrig ip:port rule that follows it, xmr.2miners.com is a public
# Monero mining pool rather than a botnet controller. A hit means a host is mining (possibly with a user's
# consent); triage it as cryptomining, not as a C2 beacon, and do not let "confidence 100" alone drive an
# isolation action.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.2miners.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246740; rev:1;)
# NOTE(review): the ip:port rules in this feed are plain `alert tcp` with no flow keyword, so a single SYN
# from $HOME_NET (even one that never completes) raises the alert; the threshold then caps it at one alert
# per source host per 60 s. Useful for IOC hits, but a blocked or refused connection looks the same as a
# live session - confirm with flow records before calling it an active beacon.
alert tcp $HOME_NET any -> [162.19.139.184] 12222 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aptcorp.us"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246737/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246737; rev:1;) alert tcp $HOME_NET any -> [45.128.232.250] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246738/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246738; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 8889 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246735; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 31705 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246736; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 2014 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246732; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 8080 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246733; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 8888 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246734; rev:1;) alert tcp $HOME_NET any -> [212.113.116.216] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246728; rev:1;) alert tcp $HOME_NET any -> [45.61.54.105] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246729; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 1433 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246731; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 88 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246730; rev:1;) alert tcp $HOME_NET any -> [141.98.7.221] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; 
sid:91246695; rev:1;) alert tcp $HOME_NET any -> [176.97.210.31] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246727; rev:1;) alert tcp $HOME_NET any -> [212.109.194.186] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246817; rev:1;) alert tcp $HOME_NET any -> [107.189.24.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246816; rev:1;) alert tcp $HOME_NET any -> [65.20.71.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246815; rev:1;) alert tcp $HOME_NET any -> [46.246.82.17] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246814; rev:1;) alert tcp $HOME_NET any -> [154.246.189.64] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246813; rev:1;) alert tcp $HOME_NET any -> [193.149.189.103] 55006 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246812; rev:1;) alert tcp $HOME_NET any -> [207.148.73.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246811; rev:1;) alert tcp $HOME_NET any -> [65.108.19.239] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246810; rev:1;) alert tcp $HOME_NET any -> [172.247.113.106] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246809; rev:1;) alert tcp $HOME_NET any -> [185.22.155.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246808; rev:1;) alert tcp $HOME_NET any -> [165.22.72.160] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246807; rev:1;) alert tcp $HOME_NET any -> [168.76.172.126] 15023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246806; rev:1;) alert tcp $HOME_NET any -> [218.28.172.25] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246805; rev:1;) alert tcp $HOME_NET any -> [104.236.72.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246804; rev:1;) alert tcp $HOME_NET any -> [8.220.135.161] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246803; rev:1;) alert tcp $HOME_NET any -> [39.99.251.33] 63421 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; 
sid:91246802; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246801; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246800; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246799; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246798; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246797; rev:1;) alert tcp $HOME_NET any -> [93.123.39.147] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246796; rev:1;) alert tcp $HOME_NET any -> [52.27.42.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246795/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_19; classtype:trojan-activity; sid:91246795; rev:1;) alert tcp $HOME_NET any -> [154.31.180.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246791; rev:1;) alert tcp $HOME_NET any -> [154.31.181.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246790; rev:1;) alert tcp $HOME_NET any -> [154.31.179.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246789; rev:1;) alert tcp $HOME_NET any -> [154.31.183.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.31.176.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246787; rev:1;)
alert tcp $HOME_NET any -> [31.129.98.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246783; rev:1;)
alert tcp $HOME_NET any -> [41.98.246.202] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246782; rev:1;)
# NOTE(review): "Responder" names the LLMNR/NBT-NS poisoning tool and its rogue SMB listener (inferred from
# the malware label; the IOC record itself is only ip:port). An outbound 445 from $HOME_NET to it is a
# forced-authentication / NTLM-hash leak attempt rather than beaconing, so treat the connecting host's
# credentials as exposed, not just the host as infected. If egress 445 is already blocked at the perimeter
# this rule only fires on the dropped SYN - still worth keeping, because it shows which host tried to leak.
alert tcp $HOME_NET any -> [94.237.43.116] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246781; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.87] 3509 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246780; rev:1;)
alert tcp $HOME_NET any -> [13.113.189.83] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246779; rev:1;) alert tcp $HOME_NET any -> [45.140.146.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.140.146.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246769; rev:1;) alert tcp $HOME_NET any -> [94.156.65.18] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.25.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.210.0"; 
depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246755; rev:1;)
# NOTE(review): the next two rules key on a Steam profile page and a Telegram channel path - the pattern
# infostealers use as dead-drop resolvers that publish the real C2 address (the Vidar ip:port rules right
# after them are plausibly the resolved targets; that is inferred from adjacency, the records do not say so).
# Two practical caveats: (1) both hosts are high-volume legitimate services, so alert/block on the full URI
# only, never on the host alone; (2) both are reached over TLS in practice, so an `http` rule only sees the
# request behind a decrypting proxy - without one the observable is the TLS SNI or the DNS lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199654112719"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r2d0s"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246753; rev:1;)
alert tcp $HOME_NET any -> [5.75.210.0] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246751; rev:1;)
alert tcp $HOME_NET any -> [95.217.25.45] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246752; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.74] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246750; rev:1;) alert tcp $HOME_NET any -> [175.42.18.7] 4784 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246749; rev:1;) alert tcp $HOME_NET any -> [138.197.68.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/broadcast"; depth:10; nocase; http.host; content:"138.197.68.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; 
http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246723; rev:1;) alert tcp $HOME_NET any -> [82.157.69.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246721; rev:1;) alert tcp $HOME_NET any -> [185.130.46.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246717; rev:1;) alert tcp $HOME_NET any -> [118.31.118.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.27.109.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246716; rev:1;) alert tcp $HOME_NET any -> [118.31.118.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.103.218.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246713; rev:1;) alert tcp $HOME_NET any -> [13.55.236.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"13.55.236.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246711; rev:1;) alert tcp $HOME_NET any -> [8.217.68.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"8.217.68.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; 
classtype:trojan-activity; sid:91246709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"16.163.149.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246707; rev:1;) alert tcp $HOME_NET any -> [16.163.149.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.25.173.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246705; rev:1;) alert tcp $HOME_NET any -> [118.25.173.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgsk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; 
classtype:trojan-activity; sid:91246703; rev:1;) alert tcp $HOME_NET any -> [49.232.191.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"tgsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.191.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"193.222.96.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246700; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 41985 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246699; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.fwmtest.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fwmtest.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"sajdfue.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246693; rev:1;) alert tcp $HOME_NET any -> [217.18.63.132] 707 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246692/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246692; rev:1;) alert tcp $HOME_NET any -> [94.103.188.202] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246679; rev:1;) alert tcp $HOME_NET any -> [81.136.59.207] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246690; rev:1;) alert tcp $HOME_NET any -> [120.78.133.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-akqr4y12-1300243308.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246688; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-akqr4y12-1300243308.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246687; rev:1;) alert tcp $HOME_NET any -> [139.9.46.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246680; rev:1;) alert tcp $HOME_NET any -> [141.98.10.128] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246677; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firmware.fucktheccp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246678; rev:1;) alert tcp $HOME_NET any -> [144.126.198.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246676; rev:1;) alert tcp $HOME_NET any -> [87.120.84.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246675; rev:1;) alert tcp $HOME_NET any -> [47.242.8.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246674; rev:1;) alert tcp $HOME_NET any -> [45.152.66.151] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246673; rev:1;) alert tcp $HOME_NET any -> [103.165.81.207] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246672; rev:1;) alert tcp $HOME_NET any -> [190.133.143.235] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246671; rev:1;) alert tcp $HOME_NET any -> [79.174.95.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246670; rev:1;) alert tcp $HOME_NET any -> [43.198.225.0] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7vs.top"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wall4k.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vstoea.wiki"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246597/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_18; classtype:trojan-activity; sid:91246597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1246620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qftwo2sr.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246624; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 41414 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; 
sid:91246632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"authority-amazon.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246633; rev:1;) alert tcp $HOME_NET any -> [185.125.50.49] 7439 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246660; rev:1;) alert tcp $HOME_NET any -> [4.185.137.132] 1632 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246661; rev:1;) alert tcp $HOME_NET any -> [103.153.69.99] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bn.networkbn.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246656; rev:1;) alert tcp $HOME_NET any -> [187.135.149.236] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246642; rev:1;) alert tcp $HOME_NET any -> [187.135.170.92] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246643; rev:1;) alert tcp $HOME_NET any -> [187.135.170.92] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246644; rev:1;) alert tcp $HOME_NET any -> [187.135.170.92] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246645; rev:1;) alert tcp $HOME_NET any -> [187.135.139.227] 1949 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246646; rev:1;) alert tcp $HOME_NET any -> [187.135.139.227] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246648; rev:1;) alert 
tcp $HOME_NET any -> [187.135.139.227] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246649; rev:1;) alert tcp $HOME_NET any -> [82.66.185.138] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246650; rev:1;) alert tcp $HOME_NET any -> [187.135.139.227] 2050 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246647; rev:1;) alert tcp $HOME_NET any -> [45.14.245.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246640; rev:1;) alert tcp $HOME_NET any -> [89.23.100.222] 44528 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246641; rev:1;) alert tcp $HOME_NET any -> [193.222.96.14] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246639; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246638; rev:1;) alert tcp $HOME_NET any -> [193.222.96.96] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246637; rev:1;) alert tcp $HOME_NET any -> [193.222.96.95] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246636; rev:1;) alert tcp $HOME_NET any -> [193.222.96.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diveupdown.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viopde.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utlyter.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkteew.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soudes.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sotepo.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paolio.shop"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1246590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rknloco.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pabox.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogcegd.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowurl.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modpk.asia"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; 
sid:91246586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melyre.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lxszgs.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lpcwww.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmmqgd.website"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dre4.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"desesn.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyskop.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpritn.city"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdrawhi.art"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6lpc.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4url312.vip"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246575/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4url.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.113.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246665; rev:1;) alert tcp $HOME_NET any -> [5.75.208.102] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246663; rev:1;) alert tcp $HOME_NET any -> [49.12.113.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246664; rev:1;) alert tcp $HOME_NET any -> [5.75.208.102] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246662; rev:1;) alert tcp $HOME_NET any -> [194.147.140.146] 6609 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246659; rev:1;) alert tcp $HOME_NET any -> [89.208.107.205] 7578 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246658; rev:1;) alert tcp $HOME_NET any -> [172.245.208.13] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246657; rev:1;) alert tcp $HOME_NET any -> [83.137.157.61] 9231 (msg:"ThreatFox Remcos botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246654; rev:1;) alert tcp $HOME_NET any -> [8.222.147.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246652; rev:1;) alert tcp $HOME_NET any -> [194.233.79.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246631; rev:1;) alert tcp $HOME_NET any -> [45.128.96.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246630; rev:1;) alert tcp $HOME_NET any -> [20.234.62.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246629; rev:1;) alert tcp $HOME_NET any -> [139.180.199.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246628; rev:1;) alert tcp $HOME_NET any -> [202.47.118.167] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246627; rev:1;) alert tcp $HOME_NET any -> [184.66.10.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246626; rev:1;) alert tcp $HOME_NET any -> [72.27.161.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; 
sid:91246625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.78.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.136.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"167.235.207.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.83.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246570; rev:1;) alert tcp $HOME_NET any -> [78.47.136.81] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246568; rev:1;) alert tcp $HOME_NET any -> [78.47.78.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246569; rev:1;) alert tcp $HOME_NET any -> [65.108.83.243] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246566; rev:1;) alert tcp $HOME_NET any -> [167.235.207.130] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246567; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 48079 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pidorgeio-48079.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managevvb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"managevvb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246559; rev:1;) alert tcp $HOME_NET any -> [89.245.35.152] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246560; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12051 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246561; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 56522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"having-jackson.gl.at.ply.gg"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246564; rev:1;) alert tcp $HOME_NET any -> [23.106.121.133] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246565; rev:1;) alert tcp $HOME_NET any -> [193.233.132.62] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beuces.cool"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ransomware.wannacry_plus.zip"; depth:29; nocase; http.host; content:"14.224.174.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246554; rev:1;) alert tcp $HOME_NET any -> [172.245.72.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246552/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.3qweraa.beauty"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.3qweraa.beauty"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"146.70.44.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246547; rev:1;) alert tcp $HOME_NET any -> [47.120.63.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246548; rev:1;) alert tcp $HOME_NET any -> [13.68.195.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"redir-s49f828c.eastus.cloudapp.azure.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redir-s49f828c.eastus.cloudapp.azure.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.92.155.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246543; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.134.126.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246540; rev:1;) alert tcp $HOME_NET any -> [49.232.191.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; 
classtype:trojan-activity; sid:91246537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"124.222.147.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"80.87.206.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"planetstherapy.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.planetstherapy.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246533; rev:1;) alert tcp $HOME_NET any -> [37.120.239.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link.css"; depth:9; nocase; http.host; content:"37.120.239.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cq25511.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"service-89u0y7ij-1305550121.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246524; rev:1;) alert tcp $HOME_NET any -> [1.116.103.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"service-89u0y7ij-1305550121.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246523; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246520; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.10086cn.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246521; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"prod-ireland.arkoselabs.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prod-ireland.arkoselabs.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epic-games-api.arkoselabs.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246516; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"epic-games-api.arkoselabs.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"client-api.arkoselabs.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0929875.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246512; rev:1;) alert tcp $HOME_NET any -> [23.94.104.16] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4qvvg9ud51lxa5te.gta5.eu.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1246506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246506; rev:1;) alert tcp $HOME_NET any -> [198.12.88.130] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"139.9.190.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.40.119.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246508; rev:1;) alert tcp $HOME_NET any -> [205.185.126.140] 24124 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246504/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246504; rev:1;) alert tcp $HOME_NET any -> [194.169.175.43] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246503/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246502; rev:1;) alert tcp $HOME_NET any -> [78.40.117.218] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246501/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246501; rev:1;) alert tcp $HOME_NET any -> [79.124.40.47] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzflzwiznmywzdi5/"; depth:18; nocase; http.host; content:"83.97.73.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246485; rev:1;) alert tcp $HOME_NET any -> [89.245.33.186] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huot.ltd"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246479; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246480; rev:1;) alert tcp $HOME_NET any -> [89.245.33.186] 3000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; 
classtype:trojan-activity; sid:91246469; rev:1;) alert tcp $HOME_NET any -> [141.95.114.229] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246402; rev:1;) alert tcp $HOME_NET any -> [141.95.114.229] 8080 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246403; rev:1;) alert tcp $HOME_NET any -> [45.147.228.138] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246404; rev:1;) alert tcp $HOME_NET any -> [51.195.192.51] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246405; rev:1;) alert tcp $HOME_NET any -> [94.156.71.75] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246406; rev:1;) alert tcp $HOME_NET any -> [51.195.192.51] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246407; rev:1;) alert tcp $HOME_NET any -> [93.123.85.101] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246408; rev:1;) alert tcp $HOME_NET any -> [217.18.63.132] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246427/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managedkv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246463; rev:1;) alert tcp $HOME_NET any -> [188.120.250.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246499; rev:1;) alert tcp $HOME_NET any -> [2.31.159.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; 
sid:91246498; rev:1;) alert tcp $HOME_NET any -> [124.171.143.147] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246497; rev:1;) alert tcp $HOME_NET any -> [70.31.125.101] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246496; rev:1;) alert tcp $HOME_NET any -> [62.182.80.97] 56432 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246495; rev:1;) alert tcp $HOME_NET any -> [37.1.210.247] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246494; rev:1;) alert tcp $HOME_NET any -> [51.195.91.31] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246493; rev:1;) alert tcp $HOME_NET any -> [89.116.22.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246492/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246492; rev:1;) alert tcp $HOME_NET any -> [20.197.20.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246491; rev:1;) alert tcp $HOME_NET any -> [3.35.14.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246490; rev:1;) alert tcp $HOME_NET any -> [168.76.172.111] 15023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246489; rev:1;) alert tcp $HOME_NET any -> [89.223.121.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246488; rev:1;) alert tcp $HOME_NET any -> [89.223.121.240] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246487; rev:1;) alert tcp $HOME_NET any -> [185.194.140.225] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246486; rev:1;) alert tcp $HOME_NET any -> [193.124.205.80] 4608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flowerpublicpacket/db8test5/wordpress02flower/processorlongpolllow/defaultprotect/_temp/bigloaddatalife7mariadb/_vmbetterimage/dumppipejavascriptpython/8default/1/trafficprovider/wp/wpapi/vmlongpoll1/6wordpresspacket/0multiupdateauth/4/pipeauthtest.php"; depth:253; nocase; http.host; content:"89.23.96.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246483; rev:1;) alert tcp $HOME_NET any -> [103.253.73.222] 117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/flowerprocessorjavascriptvideo/eternalbigload/test/4/test/16datalife8/httpwpuploads/jssqlsqlline/uploadscpuproton/dbprotect/local/update/jstemp/videolinepythonsql/flower/apiwordpresstest_/javascriptuniversal/imageapitemp.php"; depth:225; nocase; http.host; content:"89.23.97.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246481; rev:1;) alert tcp $HOME_NET any -> [46.226.164.150] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246478; rev:1;) alert tcp $HOME_NET any -> [154.12.28.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246477; rev:1;) alert tcp $HOME_NET any -> [151.64.220.95] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246476; rev:1;) alert tcp $HOME_NET any -> [34.69.171.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246475; rev:1;) alert tcp $HOME_NET any -> [51.195.91.31] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246474; rev:1;) alert tcp $HOME_NET any -> [146.70.100.113] 22222 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246473; rev:1;) alert tcp $HOME_NET any -> [113.25.150.234] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246472; rev:1;) alert tcp $HOME_NET any -> [178.17.170.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bad.bois.sh"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246467; rev:1;) alert tcp $HOME_NET any -> [20.55.16.22] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; 
classtype:trojan-activity; sid:91246468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scoring.bois.sh"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"good.bois.sh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.96.229.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246462; rev:1;) alert tcp $HOME_NET any -> [121.36.33.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.36.33.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; 
classtype:trojan-activity; sid:91246460; rev:1;) alert tcp $HOME_NET any -> [54.220.110.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlinetraveler.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"onlinetraveler.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246457; rev:1;) alert tcp $HOME_NET any -> [121.36.198.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.36.198.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246455/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246455; rev:1;) alert tcp $HOME_NET any -> [13.201.220.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.126.66.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246453; rev:1;) alert tcp $HOME_NET any -> [5.42.65.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"27925375.whiteproducts.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246451; rev:1;) alert tcp $HOME_NET any -> [154.23.178.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246450/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_16; classtype:trojan-activity; sid:91246450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.47.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"111.51.156.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.225.221.115"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.141.11.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"www.baidu12366.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; 
sid:91246437; rev:1;) alert tcp $HOME_NET any -> [45.138.157.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mozilia-tm.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"update.mozilia-tm.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z886888.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246432; rev:1;) alert tcp $HOME_NET any -> [8.222.147.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"z886888.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246431; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.253.146.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246428; rev:1;) alert tcp $HOME_NET any -> [5.42.65.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; 
classtype:trojan-activity; sid:91246426; rev:1;) alert tcp $HOME_NET any -> [188.120.231.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246425; rev:1;) alert tcp $HOME_NET any -> [64.23.228.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246424; rev:1;) alert tcp $HOME_NET any -> [185.80.128.10] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246423; rev:1;) alert tcp $HOME_NET any -> [46.246.86.16] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246422; rev:1;) alert tcp $HOME_NET any -> [27.124.34.10] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246421; rev:1;) alert tcp $HOME_NET any -> [72.27.104.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246420; rev:1;) alert tcp $HOME_NET any -> [189.222.127.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246419; rev:1;) alert tcp $HOME_NET any -> [50.67.6.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246418; rev:1;) alert tcp $HOME_NET any -> [39.105.194.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246417; rev:1;) alert tcp $HOME_NET any -> [37.1.210.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246416; rev:1;) alert tcp $HOME_NET any -> [45.134.9.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246415; rev:1;) alert tcp $HOME_NET any -> [47.122.6.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246414; rev:1;) alert tcp $HOME_NET any -> [20.127.96.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246413; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 4444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246412; rev:1;) alert tcp $HOME_NET any -> [140.82.20.246] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246411; rev:1;) alert tcp $HOME_NET any -> [23.227.202.153] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246410; rev:1;) alert tcp $HOME_NET any -> [34.231.255.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246409; 
rev:1;) alert tcp $HOME_NET any -> [206.238.113.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246401; rev:1;) alert tcp $HOME_NET any -> [104.233.187.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246400; rev:1;) alert tcp $HOME_NET any -> [43.143.130.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246399; rev:1;) alert tcp $HOME_NET any -> [121.41.168.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246398; rev:1;) alert tcp $HOME_NET any -> [180.76.231.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246397; rev:1;) alert tcp $HOME_NET any -> [39.51.186.81] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246396; rev:1;) alert tcp $HOME_NET any -> [167.56.66.0] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246395; rev:1;) alert tcp $HOME_NET any -> [46.41.139.162] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246394; rev:1;) alert tcp $HOME_NET any -> [69.30.249.147] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246393; rev:1;) alert tcp $HOME_NET any -> [45.138.157.4] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246392; rev:1;) alert tcp $HOME_NET any -> [103.113.68.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246390; rev:1;) alert tcp $HOME_NET any -> [103.113.68.85] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246391; rev:1;) alert tcp $HOME_NET any -> [69.30.249.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246388; rev:1;) alert tcp $HOME_NET any -> [69.30.249.148] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246389; rev:1;) alert tcp $HOME_NET any -> [69.30.249.148] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246387; rev:1;) alert tcp $HOME_NET any -> [20.244.47.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246386; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 49737 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246385; rev:1;) alert tcp $HOME_NET any -> 
[172.105.58.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dwai1l.papelhigienicoobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"w8oafr.almofadaobjeto.ru.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"e3iu8c.carregadorobjeto.za.com"; depth:30; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"veea5y.gpsdecarroobjeto.sa.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"t2uehw.etiquetaadesivaobjeto.ru.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"0buue2.padelixoobjeto.sa.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wafu.gpsdecarroobjeto.sa.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a5aoee.caixadeferramentasobjeto.za.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wadn.maquinadecafeobjeto.ru.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"r6oacr.papelhigienicoobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reoer.canecaobjeto.ru.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeu6r.etiquetaadesivaobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"3ba7r.almofadaobjeto.ru.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rgar0.padelixoobjeto.sa.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"freodr.kitdesocorrosobjeto.za.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"jwafy.canecaobjeto.ru.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"9ja7t.maquinadecafeobjeto.ru.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"raipd.carregadorobjeto.za.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hiui7e.kitdesocorrosobjeto.za.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lwajt.caixadeferramentasobjeto.za.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246364/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reoer.canecaobjeto.ru.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgar0.padelixoobjeto.sa.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t2uehw.etiquetaadesivaobjeto.ru.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veea5y.gpsdecarroobjeto.sa.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w8oafr.almofadaobjeto.ru.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wadn.maquinadecafeobjeto.ru.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wafu.gpsdecarroobjeto.sa.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0buue2.padelixoobjeto.sa.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ba7r.almofadaobjeto.ru.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9ja7t.maquinadecafeobjeto.ru.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246345; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a5aoee.caixadeferramentasobjeto.za.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwai1l.papelhigienicoobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e3iu8c.carregadorobjeto.za.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eeu6r.etiquetaadesivaobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freodr.kitdesocorrosobjeto.za.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiui7e.kitdesocorrosobjeto.za.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jwafy.canecaobjeto.ru.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lwajt.caixadeferramentasobjeto.za.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r6oacr.papelhigienicoobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raipd.carregadorobjeto.za.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqlcentraluploads.php"; depth:22; nocase; http.host; content:"951499cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246342; rev:1;) alert tcp $HOME_NET any -> [103.119.1.73] 1111 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parabmasale.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246340; rev:1;) alert tcp $HOME_NET any -> [193.35.18.164] 59432 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franco1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"worldofmantas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"worldofmantas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheaterpro.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.34"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1246337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246337; rev:1;) alert tcp $HOME_NET any -> [213.248.43.34] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246338; rev:1;) alert tcp $HOME_NET any -> [95.179.190.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ontexcare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246328; rev:1;) alert tcp $HOME_NET any -> [128.90.128.157] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246314/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_15; classtype:trojan-activity; sid:91246314; rev:1;) alert tcp $HOME_NET any -> [193.47.46.10] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246316; rev:1;) alert tcp $HOME_NET any -> [105.99.46.173] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246317; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246318; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246319; rev:1;) alert tcp $HOME_NET any -> [23.95.132.42] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246320; rev:1;) alert tcp $HOME_NET any -> [85.204.116.169] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246321; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 1482 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm.css"; depth:7; nocase; http.host; content:"apps.nbcnews.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apps.nbcnews.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/define/cookies/j7y8xv07bjq"; depth:27; nocase; http.host; content:"139.155.97.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246324; rev:1;) alert tcp $HOME_NET any -> [91.92.252.232] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"theatergenerationju.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"111.229.19.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"120.222.152.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"120.222.152.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.219.54.123"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.jd-vip.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.jd-vip.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boondle.txt"; depth:12; nocase; http.host; content:"tafrihafashion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xjadlcqfulrmbgzmnncyaldkmqglyjbkix.txt"; depth:39; nocase; http.host; content:"fatttjapan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"otxcosmeticscare.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otxcarecosmetics.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artstrailman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ontexcare.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trackgroup.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessprofessionalllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1246300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246294; rev:1;) alert tcp $HOME_NET any -> [77.232.143.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"77.232.143.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mx77zdhn-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-mx77zdhn-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246290; rev:1;) alert tcp $HOME_NET any -> [192.151.244.144] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c8/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246286; rev:1;) alert tcp $HOME_NET any -> [45.125.66.54] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246277; rev:1;) alert tcp $HOME_NET any -> [45.125.66.37] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246276; rev:1;) alert tcp $HOME_NET any -> [45.125.66.61] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246278; rev:1;) alert tcp $HOME_NET any -> [45.125.66.64] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246279; rev:1;) alert tcp $HOME_NET any -> [45.125.66.68] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246280; rev:1;) alert tcp $HOME_NET any -> [45.125.66.95] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246281; rev:1;) alert tcp $HOME_NET any -> [45.125.66.109] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246282; rev:1;) alert tcp $HOME_NET any -> [45.125.66.137] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246283; rev:1;) alert tcp $HOME_NET any -> [45.125.66.146] 
1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246284; rev:1;) alert tcp $HOME_NET any -> [45.125.66.152] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246285; rev:1;) alert tcp $HOME_NET any -> [88.198.109.225] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.109.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246274; rev:1;) alert tcp $HOME_NET any -> [124.221.163.107] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246272; rev:1;) alert tcp $HOME_NET any -> [141.98.10.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1246273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"muggierdragstemmio.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"zamesblack.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wisemassiveharmonious.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"medalappearancerackw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modernizepledgeoi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofahuntingslidedine.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reechoingkaolizationp.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"townsfolkhiwoeko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"theoryapparatusjuko.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"premeritwallyoko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scandalbasketballoe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mealroomrallpassiveer.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"favourlegislatureduei.shop"; depth:26; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"asleepfulltytarrtw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vatleaflettrusteeooj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"questbehavixoporpo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"greenbowelsustainny.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fishboatnurrybeauti.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mutterunlikelyoo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bicyclesunhygenico.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"executivebrakeji.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"drilmoralwandreowpops.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blastoporicwoff.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"decorousnumerousieo.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pielumchalotpostwo.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"triangleseasonbenchwj.shop"; depth:26; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fieldtrollyeowskwe.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lightsecretatylattew.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"executrixrangedcoew.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"forknegotationaow.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bremenessverdurewas.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"inviteaccessiblesaltw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fossillandscapefewkew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"relevantvoicelesskw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"antiuncontemporary.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peasanthovecapspll.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"likelysoarastonishiow.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scshemevalleywelferw.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pioneerframeoakchew.fun"; 
depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"herdbescuitinjurywu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"smallrabbitcrossing.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"improvisersmissionjuw.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sustentatorcoagulat.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fikkeropendorwiw.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"telephoneverdictyow.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"explodesaildecksatt.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"donorwifeconfusionstronko.site"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stamprollabbeymemberw.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mazumaponyanthus.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cattilecodereowop.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sermonundressolcow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scrapedirtyieoqk.shop"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246011; rev:1;)
# NOTE(review): the "url" rules below only see cleartext HTTP (alert http with the
# http.method / http.uri / http.host buffers). A TLS connection to the same hostname
# never populates these buffers, so unless TLS is decrypted upstream, coverage of these
# names depends on DNS / TLS-SNI rules elsewhere in the feed (not visible in this
# section). Matching detail: http.host is compared case-insensitively (Suricata
# lowercases that buffer, which is why there is no nocase on it); depth:N plus
# isdataat:!1,relative pins the exact hostname, while the URI match is only the
# prefix "/api" (any "/api..." path on that host matches).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"presencewineonnyui.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"thinrecordsunrjisow.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246013; rev:1;)
# NOTE(review): the ip:port rules carry no flow keyword, so any TCP packet from
# $HOME_NET toward the listed address:port matches (a bare SYN is enough — no TLS or
# payload inspection is involved); threshold limits this to one alert per source
# per 60 s. The three addresses below look like cloud-provider space (34.x / 35.x,
# 138.68.x) that can be reassigned after the 2024_03_15 first_seen date — re-validate
# against the referenced ThreatFox entry before treating a port-443 hit as confirmed
# DanaBot C2, and expire the indicator rather than keeping it indefinitely.
alert tcp $HOME_NET any -> [34.125.56.40] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246009; rev:1;)
alert tcp $HOME_NET any -> [138.68.78.110] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246010; rev:1;)
alert tcp $HOME_NET any -> [35.237.192.132] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"audiencegafferokkow.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"prescriptionstorageag.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"snuggleapplicationswo.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"steadfastvaluabelywomo.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"breakdecisiveexpandw.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unexaminablespectrall.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unhappytidydryypwto.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diamondarrivallyowju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"regardvelvettynerverf.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"isotrimorphicnongrasse.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ironshottallinko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"woodfeetumhblefepoj.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"additionmarriagefoewsv.shop"; 
depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baresoakopiniocowe.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"auctiondecadecontaii.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"syncarpiajanapiom.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modestessayevenmilwek.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"colorfulequalugliess.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"superiorhardwaerw.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"princeaccessiblepo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"noduscheatscake.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"knonkcdalfyhitt.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"culturesketchfinanciall.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"televisionstudiowmmj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"assumptionflattyou.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"legatorypluralishrtw.shop"; depth:25; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"clientgirlfrienddyjw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"onebiogopwdsa.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"samplepoisonbarryntj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"villagemagneticcsa.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"avatar.ps"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgj112233.codns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246241; rev:1;) alert tcp $HOME_NET any -> [67.213.108.79] 4782 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.fwfy.club"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njtrial.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246244; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 38122 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"links-annually.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246246; rev:1;) alert tcp $HOME_NET any -> [52.14.81.142] 22206 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7.tcp.ngrok.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246248/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246248; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 13040 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246249; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246250; rev:1;) alert tcp $HOME_NET any -> [204.93.201.142] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246230; rev:1;) alert tcp $HOME_NET any -> [35.213.200.121] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nextroundst.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246229; rev:1;) alert tcp $HOME_NET any -> [170.130.165.132] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246104; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246105; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246106; rev:1;) alert tcp $HOME_NET any -> [1.13.17.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adfhjadfbjadbfjkhad44jka.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywzimzrmnza4nzk0/"; depth:18; nocase; http.host; content:"valeriamygirlinstripcalloc.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246120; rev:1;) alert tcp $HOME_NET any -> [94.156.68.16] 137 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mauricioclopatofsky.tel"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246142; rev:1;) alert tcp $HOME_NET any -> [194.147.140.188] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voshu.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246170; rev:1;) alert tcp $HOME_NET any -> [51.144.73.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246197; rev:1;) alert tcp $HOME_NET any -> [5.255.123.240] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246198/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246198; rev:1;) alert tcp $HOME_NET any -> [5.255.116.222] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246199/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246199; rev:1;) alert tcp $HOME_NET any -> [87.251.67.74] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246200/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246200; rev:1;) alert tcp $HOME_NET any -> [213.139.205.137] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246202/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246202; rev:1;) alert tcp $HOME_NET any -> [91.235.234.149] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246201/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246201; rev:1;) alert tcp $HOME_NET any -> [185.141.24.10] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245971; rev:1;) alert tcp $HOME_NET any -> [194.36.188.66] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245972; rev:1;) alert tcp $HOME_NET any -> [185.82.200.181] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245973; rev:1;) alert tcp $HOME_NET any -> [194.36.188.56] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245974; rev:1;) alert tcp $HOME_NET any -> [194.36.188.62] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245975; rev:1;) alert tcp $HOME_NET any -> [164.90.202.142] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245978; rev:1;) alert tcp $HOME_NET any -> [178.128.94.83] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245979; rev:1;) alert tcp $HOME_NET any -> [152.42.185.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91245980; rev:1;) alert tcp $HOME_NET any -> [152.42.169.205] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245981; rev:1;) alert tcp $HOME_NET any -> [128.199.198.141] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245982; rev:1;) alert tcp $HOME_NET any -> [152.42.169.247] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245987; rev:1;) alert tcp $HOME_NET any -> [24.199.125.76] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245986; rev:1;) alert tcp $HOME_NET any -> [152.42.185.16] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245988; rev:1;) alert tcp $HOME_NET any -> [152.42.185.20] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245989; rev:1;) alert tcp $HOME_NET any -> [170.64.211.86] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1b.cx"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245992; rev:1;) alert tcp $HOME_NET any -> [194.36.188.83] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245970; rev:1;) alert tcp $HOME_NET any -> [188.116.36.109] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245969; rev:1;) alert tcp $HOME_NET any -> [18.144.30.84] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91245976; rev:1;) alert tcp $HOME_NET any -> [34.216.132.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1v.nz"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6m.pics"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245993; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 1500 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.nhankimcuong.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246006; rev:1;) alert tcp $HOME_NET any -> [94.156.71.187] 7678 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245959; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245960; rev:1;) alert tcp $HOME_NET any -> [45.94.31.49] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245961; rev:1;) alert tcp $HOME_NET any -> [85.239.33.54] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245962/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245962; rev:1;) alert tcp $HOME_NET any -> [91.235.234.121] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245963/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245963; rev:1;) alert tcp $HOME_NET any -> [193.168.143.173] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245964/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91245964; rev:1;) alert tcp $HOME_NET any -> [91.235.234.195] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245965/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245965; rev:1;) alert tcp $HOME_NET any -> [5.255.108.56] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245966/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowsflowerlongpoll/datalifemariadb0/9/requestapi/videojavascriptbigloaddefaultflowerdlecdn.php"; depth:98; nocase; http.host; content:"gaming7core.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245967; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 54439 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.60"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245913/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245913; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 54438 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.136"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"acizac12141.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245915; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91245922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; 
nocase; http.host; content:"45.9.74.166"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245912; rev:1;) alert tcp $HOME_NET any -> [91.92.253.149] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245890; rev:1;) alert tcp $HOME_NET any -> [128.90.61.78] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledger-live.exe"; depth:16; nocase; http.host; content:"185.172.128.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245859; rev:1;) alert tcp $HOME_NET any -> [185.172.128.145] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245860; rev:1;) alert tcp $HOME_NET any -> [185.172.128.90] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245861/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245861; rev:1;) alert tcp $HOME_NET any -> [149.50.213.215] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245889; rev:1;) alert tcp $HOME_NET any -> [45.94.31.49] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245849; rev:1;) alert tcp $HOME_NET any -> [2.58.56.142] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245848; rev:1;) alert tcp $HOME_NET any -> [186.169.60.250] 1987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ex.zip"; depth:7; nocase; http.host; content:"206.188.196.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245854; rev:1;) alert tcp $HOME_NET 
any -> [45.15.157.139] 11070 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245855; rev:1;) alert tcp $HOME_NET any -> [45.15.157.139] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0885058.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246271; rev:1;) alert tcp $HOME_NET any -> [124.70.78.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246270; rev:1;) alert tcp $HOME_NET any -> [97.74.95.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246269; rev:1;) alert tcp $HOME_NET any -> [140.143.125.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246268; rev:1;) alert tcp $HOME_NET any -> [172.245.34.171] 58888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246267; rev:1;) alert tcp $HOME_NET any -> [123.253.108.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246266; rev:1;) alert tcp $HOME_NET any -> [179.14.9.152] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246265; rev:1;) alert tcp $HOME_NET any -> [27.124.34.16] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246264; rev:1;) alert tcp $HOME_NET any -> [41.96.85.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246263; rev:1;) 
alert tcp $HOME_NET any -> [137.103.187.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246262; rev:1;) alert tcp $HOME_NET any -> [72.27.11.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246261; rev:1;) alert tcp $HOME_NET any -> [172.232.14.44] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246260; rev:1;) alert tcp $HOME_NET any -> [23.227.198.236] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246259; rev:1;) alert tcp $HOME_NET any -> [46.37.96.110] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246258; rev:1;) alert tcp $HOME_NET any -> [54.209.66.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246257/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246257; rev:1;) alert tcp $HOME_NET any -> [139.162.180.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246256; rev:1;) alert tcp $HOME_NET any -> [23.95.48.151] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246255; rev:1;) alert tcp $HOME_NET any -> [23.227.194.177] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246254; rev:1;) alert tcp $HOME_NET any -> [194.246.114.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246253; rev:1;) alert tcp $HOME_NET any -> [8.130.10.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246252; rev:1;) alert tcp $HOME_NET any -> [143.244.132.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"392065cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.174.228.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246236; rev:1;) alert tcp $HOME_NET any -> [222.114.183.144] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246235; rev:1;) alert tcp $HOME_NET any -> [54.156.182.111] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246234/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91246234; rev:1;) alert tcp $HOME_NET any -> [139.180.144.32] 9001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91246233; rev:1;) alert tcp $HOME_NET any -> [85.239.238.79] 1235 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalgeocentral.php"; depth:22; nocase; http.host; content:"91.220.109.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246227; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246228; rev:1;) alert tcp $HOME_NET any -> [107.174.228.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"107.174.228.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246225; rev:1;) alert tcp $HOME_NET any -> [82.146.59.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246224; rev:1;) alert tcp $HOME_NET any -> [206.238.42.236] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246223; rev:1;) alert tcp $HOME_NET any -> [147.78.103.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246222; rev:1;) alert tcp $HOME_NET any -> [45.67.230.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246221/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_14; classtype:trojan-activity; sid:91246221; rev:1;) alert tcp $HOME_NET any -> [167.179.105.44] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246220; rev:1;) alert tcp $HOME_NET any -> [46.246.6.11] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246219; rev:1;) alert tcp $HOME_NET any -> [20.107.243.137] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246218; rev:1;) alert tcp $HOME_NET any -> [50.35.133.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246217; rev:1;) alert tcp $HOME_NET any -> [54.37.138.65] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246216; rev:1;) alert tcp $HOME_NET any -> [54.245.19.64] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1246215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246215; rev:1;) alert tcp $HOME_NET any -> [23.95.48.151] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246214; rev:1;) alert tcp $HOME_NET any -> [45.144.31.57] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246212; rev:1;) alert tcp $HOME_NET any -> [45.144.31.57] 40000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246213; rev:1;) alert tcp $HOME_NET any -> [103.152.254.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246211; rev:1;) alert tcp $HOME_NET any -> [45.8.146.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246210; rev:1;) alert tcp $HOME_NET any -> [3.0.250.71] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246209; rev:1;) alert tcp $HOME_NET any -> [116.203.117.12] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246208; rev:1;) alert tcp $HOME_NET any -> [45.144.28.165] 49119 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246206; rev:1;) alert tcp $HOME_NET any -> [103.35.188.34] 39119 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.117.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"103.35.188.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.144.28.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246203; rev:1;) alert tcp $HOME_NET any -> [168.100.11.227] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.otxcarecosmetics.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246195; rev:1;) alert tcp $HOME_NET any -> [134.209.87.204] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.otxcosmeticscare.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1246193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumbaraan.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246191; rev:1;) alert tcp $HOME_NET any -> [103.253.146.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"kumbaraan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.92.19.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246189; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cdn-1488.winstate.cc"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-1488.winstate.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"37.1.197.252"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246184; rev:1;) alert tcp $HOME_NET any -> [37.1.197.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246185; rev:1;) alert tcp $HOME_NET any -> [172.210.42.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocsp/"; depth:6; nocase; http.host; content:"172.210.42.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"35.153.33.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"42.186.17.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246180; rev:1;) alert tcp $HOME_NET any -> [74.48.19.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"jspassport.ssl.qhimg.com.dsa.dnsv1.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jspassport.ssl.qhimg.com.dsa.dnsv1.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246178; rev:1;) alert tcp $HOME_NET any -> [3.213.37.39] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246176; rev:1;) alert tcp $HOME_NET any -> [3.219.159.186] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246175/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246175; rev:1;) alert tcp $HOME_NET any -> [107.172.31.178] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246174; rev:1;) alert tcp $HOME_NET any -> [47.92.158.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"res.mall.10010.cn"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"119.91.26.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246168/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.91.26.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/hot/y/liveupdate/"; depth:26; nocase; http.host; content:"docloudstorage.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docloudstorage.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246160/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"43.141.11.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; 
sid:91246155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.103.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"5.75.208.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246150; rev:1;) alert tcp $HOME_NET any -> [116.203.15.173] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246146; rev:1;) alert tcp $HOME_NET any -> [5.75.215.43] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246147; rev:1;) alert tcp $HOME_NET any -> [159.69.103.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246148; rev:1;) alert tcp $HOME_NET any -> [65.109.240.54] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246143; rev:1;) alert tcp $HOME_NET any -> [5.75.208.156] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246144; rev:1;) 
alert tcp $HOME_NET any -> [5.75.208.156] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"mauricioclopatofsky.tel"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"mauricioclopatofsky.tel"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246138; rev:1;) alert tcp $HOME_NET any -> [124.70.19.189] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246137; rev:1;) alert tcp $HOME_NET any -> [123.1.189.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; 
sid:91246136; rev:1;) alert tcp $HOME_NET any -> [46.246.80.13] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246135; rev:1;) alert tcp $HOME_NET any -> [78.46.191.105] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246134; rev:1;) alert tcp $HOME_NET any -> [27.124.34.14] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246133; rev:1;) alert tcp $HOME_NET any -> [41.96.78.253] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246132; rev:1;) alert tcp $HOME_NET any -> [82.7.3.113] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246131; rev:1;) alert tcp $HOME_NET any -> [74.138.4.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246130/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246130; rev:1;) alert tcp $HOME_NET any -> [37.1.208.95] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246129; rev:1;) alert tcp $HOME_NET any -> [85.111.0.39] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246128; rev:1;) alert tcp $HOME_NET any -> [138.197.116.57] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246127; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0929508.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246125; rev:1;) alert tcp $HOME_NET any -> 
[49.13.200.170] 7878 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"rosalihi.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image1/linuxhttp/_/53secure/phplocal/externalrequestlow6/cdn/multi3auth/vmmultiflower.php"; depth:90; nocase; http.host; content:"185.104.113.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246122; rev:1;) alert tcp $HOME_NET any -> [154.23.178.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246121; rev:1;) alert tcp $HOME_NET any -> [141.255.167.251] 4760 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; 
classtype:trojan-activity; sid:91246119; rev:1;) alert tcp $HOME_NET any -> [5.181.80.13] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246118; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 4343 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246117; rev:1;) alert tcp $HOME_NET any -> [34.162.156.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246116; rev:1;) alert tcp $HOME_NET any -> [3.88.102.160] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246115; rev:1;) alert tcp $HOME_NET any -> [3.94.102.197] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246114; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246113; rev:1;) alert tcp $HOME_NET any -> [81.94.150.166] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246112; rev:1;) alert tcp $HOME_NET any -> [142.93.97.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newcleos.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/appdata.aspx"; depth:13; nocase; http.host; content:"newcleos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246108; rev:1;) alert tcp $HOME_NET any -> [81.70.71.30] 62233 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; 
classtype:trojan-activity; sid:91246103; rev:1;) alert tcp $HOME_NET any -> [57.151.120.22] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246102; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246101; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246100; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246099; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246098; rev:1;) alert tcp $HOME_NET any -> [129.204.201.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246097; rev:1;) alert tcp $HOME_NET any -> [193.42.63.146] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246096; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 56901 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"dbhg.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246007; rev:1;) alert tcp $HOME_NET any -> [194.87.74.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246004; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; 
classtype:trojan-activity; sid:91246003; rev:1;) alert tcp $HOME_NET any -> [167.56.207.201] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246002; rev:1;) alert tcp $HOME_NET any -> [188.49.94.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246001; rev:1;) alert tcp $HOME_NET any -> [185.51.171.169] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246000; rev:1;) alert tcp $HOME_NET any -> [92.177.126.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245999; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 4891 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245998; rev:1;) alert tcp $HOME_NET any -> [103.216.51.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245997; rev:1;) alert tcp $HOME_NET any -> [49.232.214.141] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245996; rev:1;) alert tcp $HOME_NET any -> [45.89.54.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245995; rev:1;) alert tcp $HOME_NET any -> [45.157.69.156] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245994; rev:1;) alert tcp $HOME_NET any -> [146.70.44.156] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245985; rev:1;) alert tcp $HOME_NET any -> [14.239.3.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245984; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 1433 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245968; rev:1;) alert tcp $HOME_NET any -> [193.233.132.57] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245956; rev:1;) alert tcp $HOME_NET any -> [144.91.109.161] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245955; rev:1;) alert tcp $HOME_NET any -> [45.154.3.56] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245954/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245954; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 55779 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245953/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245953; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245952/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245952; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245951/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245951; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245950/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245950; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245949/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245949; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245948/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245948; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1761 (msg:"ThreatFox DarkComet botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245947; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245946; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245945/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245945; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245944/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245944; rev:1;) alert tcp $HOME_NET any -> [2.45.75.48] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245943/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245943; rev:1;) alert tcp $HOME_NET any -> [74.48.151.50] 11212 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245942/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; 
classtype:trojan-activity; sid:91245942; rev:1;)
# ip:port rules in this feed carry no flow keyword, so they fire on any TCP packet
# from $HOME_NET toward the listed ip:port (including the initial SYN); the threshold
# caps that to one alert per source per 60 s. target:src_ip marks the internal host as the victim.
alert tcp $HOME_NET any -> [20.19.35.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245941/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245941; rev:1;)
alert tcp $HOME_NET any -> [39.104.200.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245940/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245940; rev:1;)
alert tcp $HOME_NET any -> [101.99.92.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245939/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245939; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.38] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245938/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245938; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.147] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245937/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245937; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.180] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245936/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245936; rev:1;)
alert tcp $HOME_NET any -> [88.198.107.0] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245935/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245935; rev:1;)
alert tcp $HOME_NET any -> [116.202.4.240] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245934/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245934; rev:1;)
alert tcp $HOME_NET any -> [77.105.162.176] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245933/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245933; rev:1;)
# url rules: depth equals the content length on both http.uri and http.host, and
# isdataat:!1,relative forbids trailing bytes in the host buffer, so the Host header
# must equal the listed value exactly; only the URI prefix is pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dolul/five/fre.php"; depth:19; nocase; http.host; content:"94.156.66.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245932; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.57] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245931; rev:1;)
# NOTE(review): the two port-53 rules below are `alert tcp`, so they never inspect UDP.
# If these Cobalt Strike listeners are DNS beacons over UDP/53 the rules will not fire
# on the actual C2 channel - confirm the transport against the referenced IOC entries.
alert tcp $HOME_NET any -> [121.43.55.149] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245930; rev:1;)
alert tcp $HOME_NET any -> [185.106.96.225] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245929; rev:1;)
# The next four rules share the URI /tmp/index.php and differ only in the Host value (confidence 75).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"uama.com.ua"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"talesofpirates.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sodez.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"nidoe.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.47.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.111.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245923; rev:1;)
alert tcp $HOME_NET any -> [205.189.160.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245921; rev:1;)
alert tcp $HOME_NET any -> [39.105.4.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"175.27.162.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.27.162.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245916; rev:1;)
alert tcp $HOME_NET any -> [175.27.162.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245917; rev:1;)
alert tcp $HOME_NET any -> [192.3.109.132] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245911; rev:1;)
# domain rules: depth equals the content length and isdataat:!1,relative forbids trailing
# bytes, so only a query for exactly this name matches; subdomains of it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bachlong-sro.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245910; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.146] 443 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/index.php"; depth:14; nocase; http.host; content:"185.172.128.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245908; rev:1;)
alert tcp $HOME_NET any -> [192.210.201.57] 52499 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245907; rev:1;)
alert tcp $HOME_NET any -> [154.90.63.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.90.63.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245905; rev:1;)
alert tcp $HOME_NET any -> [39.107.89.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245903; rev:1;)
# The C2 below sits on a shared cloud API-gateway hostname; the rule pins the full
# service-specific name, so it does not cover other tenants of the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lhtzt3wh-1319979259.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-lhtzt3wh-1319979259.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb6f29c6a60b3865.php"; depth:21; nocase; http.host; content:"147.45.47.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245891; rev:1;)
# NOTE: http.uri content "/" with depth:1 matches every request URI, so the rules
# below are effectively Host-header matches for the listed bare-IP hosts.
# NOTE(review): sids 91245887 and 91245886 have identical detection logic (GET / to
# Host 5.75.213.121) and differ only in sid/reference - both fire on the same request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.28"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245886; rev:1;)
alert tcp $HOME_NET any -> [5.75.213.121] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245884; rev:1;)
alert tcp $HOME_NET any -> [5.75.221.28] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245885; rev:1;)
alert tcp $HOME_NET any -> [5.75.213.121] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"82.146.45.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245882; rev:1;)
alert tcp $HOME_NET any -> [66.63.162.155] 1608 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245881; rev:1;)
# confidence_level 50 block: lower-confidence IOCs, several on shared service ports
# (80, 443, 22, 995); weigh the false-positive risk before turning any of these into drop rules.
alert tcp $HOME_NET any -> [83.220.169.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245880; rev:1;)
alert tcp $HOME_NET any -> [213.189.201.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245879; rev:1;)
alert tcp $HOME_NET any -> [37.1.205.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245878; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.11] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245877; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.4] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245876; rev:1;)
alert tcp $HOME_NET any -> [58.84.90.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245875; rev:1;)
alert tcp $HOME_NET any -> [72.27.137.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245874; rev:1;)
# tcp/22 at 50% confidence: any session to this host on that port trips the rule.
alert tcp $HOME_NET any -> [2.50.45.215] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245873; rev:1;)
alert tcp $HOME_NET any -> [39.40.175.239] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245872; rev:1;)
alert tcp $HOME_NET any -> [24.148.11.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245871; rev:1;)
alert tcp $HOME_NET any -> [45.137.10.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245870; rev:1;)
alert tcp $HOME_NET any -> [37.1.212.112] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245869; rev:1;)
alert tcp $HOME_NET any -> [23.227.193.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245868; rev:1;)
alert tcp $HOME_NET any -> [37.1.208.95] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245867; rev:1;)
alert tcp $HOME_NET any -> [87.122.8.35] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245866; rev:1;)
alert tcp $HOME_NET any -> [139.84.137.24] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245865; rev:1;)
# --- IOCs first seen 2024_03_12 from here on ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"193.143.1.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes.js"; depth:17; nocase; http.host; content:"74.48.57.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69pipe4/2temp/betterpipetrackpipe/62test/geoprocessauth.php"; depth:60; nocase; http.host; content:"188.120.241.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245862; rev:1;)
alert tcp $HOME_NET any -> [43.248.129.152] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processorbase.php"; depth:18; nocase; http.host; content:"737165cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245857; rev:1;)
alert tcp $HOME_NET any -> [124.248.69.29] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245853; rev:1;)
alert tcp $HOME_NET any -> [115.231.218.42] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245852; rev:1;)
alert tcp $HOME_NET any -> [110.42.102.82] 6688 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245850; rev:1;)
alert tcp $HOME_NET any -> [114.130.36.120] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245847; rev:1;)
alert tcp $HOME_NET any -> [137.184.177.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245846/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245846; rev:1;)
alert tcp $HOME_NET any -> [34.81.83.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245845; rev:1;)
alert tcp $HOME_NET any -> [27.156.108.198] 6079 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245844; rev:1;)
alert tcp $HOME_NET any -> [191.88.250.232] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245843; rev:1;)
alert tcp $HOME_NET any -> [41.96.29.46] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245842; rev:1;)
alert tcp $HOME_NET any -> [51.211.208.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245841; rev:1;)
alert tcp $HOME_NET any -> [210.2.169.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245840; rev:1;)
alert tcp $HOME_NET any -> [124.106.197.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245839; rev:1;)
alert tcp $HOME_NET any -> [20.191.195.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245838; rev:1;)
alert tcp $HOME_NET any -> [95.164.19.54] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245836; rev:1;)
alert tcp $HOME_NET any -> [37.120.239.146] 23250 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245837; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.159] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245835; rev:1;)
alert tcp $HOME_NET any -> [69.30.232.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245834; rev:1;)
# 69.30.232.227-.230: four adjacent hosts, each pinned to its own short URI (/ca, /match, /cm).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"69.30.232.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"69.30.232.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"69.30.232.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"69.30.232.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245830; rev:1;)
alert tcp $HOME_NET any -> [134.122.129.173] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245824; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.68] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245825; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245826; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.198] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245827; rev:1;)
# NOTE(review): sids 91245823 and 91245822 have identical detection logic (GET / to
# Host 5.75.208.68) and differ only in sid/reference - both fire on the same request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245822; rev:1;)
# Payload-delivery domain: depth:5 on a 5-byte content plus isdataat:!1,relative means
# only a query for exactly "7t.nz" matches; a query for a host under it (e.g. www.7t.nz) does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7t.nz"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read/timer.php"; depth:15; nocase; http.host; content:"dasmake.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"69.30.232.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"69.30.232.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"69.30.232.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"69.30.232.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"69.30.232.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245801; rev:1;) alert tcp $HOME_NET any -> [95.179.177.99] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245800/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_03_12; classtype:trojan-activity; sid:91245800; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245799; rev:1;) alert tcp $HOME_NET any -> [3.141.100.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.tecbanis.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245797; rev:1;) alert tcp $HOME_NET any -> [23.95.208.14] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oob.microsoft360.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"bbo.microsoft360.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245794; rev:1;) alert tcp $HOME_NET any -> [5.34.179.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"5.34.179.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.60.253.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245791; rev:1;) alert tcp $HOME_NET any -> [5.34.179.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"5.34.179.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.136.241.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"82.157.169.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"164.92.116.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"88.214.27.74"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; 
sid:91245781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekololis.ovh"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245775; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catgirls.network"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rx.neko.ltd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neko.ltd"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245772; rev:1;) alert tcp $HOME_NET any -> [15.204.211.32] 888 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245769; rev:1;) alert tcp $HOME_NET any -> [141.98.7.7] 2 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245770; rev:1;) alert tcp $HOME_NET any -> [94.156.69.226] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245771; rev:1;) alert tcp $HOME_NET any -> [51.89.157.32] 4200 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245768; rev:1;) alert tcp $HOME_NET any -> [194.169.175.33] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245767; rev:1;) alert tcp $HOME_NET any -> [194.169.175.31] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/limitgameruleboot/systemcore/war/basewordpressdatalife.php"; depth:59; nocase; http.host; content:"185.246.67.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245764; rev:1;) alert tcp $HOME_NET any -> [49.13.32.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245761; rev:1;) alert tcp $HOME_NET any -> [116.202.4.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245762; rev:1;) alert tcp $HOME_NET any -> [88.198.107.0] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"88.198.107.0"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.231"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245758; rev:1;) alert tcp $HOME_NET any -> [103.186.117.66] 1906 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245757; rev:1;) alert tcp $HOME_NET any -> [194.33.191.105] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245756; rev:1;) alert tcp $HOME_NET any -> [185.196.11.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245755; rev:1;) alert tcp $HOME_NET any -> [143.110.180.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245754; rev:1;) alert tcp $HOME_NET any -> [66.103.202.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245753; rev:1;) alert tcp $HOME_NET any -> [66.103.202.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245752; rev:1;) alert tcp $HOME_NET any -> [64.23.194.166] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245751; rev:1;) alert tcp $HOME_NET any -> [23.93.94.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245750; rev:1;) 
alert tcp $HOME_NET any -> [70.31.127.214] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245749; rev:1;) alert tcp $HOME_NET any -> [72.27.34.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245748; rev:1;) alert tcp $HOME_NET any -> [175.10.220.200] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245747; rev:1;) alert tcp $HOME_NET any -> [104.248.92.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245746; rev:1;) alert tcp $HOME_NET any -> [122.114.225.100] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245745; rev:1;) alert tcp $HOME_NET any -> [122.114.192.32] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245744/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245744; rev:1;) alert tcp $HOME_NET any -> [122.114.156.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245743; rev:1;) alert tcp $HOME_NET any -> [122.114.197.147] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245742; rev:1;) alert tcp $HOME_NET any -> [122.114.10.11] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245741; rev:1;) alert tcp $HOME_NET any -> [122.114.192.234] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245740; rev:1;) alert tcp $HOME_NET any -> [37.1.212.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245739; rev:1;) alert tcp $HOME_NET any -> [154.90.49.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncawaitapi.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245734; rev:1;) alert tcp $HOME_NET any -> [91.92.243.162] 45162 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apifunctioncall.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245733; rev:1;) alert tcp $HOME_NET any -> [45.128.232.59] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"xcelonline.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245736; rev:1;) alert tcp $HOME_NET any -> [204.95.99.109] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245735; rev:1;) alert tcp $HOME_NET any -> [194.165.16.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"194.165.16.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"blm-wiki.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"jango-pulse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245729; rev:1;) alert tcp $HOME_NET any -> [45.74.36.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"170.130.55.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.132.237.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.92.19.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; 
classtype:trojan-activity; sid:91245725; rev:1;) alert tcp $HOME_NET any -> [142.202.242.172] 30098 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245724; rev:1;) alert tcp $HOME_NET any -> [146.56.238.25] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245722; rev:1;) alert tcp $HOME_NET any -> [167.88.160.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245721; rev:1;) alert tcp $HOME_NET any -> [79.114.226.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245720; rev:1;) alert tcp $HOME_NET any -> [45.87.246.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245719; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 10000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245718; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9800 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245717; rev:1;) alert tcp $HOME_NET any -> [154.223.20.108] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245716; rev:1;) alert tcp $HOME_NET any -> [38.54.63.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/maga-414515.appspot.com/o/l4djx6iv5c%2fdoc_h37_93i800248-18015745p1346-4493y8.js"; depth:86; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"durete.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qbijgho"; depth:8; nocase; http.host; content:"qyjifia.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcjwcj.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245710; rev:1;) alert tcp $HOME_NET any -> [154.9.29.154] 55650 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"drifajizo.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"scifimond.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"minndarespo.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"ginzbargatey.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"popfealt.one"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245704; rev:1;) alert tcp $HOME_NET any -> [89.190.156.61] 60124 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; 
sid:91245702; rev:1;) alert tcp $HOME_NET any -> [141.98.7.7] 1 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/"; depth:8; nocase; http.host; content:"bellebobas.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245701; rev:1;) alert tcp $HOME_NET any -> [217.67.178.79] 51177 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245700; rev:1;) alert tcp $HOME_NET any -> [85.175.101.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245699; rev:1;) alert tcp $HOME_NET any -> [193.143.1.195] 30293 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245698; rev:1;) alert tcp $HOME_NET any -> [193.233.132.162] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245697; rev:1;) alert tcp $HOME_NET any -> [45.156.21.39] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245696; rev:1;) alert tcp $HOME_NET any -> [188.27.166.233] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245695; rev:1;) alert tcp $HOME_NET any -> [193.233.161.246] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245694; rev:1;) alert tcp $HOME_NET any -> [95.216.117.33] 8088 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245693; rev:1;) alert tcp $HOME_NET any -> [77.91.124.37] 3001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245692; 
rev:1;) alert tcp $HOME_NET any -> [45.15.157.90] 3000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199651834633"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.116.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raf6ik"; depth:7; nocase; http.host; content:"t.me"; depth:4; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245687; rev:1;) alert tcp $HOME_NET any -> [49.12.116.63] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245685; rev:1;) alert tcp $HOME_NET any -> [95.217.240.152] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumpdlepipe/pipeprovider0python/3dumpdump/dumpsecure/db6locallow/async9/pipetosql.php"; depth:86; nocase; http.host; content:"195.2.84.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bestopgoespink.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bestopgoespink.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"digestlivepro.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245671; rev:1;) alert tcp $HOME_NET any -> [78.40.117.110] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245673; rev:1;) alert tcp $HOME_NET any -> [78.40.117.169] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245674; rev:1;) alert tcp $HOME_NET any -> [78.40.117.174] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245675; rev:1;) alert tcp $HOME_NET any -> [78.40.117.251] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245676; rev:1;) alert tcp $HOME_NET any -> [85.204.116.126] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245678; rev:1;) alert tcp $HOME_NET any -> [85.204.116.143] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hex.lumosora.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245681; rev:1;) alert tcp $HOME_NET any -> [85.204.116.144] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245680; rev:1;) alert tcp $HOME_NET any -> [93.123.85.121] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245682/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_11; classtype:trojan-activity; sid:91245682; rev:1;) alert tcp $HOME_NET any -> [185.196.9.25] 38242 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245683; rev:1;) alert tcp $HOME_NET any -> [54.94.118.7] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245667/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245667; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; 
classtype:trojan-activity; sid:91245666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"46.183.223.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245665; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245663; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245664; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245655/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245655; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245656; rev:1;) alert tcp $HOME_NET any -> [62.113.112.234] 1311 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245657; rev:1;) alert tcp $HOME_NET any -> [94.103.85.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245658; rev:1;) alert tcp $HOME_NET any -> [95.142.45.151] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245659; rev:1;) alert tcp $HOME_NET any -> [193.178.170.114] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245661; rev:1;) alert tcp $HOME_NET any -> [178.20.40.225] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245660; rev:1;) alert tcp $HOME_NET any -> [194.48.250.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245662/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_03_11; classtype:trojan-activity; sid:91245662; rev:1;) alert tcp $HOME_NET any -> [147.45.77.28] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245644; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245654; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245653; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245652; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245651; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245650; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245649; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245648; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245647; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245646; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245645; rev:1;) alert tcp $HOME_NET any -> [93.123.85.75] 666 (msg:"ThreatFox Bashlite botnet 
# (continuation of the ip:port rule that begins on the preceding line)
C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245633; rev:1;)
#
# Reviewer notes on the three rule shapes used in this feed (they are generated,
# so the same observations hold for every entry below):
#
#  * ip:port rules ("alert tcp $HOME_NET any -> [IP] PORT"): no content match and no
#    flow: keyword, so matching is on the packet header alone and the first outbound
#    packet from $HOME_NET to that IP:port is enough to alert. "threshold: type limit,
#    track by_src, seconds 60, count 1" caps this at one alert per internal source per
#    minute; "target:src_ip" labels the internal host as the affected side. Only the
#    $HOME_NET -> IoC direction is covered. Several entries sit on 80/443/53/445, where
#    the destination IP is the only discriminator.
#
#  * domain rules ("alert dns ... dns_query; content:"X"; depth:N; isdataat:!1,relative"):
#    N equals the length of X, so the name must start at offset 0 of the query, and
#    isdataat:!1,relative requires nothing after it -> only the exact FQDN fires.
#    Lookups for subdomains or parent domains of X do not match.
#
#  * url rules ("alert http ... http.method; content:"GET"; http.uri; content:"/p";
#    depth:N; nocase; http.host; content:"H"; depth:M; isdataat:!1,relative"):
#    the Host header must match exactly (same anchoring as the dns rules); the URI
#    only has to *begin* with the path, since no isdataat follows the uri content,
#    so a query string may trail it. Only GET is matched, and the HTTP stream has to
#    be visible in clear for http.* buffers to populate - TLS-only contact with the
#    same host is caught just by the tcp ip:port rules (e.g. the Vidar hosts below
#    appear in both forms).
#
#  * sid = "9" followed by the ThreatFox IOC id from the reference URL; the metadata
#    confidence_level mirrors the percentage in msg and is the natural key for
#    tuning which entries are enabled (the 50% entries are the noisiest candidates).
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.158.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245643; rev:1;)
# Cobalt Strike: one ip:port entry plus the same URI served under an IP and two domains.
alert tcp $HOME_NET any -> [194.165.16.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"194.165.16.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jango-pulse.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"jango-pulse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blm-wiki.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"blm-wiki.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245637; rev:1;)
# tcp/53 entry: matches any TCP packet to this host on 53, not DNS protocol content.
alert tcp $HOME_NET any -> [38.181.70.201] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245636; rev:1;)
# ns1/ns2 labels are listed as separate exact-match entries; the bare parent name is not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.dice1018.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dice1018.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245634; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.62] 44556 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245630; rev:1;)
# Short, generic URIs ("/pixel.gif", "/ca", "/cx", "/") are only meaningful together with
# the exact-host match that follows them; the host is what carries the signal here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.222.173.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"www.test9977.tk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"www.test9977.tk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245627; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245626; rev:1;)
alert tcp $HOME_NET any -> [192.3.216.140] 52498 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245625; rev:1;)
# Mirai / MooBot (IoT botnet) C2 endpoints, mostly on high non-standard ports.
alert tcp $HOME_NET any -> [141.98.7.12] 1985 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245613; rev:1;)
alert tcp $HOME_NET any -> [51.81.0.241] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245612; rev:1;)
alert tcp $HOME_NET any -> [147.78.103.89] 5958 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245614; rev:1;)
alert tcp $HOME_NET any -> [45.125.66.129] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245615; rev:1;)
alert tcp $HOME_NET any -> [103.173.255.143] 42516 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245616; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.30] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245617; rev:1;)
alert tcp $HOME_NET any -> [103.172.79.74] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245618; rev:1;)
alert tcp $HOME_NET any -> [103.67.197.185] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245619; rev:1;)
alert tcp $HOME_NET any -> [45.13.227.12] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245620; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.17] 49760 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245621; rev:1;)
# NjRAT: the same handful of hosts recur below on ports 16779, 14314 and 11258, each
# ip:port pair being its own entry - a host moving to a new port needs a new entry.
alert tcp $HOME_NET any -> [18.192.31.165] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245624; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245623; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245622; rev:1;)
# Vidar: the tcp/443 entry covers TLS contact; the http entry only fires for clear-text GET /.
alert tcp $HOME_NET any -> [49.12.116.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.116.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245610; rev:1;)
alert tcp $HOME_NET any -> [82.156.211.202] 1145 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245609; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245607; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245608; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245606; rev:1;)
# 50%-confidence block: "Unknown malware" and QakBot entries on 80/443/995/8888 - the
# lowest-confidence, most generic-port entries in this chunk; review before enabling broadly.
alert tcp $HOME_NET any -> [62.109.20.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245605; rev:1;)
alert tcp $HOME_NET any -> [101.34.222.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245604; rev:1;)
alert tcp $HOME_NET any -> [120.26.243.135] 4545 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245603; rev:1;)
alert tcp $HOME_NET any -> [190.134.52.14] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245602; rev:1;)
alert tcp $HOME_NET any -> [75.173.32.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245601; rev:1;)
alert tcp $HOME_NET any -> [41.98.180.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245600; rev:1;)
alert tcp $HOME_NET any -> [161.97.141.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245599; rev:1;)
# 103.173.255.143 already appears above (Mirai, port 42516); this is a second family on port 839.
alert tcp $HOME_NET any -> [103.173.255.143] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245576; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.116] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245548; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.204] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzuymgi3mtixowfk/"; depth:18; nocase; http.host; content:"aliatabakastabumerangs.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245586; rev:1;)
# Dynamic-DNS name: exact-match only, so the rule follows the label, not the resolved IP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mexico2020.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245588; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245595; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.12] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245587; rev:1;)
# Three hosts sharing the same "/default.php" path - one entry per host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"1callalert.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"choiceonesupport.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"criminallawdc.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245596; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245594; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245592; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245593; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245591; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.39] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245590; rev:1;)
alert tcp $HOME_NET any -> [192.3.216.131] 1808 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64yz"; depth:5; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245585; rev:1;)
# From here on first_seen is 2024_03_10.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umfi.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245583; rev:1;)
alert tcp $HOME_NET any -> [34.216.132.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"umfi.live"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245582; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.138] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aerotable_generate_ai"; depth:22; nocase; http.host; content:"150.107.201.170"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245579; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 49626 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245578; rev:1;)
# 193.233.132.204 is also listed above as a RecordBreaker ip:port entry on 80.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245577; rev:1;)
alert tcp $HOME_NET any -> [123.99.198.201] 20064 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245575; rev:1;)
alert tcp $HOME_NET any -> [82.197.93.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245574; rev:1;)
alert tcp $HOME_NET any -> [142.171.8.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245573; rev:1;)
# Vidar cluster: "GET /" entries keyed purely on the Host header, each paired with a tcp entry below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.155"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.233.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.89.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.234.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245568; rev:1;)
alert tcp $HOME_NET any -> [95.217.234.153] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245565; rev:1;)
alert tcp $HOME_NET any -> [49.13.89.149] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245566; rev:1;)
alert tcp $HOME_NET any -> [78.46.233.36] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245567; rev:1;)
alert tcp $HOME_NET any -> [103.163.208.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245564; rev:1;)
alert tcp $HOME_NET any -> [94.198.54.154] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245563; rev:1;)
alert tcp $HOME_NET any -> [72.27.110.218] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245562; rev:1;)
alert tcp $HOME_NET any -> [45.245.103.58] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245561; rev:1;)
# tcp/445 entry: fires on any outbound SMB-port packet to this host from $HOME_NET.
alert tcp $HOME_NET any -> [80.75.212.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245560; rev:1;)
# Offensive-framework C2s (BianLian, Deimos, Brute Ratel C4, Sliver) - all 50% confidence here.
alert tcp $HOME_NET any -> [179.60.149.241] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245559; rev:1;)
alert tcp $HOME_NET any -> [66.85.27.144] 24513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245558; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.232] 8226 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245557; rev:1;)
alert tcp $HOME_NET any -> [163.177.79.82] 7443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245556; rev:1;)
alert tcp $HOME_NET any -> [34.126.126.52] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245555; rev:1;)
alert tcp $HOME_NET any -> [88.151.192.114] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245554; rev:1;)
alert tcp $HOME_NET any -> [167.71.184.214] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245553; rev:1;)
alert tcp $HOME_NET any -> [167.71.184.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245552; rev:1;)
# "payload delivery" variant: same url-rule shape, different msg; marks a download URL rather than a C2 beacon.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"113.26.81.251"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245551; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.224] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245550; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.224] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245549; rev:1;)
alert tcp $HOME_NET any -> [142.93.140.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245547; rev:1;)
alert tcp $HOME_NET any -> [91.201.40.221] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245546; rev:1;)
alert tcp $HOME_NET any -> [45.132.237.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245545; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.159] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245544; rev:1;)
alert tcp $HOME_NET any -> [138.201.82.227] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245543; rev:1;)
alert tcp $HOME_NET any -> [142.202.240.134] 5555 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octopanel.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245541; rev:1;)
# Numbered sibling domains (ipolastationplasma1/2/3...) each need their own exact-match entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma1bmx.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma2ford.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245535; rev:1;)
# (this rule continues on the following line)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma3apple.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma4samsung.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma5merc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma7class.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma8pla.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245540; rev:1;) alert tcp $HOME_NET any -> [185.172.128.123] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; 
classtype:trojan-activity; sid:91245525; rev:1;) alert tcp $HOME_NET any -> [34.243.217.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"69uiu06es5.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"69uiu06es5.execute-api.us-east-1.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"59.110.6.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245529; rev:1;) alert tcp $HOME_NET any -> [59.110.6.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245530/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245528; rev:1;) alert tcp $HOME_NET any -> [47.76.150.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.76.150.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245526; rev:1;) alert tcp $HOME_NET any -> [146.19.233.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"146.19.233.250"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245523; rev:1;) alert tcp $HOME_NET any -> [120.46.207.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/12/29136388_"; depth:45; nocase; http.host; content:"142.171.227.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245519; rev:1;) alert tcp $HOME_NET any -> [142.171.227.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245520; rev:1;) alert tcp $HOME_NET any -> [142.171.227.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/12/29136388_"; depth:45; nocase; http.host; content:"142.171.227.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.76.150.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245515; rev:1;) alert tcp $HOME_NET any -> [47.76.150.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83/process8/windowspipe3/trackjs2/2downloads2php/linesecure/serverrequestgeo/better1processor/pipedownloads5/uploadscdn/polllowapiprotectsqlwpdlecentraldownloads.php"; depth:166; nocase; http.host; content:"62.109.7.175"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.3.123.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arpa.indiadreamdestinations.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arpa.indiadreamdestinations.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"arpa.giodnews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arpa.giodnews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/0ab7ztvql7n68tmodjmicd"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0927657.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245504; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 47077 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtrj"; depth:5; nocase; http.host; content:"23.95.90.77"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245502; rev:1;) alert tcp $HOME_NET any -> [23.95.90.77] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zakifail.hopto.org"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bae"; depth:5; nocase; http.host; content:"43.153.173.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245477; rev:1;) alert tcp $HOME_NET any -> [43.248.188.181] 9003 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavsmoked.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245488; rev:1;) alert tcp $HOME_NET any -> [94.250.255.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245500; rev:1;) alert tcp $HOME_NET any -> [184.63.241.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245499; rev:1;) alert tcp $HOME_NET any -> [149.109.123.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245498; rev:1;) alert tcp $HOME_NET any -> [185.130.46.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245497; rev:1;) alert tcp $HOME_NET any -> [45.134.9.140] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245496; rev:1;) alert tcp $HOME_NET any -> [213.109.192.46] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245494/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245494; rev:1;) alert tcp $HOME_NET any -> [5.252.178.5] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stats/save.php"; depth:15; nocase; http.host; content:"ppp-gl.biz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245493; rev:1;) alert tcp $HOME_NET any -> [135.181.10.212] 27222 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245492; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245491; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245490; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245489; rev:1;) alert tcp $HOME_NET any -> [15.235.130.29] 60237 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle4/javascriptrequestsecurecpuserversqlbaseflowerasynccdn.php"; depth:63; nocase; http.host; content:"62.109.11.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsjs/gate.php"; depth:14; nocase; http.host; content:"www.techlift.com.my"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245485; rev:1;) alert tcp $HOME_NET any -> [107.172.31.19] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245484; rev:1;) alert tcp $HOME_NET any -> [147.45.40.66] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245483; rev:1;) alert tcp $HOME_NET any -> [5.42.92.73] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245482/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245482; rev:1;) alert tcp $HOME_NET any -> [5.75.213.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245481/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245481; rev:1;) alert tcp $HOME_NET any -> [5.75.213.155] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245480; rev:1;) alert tcp $HOME_NET any -> [45.137.22.252] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245479; rev:1;) alert tcp $HOME_NET any -> [47.100.87.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.100.87.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245475; rev:1;) alert tcp $HOME_NET any -> [95.181.161.144] 443 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245474; rev:1;) alert tcp $HOME_NET any -> [141.98.7.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245473; rev:1;) alert tcp $HOME_NET any -> [46.246.4.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245472; rev:1;) alert tcp $HOME_NET any -> [173.249.59.173] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245471; rev:1;) alert tcp $HOME_NET any -> [172.233.174.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245470; rev:1;) alert tcp $HOME_NET any -> [217.195.197.48] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245467; rev:1;) alert tcp $HOME_NET any -> [213.152.162.15] 53525 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagegeoapimultibaselinuxtracktempuploads.php"; depth:46; nocase; http.host; content:"739668cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245465; rev:1;) alert tcp $HOME_NET any -> [41.103.44.20] 999 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hi.vani.ovh"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245463; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245462; rev:1;) alert tcp $HOME_NET any -> [124.71.130.71] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245461; rev:1;) alert tcp $HOME_NET any -> [61.63.127.56] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245460; rev:1;) alert tcp $HOME_NET any -> [195.133.45.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245459; rev:1;) alert tcp $HOME_NET any -> [180.140.153.148] 30010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245458/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245458; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.131.106.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245457; rev:1;) alert tcp $HOME_NET any -> [103.82.24.193] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245456/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245456; rev:1;) alert tcp $HOME_NET any -> [124.221.98.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245455; rev:1;) alert tcp $HOME_NET any -> [31.192.236.82] 48126 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245454; rev:1;) alert tcp $HOME_NET any -> [167.99.250.80] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245453; rev:1;) alert tcp $HOME_NET any -> [172.104.242.152] 59088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245452; rev:1;) alert tcp $HOME_NET any -> [159.203.25.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245451; rev:1;) alert tcp $HOME_NET any -> [188.119.67.185] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245450; rev:1;) alert tcp $HOME_NET any -> [120.26.222.182] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245449; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245448; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245447; rev:1;) alert tcp $HOME_NET any -> 
[187.135.178.73] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245446; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1919 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245445; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245444/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245444; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245443/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245443; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245442; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245441/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245441; rev:1;) alert tcp $HOME_NET any -> [45.133.36.114] 8888 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245440; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245439/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245439; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245438; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245437; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245436; rev:1;) alert tcp $HOME_NET any -> [105.100.63.223] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245435; rev:1;) alert tcp $HOME_NET any -> [69.30.232.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245434; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245433/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245433; rev:1;) alert tcp $HOME_NET any -> [103.5.210.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245432/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245432; rev:1;) alert tcp $HOME_NET any -> [147.45.47.80] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245431; rev:1;) alert tcp $HOME_NET any -> [193.233.132.148] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245430/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245430; rev:1;) alert tcp $HOME_NET any -> 
[95.216.41.236] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245429/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245429; rev:1;) alert tcp $HOME_NET any -> [193.233.132.127] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245428/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245428; rev:1;) alert tcp $HOME_NET any -> [89.23.99.219] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245427/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245427; rev:1;) alert tcp $HOME_NET any -> [154.243.121.19] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245426/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245426; rev:1;) alert tcp $HOME_NET any -> [103.155.214.203] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245425; rev:1;) alert tcp $HOME_NET any -> [146.0.79.19] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245424/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245424; rev:1;) alert tcp $HOME_NET any -> [116.202.4.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245423; rev:1;) alert tcp $HOME_NET any -> [116.202.4.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245422; rev:1;) alert tcp $HOME_NET any -> [195.201.131.130] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245421; rev:1;) alert tcp $HOME_NET any -> [115.74.30.127] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245420/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245420; rev:1;) alert tcp $HOME_NET any -> [202.134.56.2] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245419; rev:1;) alert tcp $HOME_NET any -> [37.114.37.177] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245418; rev:1;) alert tcp $HOME_NET any -> [147.124.223.16] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245417; rev:1;) alert tcp $HOME_NET any -> [171.41.198.240] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245416; rev:1;) alert tcp $HOME_NET any -> [95.165.99.74] 8443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245415; rev:1;) alert tcp $HOME_NET any -> [179.14.8.182] 6606 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245414; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 2121 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245413; rev:1;) alert tcp $HOME_NET any -> [65.1.107.60] 80 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245412; rev:1;) alert tcp $HOME_NET any -> [178.63.148.180] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245411/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.180.192.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245408; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.94.241.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"45.74.36.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"154.3.1.95"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"45.74.36.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245402; rev:1;) alert tcp $HOME_NET any -> [45.74.36.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"139.180.192.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245399; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.101.181.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"www.87-119-220-245.cprapid.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"87.119.220.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"fzmovies.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"fzmovies.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"www.87-119-220-245.cprapid.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"www.fzmovies.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"www.fzmovies.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; 
http.host; content:"mail.87-119-220-245.cprapid.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"mail.87-119-220-245.cprapid.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245381; rev:1;) alert tcp $HOME_NET any -> [87.119.220.245] 4456 (msg:"ThreatFox AhMyth botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"87.119.220.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.87-119-220-245.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245394; rev:1;) alert tcp $HOME_NET any -> [87.119.220.245] 443 (msg:"ThreatFox 
AhMyth payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.fzmovies.space"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fzmovies.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.87-119-220-245.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.bestresulttostart.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"find.bestresulttostart.com"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"follow.bestresulttostart.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"point.bestresulttostart.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"right.bestresulttostart.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.cloudsonicwave.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttincoming.traveltraffic.cc"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestresulttostart.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scripts.bestresulttostart.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtwo2ht.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shop.klnein9ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.klone1vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245343; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245349; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245350; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 313 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245358; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245359; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245360; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245361; rev:1;) alert tcp $HOME_NET any -> [94.156.66.44] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245035; rev:1;) alert tcp $HOME_NET any -> [94.156.67.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245037; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245038; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245039; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245040; rev:1;) alert tcp $HOME_NET any -> [193.149.129.251] 4443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scambaiter11.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245047; rev:1;) alert tcp $HOME_NET any -> [37.120.141.139] 1113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trs_async.exe"; depth:14; nocase; http.host; content:"91.92.254.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trscentral.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245050; rev:1;) alert tcp $HOME_NET any -> [194.9.172.135] 7730 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245033; rev:1;) alert tcp $HOME_NET any -> [103.153.69.114] 43046 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245031; rev:1;) alert tcp $HOME_NET any -> [45.9.74.12] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"45.9.74.12"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245028; rev:1;) alert tcp $HOME_NET any -> [91.92.241.220] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.pr333.ggm.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"start.apistatexperience.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245011; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 19606 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.startservicefounds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.startservicefounds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245010; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 19606 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245007; rev:1;) alert tcp $HOME_NET any -> [171.228.226.103] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244982; rev:1;) alert tcp $HOME_NET any -> [91.92.246.154] 1370 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244985/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244985; rev:1;) alert tcp $HOME_NET any -> [91.92.246.213] 1289 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244986; rev:1;) alert tcp $HOME_NET any -> [91.92.247.229] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244988; rev:1;) alert tcp $HOME_NET any -> [91.92.246.211] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244987; rev:1;) alert tcp $HOME_NET any -> [94.156.69.14] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244989; rev:1;) alert tcp $HOME_NET any -> [78.40.117.219] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244990; rev:1;) alert tcp $HOME_NET any -> [85.204.116.143] 1296 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244991; rev:1;) alert tcp $HOME_NET any -> [85.204.116.144] 1284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244992; rev:1;) alert tcp $HOME_NET any -> [85.204.116.139] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244993; rev:1;) alert tcp $HOME_NET any -> [85.204.116.124] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244994; rev:1;) alert tcp $HOME_NET any -> [85.204.116.126] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244995; rev:1;) alert tcp $HOME_NET any -> [85.204.116.131] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244996/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244996; rev:1;) alert tcp $HOME_NET any -> [45.95.147.168] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/styles.html"; depth:12; nocase; http.host; content:"38.27.163.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245369; rev:1;) alert tcp $HOME_NET any -> [164.92.116.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"164.92.116.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245367; rev:1;) alert tcp $HOME_NET any -> [172.86.101.115] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245366/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovacamoke.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2istanbullu2586.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/aftdjdu0uppzualdkjdqndbzxabxckbtm6h8zreo1wi15htkq0"; depth:55; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet7.vani.ovh"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245362; rev:1;) alert tcp $HOME_NET any -> [185.246.64.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245357; rev:1;) alert tcp $HOME_NET any -> [178.128.122.145] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245356; rev:1;) alert tcp $HOME_NET any -> [89.23.103.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245355; rev:1;) alert tcp $HOME_NET any -> [91.202.233.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245354; rev:1;) alert tcp $HOME_NET any -> [103.94.185.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245353; rev:1;) alert tcp $HOME_NET any -> [154.17.15.207] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245352; rev:1;) alert tcp $HOME_NET any -> [157.230.247.198] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245351; rev:1;) alert tcp $HOME_NET any -> [217.195.207.156] 47721 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.127"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245347; rev:1;) alert tcp $HOME_NET any -> [107.175.28.248] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"118.178.231.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245345; rev:1;) alert tcp $HOME_NET any -> [91.92.250.61] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245332/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_08; classtype:trojan-activity; sid:91245332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245338; rev:1;)
#
# --- ThreatFox "domain" rules (dns_query) ---
# Template: dns_query; content:"<fqdn>"; depth:<len(fqdn)>; fast_pattern; isdataat:!1,relative; nocase;
#   depth equals the content length, so the name must sit at offset 0 of the
#   query buffer, and isdataat:!1,relative requires no byte after it. Each rule
#   therefore matches the listed FQDN exactly (case-insensitive via nocase);
#   a lookup for a label-prefixed name such as www.<fqdn> does NOT fire. If
#   subdomain lookups should alert too, a separate rule without the depth /
#   isdataat anchors is needed.
# NOTE(review): direction is $HOME_NET any -> $EXTERNAL_NET any. Where clients
#   resolve through an internal resolver that is itself in $HOME_NET, only the
#   resolver's upstream query (if the sensor sees it) matches, and target:src_ip
#   then names the resolver rather than the infected host - confirm sensor
#   placement before using target for triage.
# sid is 9 followed by the ThreatFox IOC id (ioc/1245338 -> sid:91245338), so the
#   reference URL can be reconstructed from the sid alone.
# All rules in this stretch carry first_seen 2024_03_08; most of the .top names
#   share a <2-3 letter prefix><number word><digit><short suffix>.top shape
#   (gkone1sb, gkseven7pn, ...), which suggests reviewing them as a family
#   rather than tuning individual sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkhirteen13pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkleven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jknein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klhirteen13pn.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gktwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gktwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkeight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjtwo2two.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkeith8sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkhirteen13vs.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gknein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gknein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245270; rev:1;)
#
# --- ThreatFox "ip:port" rules ---
# No flow: or content: keyword: any TCP packet from $HOME_NET to the listed
#   destination ip:port matches, including the first SYN, so the rule fires
#   before a session is established. threshold (type limit, track by_src,
#   seconds 60, count 1) caps output at one alert per source IP per 60 s for
#   that sid.
# NOTE(review): the match is on destination address and port only. Shared
#   hosting, CDN fronting or a re-assigned IP will alert on benign traffic;
#   check the referenced ThreatFox entry (and its first_seen date) before
#   turning one of these into a block.
alert tcp $HOME_NET any -> [186.169.53.81] 2025 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245269; rev:1;)
alert tcp $HOME_NET any -> [118.178.231.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245268; rev:1;)
#
# --- ThreatFox "url" rules ---
# flow:established,from_client + http.method "GET" + http.uri prefix +
#   http.host exact match. The uri content has depth but no isdataat, so
#   "/pixel" followed by anything (e.g. a query string) still matches; the
#   host content has depth == length and isdataat:!1,relative, so only a Host
#   value equal to the listed address matches. No threshold is set on these,
#   so every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.41.101.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245266; rev:1;)
#
# --- ThreatFox "domain" rules, continued (same template and caveats as above) ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245258; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245259; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwelve12vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzseven7vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzthre3vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzztwo2vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfifteen15ht.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfifteen15vt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245252; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245253; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245255; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kztvelwe12ht.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kztwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzeight8vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzfive5vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3s.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"kvtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzeigtht8sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzeleven11ht.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourteen14ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"kvfourteen14vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vz.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kllnein9pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"klthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltvelwe12sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveigth8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthirteen13pn.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbtwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kceight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"kcleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kctwelve12pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kllfourt14pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"kbseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11sb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"kbeleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"dbthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthree3ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthree3vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245110/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfourteen14sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbnine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbnine9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245115; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7pn.top"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthree3sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245096/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245101; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeleven11sb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfifteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfifteen15sb.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5pn.top"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245082/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245087; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdsix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8pt.top"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245076/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"sajdfue.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245070; rev:1;) alert tcp $HOME_NET any -> [91.92.242.50] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245069; rev:1;) alert tcp $HOME_NET any -> [198.44.178.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245068; rev:1;) alert tcp $HOME_NET any -> [124.220.200.241] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245067; rev:1;) alert tcp 
$HOME_NET any -> [46.246.14.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245066; rev:1;) alert tcp $HOME_NET any -> [46.246.80.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245065; rev:1;) alert tcp $HOME_NET any -> [39.40.181.3] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245064; rev:1;) alert tcp $HOME_NET any -> [2.50.45.90] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245063; rev:1;) alert tcp $HOME_NET any -> [70.31.125.235] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245062; rev:1;) alert tcp $HOME_NET any -> [72.27.136.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245061/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_08; classtype:trojan-activity; sid:91245061; rev:1;) alert tcp $HOME_NET any -> [76.142.23.238] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245060; rev:1;) alert tcp $HOME_NET any -> [188.119.66.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245059; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245058; rev:1;) alert tcp $HOME_NET any -> [159.69.207.158] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245057; rev:1;) alert tcp $HOME_NET any -> [94.232.45.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245056; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 5295 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245055; rev:1;) alert tcp $HOME_NET any -> [162.252.175.153] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245054; rev:1;) alert tcp $HOME_NET any -> [62.182.84.172] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245053; rev:1;) alert tcp $HOME_NET any -> [43.198.251.145] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245052; rev:1;) alert tcp $HOME_NET any -> [113.190.198.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245051; rev:1;) alert tcp $HOME_NET any -> [185.11.61.171] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245045; rev:1;) alert tcp $HOME_NET any -> [185.11.61.172] 443 (msg:"ThreatFox 
Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245046; rev:1;) alert tcp $HOME_NET any -> [185.11.61.169] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245043; rev:1;) alert tcp $HOME_NET any -> [185.11.61.170] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245044; rev:1;) alert tcp $HOME_NET any -> [185.255.114.104] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245041; rev:1;) alert tcp $HOME_NET any -> [65.108.20.239] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245036; rev:1;) alert tcp $HOME_NET any -> [20.104.183.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245025/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_08; classtype:trojan-activity; sid:91245025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsrv.prdcdn.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.prdcdn.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.prdcdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citrix.prdcdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245022; rev:1;) alert tcp $HOME_NET any -> [103.253.146.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.253.146.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245019; rev:1;) alert tcp $HOME_NET any -> [3.108.192.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.108.192.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.204.251.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"165.154.131.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245015/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245015; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"128.199.71.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245012; rev:1;) alert tcp $HOME_NET any -> [137.184.117.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; 
content:"137.184.117.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.200.164.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"60.28.220.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/hu9v3jmvtlysh83svxuafwgzv7c-wfwox8h9z"; depth:42; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244999; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"vip.z886888.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip.z886888.top"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1244984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244984; rev:1;) alert tcp $HOME_NET any -> [188.120.225.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244981; rev:1;) alert tcp $HOME_NET any -> [142.171.226.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244980; rev:1;) alert tcp $HOME_NET any -> [81.19.140.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244979; rev:1;) alert tcp $HOME_NET any -> [142.11.199.59] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244978; rev:1;) alert tcp $HOME_NET any -> [95.181.173.126] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244977; rev:1;) alert tcp $HOME_NET any -> 
[23.224.144.50] 20300 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244976; rev:1;) alert tcp $HOME_NET any -> [151.30.227.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244975; rev:1;) alert tcp $HOME_NET any -> [2.88.130.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244974; rev:1;) alert tcp $HOME_NET any -> [41.99.0.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244973; rev:1;) alert tcp $HOME_NET any -> [72.27.99.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244972; rev:1;) alert tcp $HOME_NET any -> [45.136.15.139] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244971/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_08; classtype:trojan-activity; sid:91244971; rev:1;) alert tcp $HOME_NET any -> [40.124.181.17] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244970; rev:1;) alert tcp $HOME_NET any -> [37.35.109.128] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244969; rev:1;) alert tcp $HOME_NET any -> [129.159.131.26] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244968; rev:1;) alert tcp $HOME_NET any -> [89.23.103.208] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244967; rev:1;) alert tcp $HOME_NET any -> [139.162.36.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244966; rev:1;) alert tcp $HOME_NET any -> [194.124.33.109] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1244965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244965; rev:1;) alert tcp $HOME_NET any -> [194.124.33.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244964; rev:1;) alert tcp $HOME_NET any -> [37.1.214.247] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244963; rev:1;) alert tcp $HOME_NET any -> [37.1.214.6] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244962; rev:1;) alert tcp $HOME_NET any -> [115.85.46.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244961; rev:1;) alert tcp $HOME_NET any -> [194.163.169.13] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244960; rev:1;) alert tcp $HOME_NET any -> [46.8.221.19] 8443 (msg:"ThreatFox Brute Ratel C4 botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244959; rev:1;) alert tcp $HOME_NET any -> [46.8.221.19] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244958; rev:1;) alert tcp $HOME_NET any -> [80.77.23.52] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244951; rev:1;) alert tcp $HOME_NET any -> [91.240.202.234] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244952; rev:1;) alert tcp $HOME_NET any -> [94.247.42.247] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244953; rev:1;) alert tcp $HOME_NET any -> [167.88.162.223] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91244954; rev:1;) alert tcp $HOME_NET any -> [167.88.162.241] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244955; rev:1;) alert tcp $HOME_NET any -> [172.86.70.28] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244956/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244956; rev:1;) alert tcp $HOME_NET any -> [185.212.44.92] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244957; rev:1;) alert tcp $HOME_NET any -> [45.11.180.28] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244948; rev:1;) alert tcp $HOME_NET any -> [45.61.152.227] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244949; rev:1;) alert tcp $HOME_NET any -> [45.155.250.207] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244950/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peacecheese.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pipelinning.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pixgraphie.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"redactweb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sdlsd.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244942; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shinemarksystems.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244943/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sms-atc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strokestownlearningzone.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thebestoftenerife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244946/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thesolutionmatrix.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"a1photoprinting.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"americanhomeservicesllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anambrabasiceducation.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"audiolabelectronics.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b2bsupermarkets.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b2bturkishtextile.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chryatech.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cmfgsi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"colortreeva.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"computerfeuerwehr.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crabonchips.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91244921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cristinastanciu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"daffigallery.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dallassutherland.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"detectiveman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"etsprayfoam.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"freeautotalk.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"happeelearning.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hostel99.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insproscp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jobmalta.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kingtonyamerica.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mello-roos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"michaelcaneconsultants.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mowilderness.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mtgimports.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"netdognetworks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91244937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevmjspacketupdategamebigloadtraffictestdatalife.php"; depth:56; nocase; http.host; content:"icanzuo.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/u7koxg.php"; depth:47; nocase; http.host; content:"www.nsglamour.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/tlsgvu.php"; depth:42; nocase; http.host; content:"mrs-batiment.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/ifzgav.php"; depth:45; nocase; http.host; content:"wxgrant.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; 
classtype:trojan-activity; sid:91244904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/iaawld.php"; depth:46; nocase; http.host; content:"criaturafantastica.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244903; rev:1;) alert tcp $HOME_NET any -> [80.87.192.43] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244902; rev:1;) alert tcp $HOME_NET any -> [45.84.226.86] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244901; rev:1;) alert tcp $HOME_NET any -> [167.71.91.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244900; rev:1;) alert tcp $HOME_NET any -> [119.45.162.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244899; rev:1;) alert tcp $HOME_NET any 
-> [46.246.86.9] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244898; rev:1;) alert tcp $HOME_NET any -> [189.140.59.81] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244897; rev:1;) alert tcp $HOME_NET any -> [159.235.7.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244896; rev:1;) alert tcp $HOME_NET any -> [70.31.125.31] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244895; rev:1;) alert tcp $HOME_NET any -> [47.236.84.82] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244893; rev:1;) alert tcp $HOME_NET any -> [47.236.84.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244894/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_07; classtype:trojan-activity; sid:91244894; rev:1;) alert tcp $HOME_NET any -> [174.138.6.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244892; rev:1;) alert tcp $HOME_NET any -> [20.127.230.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244891; rev:1;) alert tcp $HOME_NET any -> [38.180.91.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244890; rev:1;) alert tcp $HOME_NET any -> [95.179.189.177] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244889; rev:1;) alert tcp $HOME_NET any -> [185.196.11.148] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244888; rev:1;) alert tcp $HOME_NET any -> [104.238.35.20] 16655 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244887; rev:1;) alert tcp $HOME_NET any -> [47.98.126.140] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244886; rev:1;) alert tcp $HOME_NET any -> [37.1.208.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244885; rev:1;) alert tcp $HOME_NET any -> [170.187.232.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244884/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244884; rev:1;) alert tcp $HOME_NET any -> [35.233.38.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244883/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244883; rev:1;) alert tcp $HOME_NET any -> [103.193.176.76] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244882; rev:1;) alert tcp $HOME_NET any -> [103.193.176.76] 8080 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244881; rev:1;) alert tcp $HOME_NET any -> [142.93.131.96] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244880; rev:1;) alert tcp $HOME_NET any -> [142.93.131.96] 43555 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/8ub8qyhvfkehhmfr4dgcou1vlkki6dw1ssuj3l6p7si3omdean"; depth:55; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244878; rev:1;) alert tcp $HOME_NET any -> [91.92.241.203] 37942 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244877; rev:1;) alert tcp $HOME_NET any -> [172.93.160.2] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonrequestpollbaseasyncgeneratorwpdlepublic.php"; depth:58; nocase; http.host; content:"421820cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"muagol.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"selevkis.app"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/view/stylesheet/50k.png"; depth:30; nocase; http.host; content:"988skins.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244872/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244872; rev:1;) alert tcp $HOME_NET any -> [147.45.47.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244871; rev:1;) alert tcp $HOME_NET any -> [147.45.47.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2wpcdn/multi/88/bigload/sql8defaultlow/httprequestprotonbigload/api7voiddbdatalife/publicjavascripttemp5/videobigloadmultidefaultwindowswordpresspublictemporary.php"; depth:165; nocase; http.host; content:"86.110.194.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244869; rev:1;) alert tcp $HOME_NET any -> [194.116.173.25] 6519 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows11.loseyourip.com"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244849; rev:1;) alert tcp $HOME_NET any -> [124.221.133.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.bwork.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244865; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4876 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244864/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244864; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4845 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244863/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244863; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4834 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244862; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4674 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244861; rev:1;) alert tcp $HOME_NET any -> [83.97.20.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"83.97.20.141"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244858/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_07; classtype:trojan-activity; sid:91244858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/s25fogl"; depth:15; nocase; http.host; content:"static.chat5188.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.38.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"83.97.20.141"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244853; rev:1;) alert tcp $HOME_NET any -> [83.97.20.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244854; rev:1;) alert tcp $HOME_NET any -> [47.243.108.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.chat5188.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/s25fogl"; depth:15; nocase; http.host; content:"static.chat5188.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securecloudmanage.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oneblackwood.com"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buygreenstudio.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupbuss.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"topgamecheats.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galaxybotnet.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.shakeit.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244841/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.freetube.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244842; rev:1;) alert tcp $HOME_NET any -> [95.217.142.46] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"192.3.101.133"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"121.41.107.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.84.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks777.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244832/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_07; classtype:trojan-activity; sid:91244832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-socks777.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks777.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.69.242.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244823/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.cloudflarecache.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/5gn1hb9coo2yjr2gfysvdjro2gm1e9rk"; depth:50; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/5gn1hb9coo2yjr2gfysvdjro2gm1e9rk"; depth:50; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jj.jpg"; depth:7; nocase; http.host; content:"91.92.254.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/index.php"; depth:19; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.14.30.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livinglearning.info"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"livinglearning.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244815; rev:1;) alert tcp $HOME_NET any -> [185.14.30.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244812; rev:1;) alert tcp $HOME_NET any -> [139.84.139.29] 5273 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244798; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 10058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244800; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 10058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244801/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244801; rev:1;) alert tcp $HOME_NET any -> [193.124.205.30] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244803; rev:1;) alert tcp $HOME_NET any -> [85.204.116.119] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244804; rev:1;) alert tcp $HOME_NET any -> [94.156.66.226] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244805; rev:1;) alert tcp $HOME_NET any -> [185.216.70.21] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244806; rev:1;) alert tcp $HOME_NET any -> [185.216.70.30] 420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244807; rev:1;) alert tcp $HOME_NET any -> [78.40.117.36] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244808; rev:1;) alert tcp $HOME_NET any -> [141.98.7.2] 1 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244809; rev:1;) alert tcp $HOME_NET any -> [94.156.68.231] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244810; rev:1;) alert tcp $HOME_NET any -> [85.204.116.119] 1234 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244811; rev:1;) alert tcp $HOME_NET any -> [191.88.249.10] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0927241.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244799/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_07; classtype:trojan-activity; sid:91244799; rev:1;) alert tcp $HOME_NET any -> [1.94.52.236] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xunleicloud.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244795; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244790; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244791; rev:1;) alert tcp $HOME_NET any -> [46.246.86.5] 8090 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244792; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 1981 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rverde.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244794/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244794; rev:1;) alert tcp $HOME_NET any -> [45.84.0.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"45.84.0.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244788; rev:1;) alert tcp $HOME_NET any -> [170.130.165.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopmoneyweb.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"shopmoneyweb.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244784; rev:1;) alert tcp $HOME_NET any -> [45.84.0.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"45.84.0.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"194.165.16.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244780; rev:1;) alert tcp $HOME_NET any -> [194.165.16.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks.expert"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244779; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; 
sid:91244778; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244777; rev:1;) alert tcp $HOME_NET any -> [192.119.110.233] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244776; rev:1;) alert tcp $HOME_NET any -> [161.35.62.207] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244775; rev:1;) alert tcp $HOME_NET any -> [51.142.10.24] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244774; rev:1;) alert tcp $HOME_NET any -> [154.247.162.241] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244773; rev:1;) alert tcp $HOME_NET any -> [39.40.148.240] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244772; rev:1;) alert tcp $HOME_NET any -> [157.245.45.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244771; rev:1;) alert tcp $HOME_NET any -> [8.219.183.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244770; rev:1;) alert tcp $HOME_NET any -> [45.152.85.15] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244769; rev:1;) alert tcp $HOME_NET any -> [198.23.228.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244768; rev:1;) alert tcp $HOME_NET any -> [5.206.224.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244767; rev:1;) alert tcp $HOME_NET any -> [185.163.124.133] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"185.163.124.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"185.163.124.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244763; rev:1;) alert tcp $HOME_NET any -> [91.198.77.158] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1.exe"; depth:7; nocase; http.host; content:"91.198.77.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244765; rev:1;) alert tcp 
$HOME_NET any -> [185.163.124.133] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distributors.commdistinc.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244747; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 32105 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244732; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 32105 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/4xcgqyhfkt0cmh8kmdtzrh"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auvm/6875"; depth:10; nocase; http.host; content:"topflowersclub.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrd/4462"; depth:9; nocase; http.host; content:"yourunitedlaws.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244758; rev:1;) alert tcp $HOME_NET any -> [154.12.236.248] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244749; rev:1;) alert tcp $HOME_NET any -> [158.247.240.58] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244750; rev:1;) alert tcp $HOME_NET any -> [70.34.199.64] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244751; rev:1;) alert tcp $HOME_NET any -> [94.72.104.77] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244752; rev:1;) alert tcp $HOME_NET any -> [154.53.55.165] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244753; rev:1;) alert tcp $HOME_NET any -> [45.77.63.237] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244754; rev:1;) alert tcp $HOME_NET any -> [94.72.104.80] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244755; rev:1;) alert tcp $HOME_NET any -> [198.38.94.213] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244756; rev:1;) alert tcp $HOME_NET any -> [70.34.223.164] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; 
sid:91244757; rev:1;) alert tcp $HOME_NET any -> [209.182.234.69] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"www.cloudflarecache.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cloudflarecache.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.56.251.159"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1244743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244743; rev:1;) alert tcp $HOME_NET any -> [34.131.18.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"55.18.131.34.bc.googleusercontent.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55.18.131.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.200.164.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244738; rev:1;) alert tcp $HOME_NET any -> [206.237.16.117] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.msn-microsoft.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.msn-microsoft.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244735; rev:1;) alert tcp $HOME_NET any -> [198.44.174.232] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244734; rev:1;) alert tcp $HOME_NET any -> [179.15.14.181] 9091 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244733; rev:1;) alert tcp $HOME_NET any -> [178.238.112.11] 56555 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"i-wallet.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i-wallet.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244729; rev:1;) alert tcp $HOME_NET any -> [95.141.41.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"googlesupportacc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244726/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bg"; depth:3; nocase; http.host; content:"googlesupportacc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244725; rev:1;) alert tcp $HOME_NET any -> [45.90.97.172] 2211 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244722; rev:1;) alert tcp $HOME_NET any -> [81.71.140.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"14.116.174.122"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244720; rev:1;) alert tcp $HOME_NET any -> [116.203.13.151] 9494 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.127.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.183.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244717; rev:1;) alert tcp $HOME_NET any -> [88.99.127.167] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244715; rev:1;) alert tcp $HOME_NET any -> [95.216.183.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244716; rev:1;) alert tcp $HOME_NET any -> [193.57.41.76] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244714; rev:1;) alert tcp $HOME_NET any -> [163.197.242.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244713; rev:1;) alert tcp $HOME_NET any -> [209.126.86.48] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244712; rev:1;) alert tcp $HOME_NET any -> [46.246.80.10] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244711; rev:1;) 
alert tcp $HOME_NET any -> [89.117.23.25] 46450 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244710; rev:1;) alert tcp $HOME_NET any -> [70.31.125.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244709; rev:1;) alert tcp $HOME_NET any -> [72.27.199.181] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244708; rev:1;) alert tcp $HOME_NET any -> [45.150.198.28] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244707; rev:1;) alert tcp $HOME_NET any -> [38.147.189.157] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244706; rev:1;) alert tcp $HOME_NET any -> [91.143.101.212] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244705/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244705; rev:1;) alert tcp $HOME_NET any -> [94.156.66.44] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244704; rev:1;) alert tcp $HOME_NET any -> [185.11.61.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244703; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244702; rev:1;) alert tcp $HOME_NET any -> [20.168.0.131] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244701; rev:1;) alert tcp $HOME_NET any -> [15.235.166.83] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244700; rev:1;) alert tcp $HOME_NET any -> [185.233.203.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244641; rev:1;) alert tcp $HOME_NET any -> [91.92.253.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244637; rev:1;) alert tcp $HOME_NET any -> [185.237.206.57] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244642; rev:1;) alert tcp $HOME_NET any -> [206.188.197.213] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244648; rev:1;) alert tcp $HOME_NET any -> [4.210.191.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244660; rev:1;) alert tcp $HOME_NET any -> [193.149.129.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244661; rev:1;) alert tcp $HOME_NET 
any -> [5.188.87.40] 36543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244669; rev:1;) alert tcp $HOME_NET any -> [45.140.146.2] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzuymgi3mtixowfk/"; depth:18; nocase; http.host; content:"83.97.73.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244688; rev:1;) alert tcp $HOME_NET any -> [192.3.216.140] 16519 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/base93/3multibasetest/3/trackauth/linuxtoasync6/longpoll/cpuserver2wp/tracklinux/phpasynccentral.php"; depth:101; nocase; http.host; content:"79.174.94.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; 
classtype:trojan-activity; sid:91244698; rev:1;) alert tcp $HOME_NET any -> [174.93.198.242] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244697; rev:1;) alert tcp $HOME_NET any -> [62.122.184.95] 8888 (msg:"ThreatFox StealthWorker Go botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244696; rev:1;) alert tcp $HOME_NET any -> [185.158.251.20] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244695; rev:1;) alert tcp $HOME_NET any -> [109.248.170.151] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244694; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244693; rev:1;) alert tcp $HOME_NET any -> [124.71.9.23] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244692; rev:1;) alert tcp $HOME_NET any -> [47.123.4.117] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244691; rev:1;) alert tcp $HOME_NET any -> [39.108.229.236] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244690/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244690; rev:1;) alert tcp $HOME_NET any -> [3.146.206.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244689; rev:1;) alert tcp $HOME_NET any -> [13.50.244.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244686; rev:1;) alert tcp $HOME_NET any -> [89.23.99.198] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244685; rev:1;) alert tcp $HOME_NET any -> 
[197.119.48.109] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244684; rev:1;) alert tcp $HOME_NET any -> [103.155.214.72] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244683; rev:1;) alert tcp $HOME_NET any -> [142.132.224.223] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244682; rev:1;) alert tcp $HOME_NET any -> [142.132.224.223] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244681; rev:1;) alert tcp $HOME_NET any -> [116.203.13.151] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244680; rev:1;) alert tcp $HOME_NET any -> [116.203.13.151] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244679/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_03_05; classtype:trojan-activity; sid:91244679; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244678; rev:1;) alert tcp $HOME_NET any -> [20.169.80.43] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244677; rev:1;) alert tcp $HOME_NET any -> [154.23.141.66] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244676; rev:1;) alert tcp $HOME_NET any -> [193.124.205.30] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244675; rev:1;) alert tcp $HOME_NET any -> [45.83.207.249] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244674; rev:1;) alert tcp $HOME_NET any -> [110.164.146.49] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244673; rev:1;) alert tcp $HOME_NET any -> [128.90.145.218] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244672; rev:1;) alert tcp $HOME_NET any -> [31.6.179.181] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244671; rev:1;) alert tcp $HOME_NET any -> [174.78.242.29] 9100 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244670; rev:1;) alert tcp $HOME_NET any -> [20.163.176.140] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244668; rev:1;) alert tcp $HOME_NET any -> [8.130.122.174] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244667; rev:1;) alert tcp $HOME_NET any -> [111.229.198.177] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244666; rev:1;) alert tcp $HOME_NET any -> [164.92.191.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244665; rev:1;) alert tcp $HOME_NET any -> [94.156.8.188] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244664; rev:1;) alert tcp $HOME_NET any -> [74.91.29.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244663; rev:1;) alert tcp $HOME_NET any -> [154.23.178.139] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244662; rev:1;) alert tcp $HOME_NET any -> [67.205.152.19] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244659/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_03_05; classtype:trojan-activity; sid:91244659; rev:1;) alert tcp $HOME_NET any -> [46.249.38.211] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244658; rev:1;) alert tcp $HOME_NET any -> [34.88.176.115] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244657; rev:1;) alert tcp $HOME_NET any -> [54.145.92.29] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244656; rev:1;) alert tcp $HOME_NET any -> [154.9.255.31] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244655; rev:1;) alert tcp $HOME_NET any -> [3.146.206.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244654; rev:1;) alert tcp $HOME_NET any -> [39.104.66.132] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244653; rev:1;) alert tcp $HOME_NET any -> [45.76.196.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244652; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244651; rev:1;) alert tcp $HOME_NET any -> [107.174.241.206] 7989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244650; rev:1;) alert tcp $HOME_NET any -> [8.222.158.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244649; rev:1;) alert tcp $HOME_NET any -> [3.11.29.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244647; rev:1;) alert tcp $HOME_NET any -> 
[43.136.71.208] 8881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244646; rev:1;) alert tcp $HOME_NET any -> [120.48.5.80] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244645; rev:1;) alert tcp $HOME_NET any -> [193.222.96.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244644; rev:1;) alert tcp $HOME_NET any -> [69.30.232.230] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244643; rev:1;) alert tcp $HOME_NET any -> [91.92.248.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244639; rev:1;) alert tcp $HOME_NET any -> [91.92.252.33] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244638/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244638; rev:1;) alert tcp $HOME_NET any -> [37.120.141.144] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_cache.js"; depth:12; nocase; http.host; content:"apicachebot.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apicachebot.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"commdistinc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"128.254.207.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marxrwo9090.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"194.147.140.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/marxrwo.txt"; depth:16; nocase; http.host; content:"nzaria.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244618; rev:1;)
# NOTE(review): sid 91244620 below matches the C2 address inside the http.uri buffer (depth:14) and carries no http.host
# match. An origin-form request URI begins with "/", so the first 14 bytes can only equal "193.178.170.30" for an
# absolute-form (proxy-style) request line; presumably the source URL IOC had no path and the generator emitted the host
# as a URI match. Expect this rule to stay silent in most deployments - host-level coverage for 193.178.170.30 comes from
# the ip:port rule sid 91244626 (port 7771) instead. Verify against the referenced IOC before relying on this one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.178.170.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1244620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; 
sid:91244620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzp02itt0a.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244625; rev:1;) alert tcp $HOME_NET any -> [193.178.170.30] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244626; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 4002 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"194.165.16.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244635; rev:1;) alert tcp $HOME_NET any -> [194.165.16.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-socks.expert"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks.expert"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmjs_pollauthapibasecdndownloads.php"; depth:45; nocase; http.host; content:"h172956.srv11.test-hf.su"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/fre.php"; depth:18; 
nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244629; rev:1;)
# NOTE(review): sid 91244628 below has exactly the same detection criteria as the preceding sid 91244629
# (GET /kioy/five/fre.php with Host 91.92.252.146); the two differ only in the confidence_level metadata (100 vs 75)
# and the referenced IOC id. Both will fire on the same request, producing duplicate alerts - keep one of the pair,
# or add a suppress/threshold for the other, when loading this feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/fre.php"; depth:18; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244628; rev:1;) alert tcp $HOME_NET any -> [95.217.250.22] 36043 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244627; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244624; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244623; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244622; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244621; rev:1;) alert tcp $HOME_NET any -> [181.131.218.39] 4041 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.107.70.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; 
content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"161.35.186.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244607; rev:1;) alert tcp $HOME_NET any -> [84.46.240.42] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244606; rev:1;) alert tcp $HOME_NET any -> [111.229.149.200] 8888 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244605; rev:1;) alert tcp $HOME_NET any -> [20.19.32.59] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244604; rev:1;) alert tcp $HOME_NET any -> [46.246.14.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244603; rev:1;) alert tcp $HOME_NET any -> [85.110.178.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244602; rev:1;) alert tcp $HOME_NET any -> [37.56.108.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244601; rev:1;) alert tcp $HOME_NET any -> [89.23.107.13] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244600; rev:1;) alert tcp $HOME_NET any -> [81.95.8.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244599; rev:1;) alert tcp $HOME_NET any -> [172.105.0.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244598; rev:1;) alert tcp $HOME_NET any -> [124.223.215.119] 65413 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244597; rev:1;) alert tcp $HOME_NET any -> [37.1.214.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244596; rev:1;) alert tcp $HOME_NET any -> [172.247.113.97] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244595; rev:1;) alert tcp $HOME_NET any -> [151.236.16.48] 5901 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244594; rev:1;) alert tcp $HOME_NET any -> [23.227.202.28] 35676 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244593; rev:1;) alert tcp $HOME_NET any -> [23.94.120.119] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244592; rev:1;) alert tcp $HOME_NET any -> [104.238.60.87] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244591; rev:1;) alert tcp $HOME_NET any -> [143.244.186.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244590; rev:1;) alert tcp $HOME_NET any -> [69.176.89.82] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244589; rev:1;) alert tcp $HOME_NET any -> [179.60.150.34] 80 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"179.60.150.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/q9dyqu9x6rjwvcdqhumrmy"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244582; rev:1;) alert tcp $HOME_NET any -> [65.21.21.176] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244581; rev:1;) alert tcp $HOME_NET any -> [193.203.203.211] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"afdhf198jfadafdkfad.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244579; rev:1;) alert tcp $HOME_NET any -> [65.21.21.176] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpollsqldblinuxgenerator.php"; depth:36; nocase; http.host; content:"113304cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244577; rev:1;) alert tcp $HOME_NET any -> [65.108.20.226] 37715 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"41.231.54.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"96.126.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"200.58.122.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; 
content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244575; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 17647 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244567; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17647 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244568; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 10352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244569; rev:1;) alert tcp $HOME_NET any -> [117.72.46.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.72.46.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244565/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"60.246.28.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244564; rev:1;) alert tcp $HOME_NET any -> [104.237.252.14] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244541; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 19976 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244515; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 19976 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244514; rev:1;) alert tcp $HOME_NET any -> [145.239.202.110] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dark.vbs"; depth:9; nocase; http.host; content:"145.239.202.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.69.242.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244562; rev:1;) alert tcp $HOME_NET any -> [159.203.67.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizjqpi1.azureedge.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filesystem.htm"; depth:15; nocase; http.host; content:"wizjqpi1.azureedge.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.100.229.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv"; depth:3; nocase; http.host; content:"154.82.81.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as"; depth:3; nocase; http.host; content:"154.82.81.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trailcocompany.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244552; rev:1;) alert tcp $HOME_NET any -> [137.220.55.94] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244551; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/2i00fa-t5zxohtu1hspr"; depth:25; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/4zt2say1wkoheml0x8bbfa"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dam.html"; depth:9; nocase; http.host; content:"firmwarefusion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/vfo2"; depth:5; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244544; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 23333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244543; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.180.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199649267298"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uprizin"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.180.93"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244533; rev:1;) alert tcp $HOME_NET any -> [5.75.214.7] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244532; rev:1;) alert tcp $HOME_NET any -> [188.120.254.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244531; rev:1;) alert tcp $HOME_NET any -> [157.245.16.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244530; rev:1;) alert tcp $HOME_NET any -> [85.192.40.131] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244529; rev:1;) alert tcp $HOME_NET any -> [59.174.225.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244528; rev:1;) alert tcp $HOME_NET any -> [46.246.12.2] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244527; rev:1;) alert tcp $HOME_NET any -> [41.99.9.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244526; rev:1;) alert tcp $HOME_NET any -> [201.124.218.102] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244525; rev:1;) alert tcp $HOME_NET any -> [146.19.173.108] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244524; rev:1;) alert tcp $HOME_NET any -> [185.130.46.231] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244523; rev:1;) alert tcp $HOME_NET any -> [185.94.164.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244522; rev:1;) alert tcp $HOME_NET any -> [37.1.214.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244521; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 8082 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244520; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 445 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244519; rev:1;) alert tcp $HOME_NET any -> [172.174.105.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244518; rev:1;) alert tcp $HOME_NET any -> [179.8.14.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244517; rev:1;) alert tcp $HOME_NET any -> [103.214.173.80] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/line/updateflower4external/eternalpacketprocesslongpollprotectbasewindowstraffictemporary.php"; depth:94; nocase; http.host; content:"95.142.35.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244513; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244451; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"electric-guest.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244455; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 35608 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"points-detect.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artist-shared.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stories-boulevard.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244459; rev:1;) alert tcp $HOME_NET any -> [45.85.117.121] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244468/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244468; rev:1;) alert tcp $HOME_NET any -> [37.221.67.4] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244467/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244467; rev:1;) alert tcp $HOME_NET any -> [5.255.115.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244465/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244465; rev:1;) alert tcp $HOME_NET any -> [5.255.118.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244466/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244466; rev:1;) alert tcp $HOME_NET any -> [45.61.156.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244463/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244463; rev:1;) alert tcp $HOME_NET any -> [193.168.143.128] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244464/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244464; rev:1;) alert tcp $HOME_NET any -> [155.94.208.159] 443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244462/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244462; rev:1;) alert tcp $HOME_NET any -> [5.255.120.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244461/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244461; rev:1;) alert tcp $HOME_NET any -> [193.168.143.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244460/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244460; rev:1;) alert tcp $HOME_NET any -> [45.129.199.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244469/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244469; rev:1;) alert tcp $HOME_NET any -> [46.246.98.52] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244470/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244470; rev:1;) alert tcp $HOME_NET any -> [80.66.88.70] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244471/; target:src_ip; metadata: 
confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244471; rev:1;) alert tcp $HOME_NET any -> [155.94.208.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244472/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244472; rev:1;) alert tcp $HOME_NET any -> [193.168.143.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244473/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244473; rev:1;) alert tcp $HOME_NET any -> [217.195.153.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244474; rev:1;) alert tcp $HOME_NET any -> [209.54.96.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244475; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244486; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244484; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244485; rev:1;) alert tcp $HOME_NET any -> [37.44.238.80] 8190 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244483/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244483; rev:1;) alert tcp $HOME_NET any -> [5.199.161.93] 6783 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244512/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244512; rev:1;) alert tcp $HOME_NET any -> [182.149.199.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244511; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244510; rev:1;) alert tcp 
$HOME_NET any -> [187.135.95.46] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244509; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244508; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244507; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244506; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244505; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244504/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244504; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244503; rev:1;) alert tcp $HOME_NET any -> [107.148.37.67] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244502; rev:1;) alert tcp $HOME_NET any -> [89.23.103.208] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244501; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244500; rev:1;) alert tcp $HOME_NET any -> [69.30.232.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244499; rev:1;) alert tcp $HOME_NET any -> [38.207.173.147] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244498; rev:1;) alert tcp $HOME_NET any -> [188.25.164.217] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244497; rev:1;) alert tcp $HOME_NET any -> [193.233.132.69] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244496; rev:1;) alert tcp $HOME_NET any -> [144.202.23.219] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244495; rev:1;) alert tcp $HOME_NET any -> [46.226.166.200] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244494; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244493; rev:1;) alert tcp $HOME_NET 
any -> [95.216.180.93] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244492; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244491; rev:1;) alert tcp $HOME_NET any -> [116.202.2.143] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244490; rev:1;) alert tcp $HOME_NET any -> [5.75.213.10] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244489; rev:1;) alert tcp $HOME_NET any -> [5.75.213.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244488; rev:1;) alert tcp $HOME_NET any -> [128.90.115.54] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244487/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_03_05; classtype:trojan-activity; sid:91244487; rev:1;) alert tcp $HOME_NET any -> [91.92.242.139] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244454; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 30641 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244453; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244450; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244448; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244449; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244447; rev:1;) alert tcp $HOME_NET any -> [195.54.170.36] 22033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/index.php"; depth:21; nocase; http.host; content:"91.92.242.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244445; rev:1;) alert tcp $HOME_NET any -> [157.230.110.136] 8899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244434; rev:1;) alert tcp $HOME_NET any -> [45.128.232.238] 999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244435; rev:1;) alert tcp $HOME_NET any -> [91.92.244.11] 6697 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244436; rev:1;) alert tcp $HOME_NET any -> [20.205.11.156] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244444; rev:1;) alert tcp $HOME_NET any -> [84.201.167.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244443; rev:1;) alert tcp $HOME_NET any -> [104.233.192.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244442; rev:1;) alert tcp $HOME_NET any -> [72.27.83.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244441; rev:1;) alert tcp $HOME_NET any -> [152.136.171.162] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244440; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244439; rev:1;) alert tcp $HOME_NET any -> [154.90.62.224] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244438; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 43029 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244437; rev:1;) alert tcp $HOME_NET any -> [43.154.25.56] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onedogsclub.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wipresolutions.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244424; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recentbeelive.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailcocompany.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailcosolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artstrailreviews.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244428; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16267 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244432; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16267 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244431; rev:1;) alert tcp $HOME_NET any -> [94.72.114.95] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244420; rev:1;) alert tcp $HOME_NET any -> [65.109.11.145] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244418; rev:1;) alert tcp $HOME_NET any -> [116.202.2.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.2.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244416; rev:1;) alert tcp $HOME_NET any -> [49.12.103.42] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.11.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244414; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 23597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"314.hongdrama.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hongdrama.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order%20list.vbs"; depth:17; nocase; http.host; content:"37.49.228.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/purchase.vbs"; depth:13; nocase; http.host; content:"37.49.228.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dark.vbs"; depth:9; nocase; http.host; content:"149.56.252.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244408; rev:1;) alert tcp $HOME_NET any -> [103.78.0.41] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.vani.ovh"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244240/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244240; rev:1;) alert tcp 
$HOME_NET any -> [194.127.178.5] 23597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.moneymakernation.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244250; rev:1;) alert tcp $HOME_NET any -> [45.155.249.96] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244251; rev:1;) alert tcp $HOME_NET any -> [107.175.3.10] 7536 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zofav.aus.mimico-cooperative.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244255; rev:1;) alert tcp $HOME_NET any -> [149.56.252.31] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244404; rev:1;) alert tcp $HOME_NET any -> [107.175.3.10] 7536 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aus.mimico-cooperative.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"149.56.252.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/web/path/gate.php"; depth:20; nocase; http.host; content:"myetherwallet.kl.com.ua"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/1/web/gate.php"; depth:15; nocase; http.host; content:"myetherwallet.kl.com.ua"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244405; rev:1;) alert tcp $HOME_NET any -> [139.59.16.171] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244402; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30092 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244403; rev:1;) alert tcp $HOME_NET any -> [165.232.101.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244401; rev:1;) alert tcp $HOME_NET any -> [74.207.231.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244400; rev:1;) alert tcp $HOME_NET any -> [54.148.146.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244399/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244399; rev:1;) alert tcp $HOME_NET any -> [47.99.186.100] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244398; rev:1;) alert tcp $HOME_NET any -> [18.192.93.230] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244397; rev:1;) alert tcp $HOME_NET any -> [93.119.13.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244396; rev:1;) alert tcp $HOME_NET any -> [121.37.222.182] 5001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244395; rev:1;) alert tcp $HOME_NET any -> [20.212.234.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244394; rev:1;) alert tcp $HOME_NET any -> [194.182.90.109] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244393; rev:1;) alert tcp $HOME_NET any -> [3.69.130.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244392; rev:1;) alert tcp $HOME_NET any -> [43.136.86.22] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244391; rev:1;) alert tcp $HOME_NET any -> [106.15.52.156] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244390; rev:1;) alert tcp $HOME_NET any -> [43.229.134.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244389; rev:1;) alert tcp $HOME_NET any -> [198.13.46.179] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244388/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244388; rev:1;) alert tcp $HOME_NET any -> [24.199.126.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244387; rev:1;) alert tcp $HOME_NET any -> [43.132.234.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244386; rev:1;) alert tcp $HOME_NET any -> [64.226.106.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244385; rev:1;) alert tcp $HOME_NET any -> [128.199.98.189] 43333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244384; rev:1;) alert tcp $HOME_NET any -> [54.89.6.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244383; rev:1;) alert tcp $HOME_NET any -> [3.21.161.218] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244382; rev:1;) alert tcp $HOME_NET any -> [91.134.226.170] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244381; rev:1;) alert tcp $HOME_NET any -> [159.89.212.121] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244380; rev:1;) alert tcp $HOME_NET any -> [186.121.34.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244379; rev:1;) alert tcp $HOME_NET any -> [149.129.241.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244378; rev:1;) alert tcp $HOME_NET any -> [3.135.49.252] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244377/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244377; rev:1;) alert tcp $HOME_NET any -> [52.28.220.250] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244376; rev:1;) alert tcp $HOME_NET any -> [52.28.220.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244375; rev:1;) alert tcp $HOME_NET any -> [103.27.202.188] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244374; rev:1;) alert tcp $HOME_NET any -> [44.222.157.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accountcapabilities-pa.accguide.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ip177.ip-51-210-73.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244371; rev:1;) alert tcp $HOME_NET any -> [154.223.21.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244370; rev:1;) alert tcp $HOME_NET any -> [91.92.242.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244369; rev:1;) alert tcp $HOME_NET any -> [117.72.10.229] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244368; rev:1;) alert tcp $HOME_NET any -> [8.140.55.145] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244367; rev:1;) alert tcp $HOME_NET any -> [34.172.89.75] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244366/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.niggas.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binplat.elementfx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"se-5.ironhide.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244364; rev:1;) alert tcp $HOME_NET any -> [134.255.254.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244362; rev:1;) alert tcp $HOME_NET any -> [81.230.10.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244361; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 80 
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244360; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244359; rev:1;) alert tcp $HOME_NET any -> [194.127.178.5] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244358; rev:1;) alert tcp $HOME_NET any -> [36.152.201.67] 65535 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244357; rev:1;) alert tcp $HOME_NET any -> [183.249.20.106] 8090 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip140.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244355/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244355; rev:1;) alert tcp $HOME_NET any -> [34.200.37.176] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-200-37-176.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244354; rev:1;) alert tcp $HOME_NET any -> [195.211.97.9] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244352; rev:1;) alert tcp $HOME_NET any -> [20.77.71.31] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244351; rev:1;) alert tcp $HOME_NET any -> [185.78.76.40] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244350; rev:1;) alert tcp $HOME_NET any -> [193.222.96.33] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244349; rev:1;) alert tcp $HOME_NET any -> [45.128.96.74] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244348; rev:1;) alert tcp $HOME_NET any -> [172.208.54.18] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244347; rev:1;) alert tcp $HOME_NET any -> [91.92.242.137] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kardiocentrumnitra-fingera.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fresocialcasinogames.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244344/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"126.124.141.34.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-169-174-23.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edgarmcneil.autos"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244341; rev:1;) alert tcp $HOME_NET any -> [81.69.242.185] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244340; rev:1;) alert tcp $HOME_NET any -> [81.69.242.185] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244339; rev:1;) alert tcp $HOME_NET any -> 
[191.82.223.234] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244338; rev:1;) alert tcp $HOME_NET any -> [14.225.210.222] 12345 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244337; rev:1;) alert tcp $HOME_NET any -> [181.162.168.165] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244336; rev:1;) alert tcp $HOME_NET any -> [185.221.198.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244335; rev:1;) alert tcp $HOME_NET any -> [45.145.42.229] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas5.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mesixcrypto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fi119-files.canceltap.online"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.devsapi.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244331; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244329; rev:1;) alert tcp $HOME_NET any -> [185.174.101.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244328; rev:1;) alert 
tcp $HOME_NET any -> [147.124.217.110] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244327; rev:1;) alert tcp $HOME_NET any -> [94.156.69.174] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244326; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244324; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244325; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244323; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 1996 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244322/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244322; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244321; rev:1;) alert tcp $HOME_NET any -> [45.138.16.125] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244320; rev:1;) alert tcp $HOME_NET any -> [135.125.21.74] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244319; rev:1;) alert tcp $HOME_NET any -> [139.162.63.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244318; rev:1;) alert tcp $HOME_NET any -> [15.235.166.83] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244317/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244317; rev:1;) alert tcp $HOME_NET any -> [5.180.151.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244315/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244315; rev:1;) alert tcp $HOME_NET any -> [91.149.253.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244316/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244316; rev:1;) alert tcp $HOME_NET any -> [194.87.213.6] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244314/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244314; rev:1;) alert tcp $HOME_NET any -> [68.183.236.120] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244313/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244313; rev:1;) alert tcp $HOME_NET any -> [64.225.53.227] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244311/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244311; rev:1;) alert tcp $HOME_NET any -> [207.174.3.213] 38443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244312/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244312; rev:1;) alert tcp 
$HOME_NET any -> [105.102.177.34] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244309; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244307; rev:1;) alert tcp $HOME_NET any -> [121.199.40.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244308; rev:1;) alert tcp $HOME_NET any -> [121.5.69.117] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244306; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244305; rev:1;) alert tcp $HOME_NET any -> [124.70.158.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244304; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244303; rev:1;) alert tcp $HOME_NET any -> [1.32.228.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244301; rev:1;) alert tcp $HOME_NET any -> [209.141.44.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244302; rev:1;) alert tcp $HOME_NET any -> [120.46.94.192] 8785 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244300; rev:1;) alert tcp $HOME_NET any -> [8.130.105.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244299; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244297; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244298; rev:1;) alert tcp $HOME_NET any -> [95.169.24.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244296; rev:1;) alert tcp $HOME_NET any -> [47.236.248.52] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244295; rev:1;) alert tcp $HOME_NET any -> [47.236.248.52] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244294; rev:1;) alert tcp $HOME_NET any -> [193.42.61.102] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244293/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244293; rev:1;) alert tcp $HOME_NET any -> [61.160.207.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244291; rev:1;) alert tcp $HOME_NET any -> [101.34.243.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244292; rev:1;) alert tcp $HOME_NET any -> [123.57.204.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244290; rev:1;) alert tcp $HOME_NET any -> [8.130.119.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244289; rev:1;) alert tcp $HOME_NET any -> [94.156.66.44] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244287; rev:1;) alert tcp $HOME_NET any -> [8.130.119.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244288; rev:1;) alert tcp $HOME_NET any -> [146.190.160.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244286; rev:1;) alert tcp $HOME_NET any -> [45.159.210.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244285; rev:1;) alert tcp $HOME_NET any -> [60.204.133.143] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244283; rev:1;) alert tcp $HOME_NET any -> [45.159.210.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244284; rev:1;) alert tcp $HOME_NET any -> [107.173.171.251] 65443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovial-ellis.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244281; rev:1;) alert tcp $HOME_NET any -> [49.4.115.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244280; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244278; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244279; rev:1;) alert tcp $HOME_NET any -> [43.241.16.222] 56158 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244277; rev:1;) alert tcp $HOME_NET any -> [49.235.169.136] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244276; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 8023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244275; rev:1;) alert tcp $HOME_NET any -> [43.156.27.199] 804 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244274; rev:1;) alert tcp $HOME_NET any -> [139.180.192.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244272; rev:1;) alert tcp $HOME_NET any -> [123.254.107.57] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244273; rev:1;) alert tcp $HOME_NET any -> [139.180.192.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angry-khorana.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucaresupport.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nice-torvalds.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-71-186-178.ipv4.staticdns2.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244267; rev:1;) alert tcp $HOME_NET any -> [42.192.4.189] 54333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244265; rev:1;) alert tcp $HOME_NET any 
-> [38.6.223.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-110-41-134-233.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192.lan-vg2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jovial-ellis.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dirapushka.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"www.festive-euclid.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adoring-hellman.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ucaresupport.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautiful-fermi.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244257; rev:1;) alert tcp $HOME_NET any -> [123.60.159.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.14.28.172"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.233.44.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"80.85.154.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244244/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"49.233.44.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244242; rev:1;) alert tcp $HOME_NET any -> [103.67.163.213] 9462 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.199.180.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.4.154.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244235; rev:1;) alert tcp $HOME_NET any -> [45.77.160.60] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.recentbeelive.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244233; rev:1;) alert tcp $HOME_NET any -> [108.61.210.72] 53 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.netiapp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.netiapp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.4.154.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/require-jquery-v1.js"; depth:21; nocase; http.host; content:"47.104.28.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244225; rev:1;) alert tcp $HOME_NET any -> [206.238.199.68] 48458 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvs/inc/c874c1a5333207.php"; depth:27; nocase; http.host; content:"www.texlandbd.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244222; rev:1;) alert tcp $HOME_NET any -> [62.72.185.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244176; rev:1;) alert tcp $HOME_NET any -> [62.72.185.45] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244177; rev:1;) alert tcp $HOME_NET any -> [62.72.185.68] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244179; rev:1;) alert tcp $HOME_NET any -> [62.72.185.58] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244178; rev:1;) alert tcp $HOME_NET any -> [62.72.185.92] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244180; rev:1;) alert tcp $HOME_NET any -> [204.76.203.18] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244183; rev:1;) alert tcp $HOME_NET any -> [62.72.185.110] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244181; rev:1;) alert tcp $HOME_NET any -> [204.76.203.17] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244182; rev:1;) alert tcp $HOME_NET any -> [204.76.203.22] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244184; rev:1;) alert tcp $HOME_NET any -> [204.76.203.23] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244185; rev:1;) alert tcp $HOME_NET any -> [204.76.203.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244186; rev:1;) alert tcp $HOME_NET any -> [204.76.203.25] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; 
sid:91244187; rev:1;) alert tcp $HOME_NET any -> [204.76.203.26] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244188; rev:1;) alert tcp $HOME_NET any -> [204.76.203.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244189; rev:1;) alert tcp $HOME_NET any -> [204.76.203.28] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244190; rev:1;) alert tcp $HOME_NET any -> [204.76.203.29] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244191; rev:1;) alert tcp $HOME_NET any -> [204.76.203.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244192; rev:1;) alert tcp $HOME_NET any -> [204.76.203.31] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244193; rev:1;) alert tcp $HOME_NET any -> [204.76.203.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244194; rev:1;) alert tcp $HOME_NET any -> [204.76.203.242] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244195; rev:1;) alert tcp $HOME_NET any -> [204.76.203.244] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244196; rev:1;) alert tcp $HOME_NET any -> [5.181.80.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244199; rev:1;) alert tcp $HOME_NET any -> [204.76.203.248] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244197; rev:1;) alert 
tcp $HOME_NET any -> [5.181.80.49] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244198; rev:1;) alert tcp $HOME_NET any -> [5.181.80.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244200; rev:1;) alert tcp $HOME_NET any -> [5.181.80.56] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244201; rev:1;) alert tcp $HOME_NET any -> [5.181.80.82] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244202; rev:1;) alert tcp $HOME_NET any -> [5.181.80.83] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244203; rev:1;) alert tcp $HOME_NET any -> [5.181.80.102] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244205; rev:1;) alert tcp $HOME_NET any -> [5.181.80.123] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244206; rev:1;) alert tcp $HOME_NET any -> [5.181.80.156] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244207; rev:1;) alert tcp $HOME_NET any -> [5.181.80.100] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244204; rev:1;) alert tcp $HOME_NET any -> [5.181.80.173] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244208; rev:1;) alert tcp $HOME_NET any -> [5.181.80.174] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244209; rev:1;) alert tcp $HOME_NET any -> [5.181.80.175] 3090 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244210; rev:1;) alert tcp $HOME_NET any -> [5.181.80.176] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244211; rev:1;) alert tcp $HOME_NET any -> [5.181.80.178] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244212; rev:1;) alert tcp $HOME_NET any -> [5.181.80.192] 38421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244213; rev:1;) alert tcp $HOME_NET any -> [46.101.135.216] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244214; rev:1;) alert tcp $HOME_NET any -> [138.197.171.172] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244215/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244215; rev:1;) alert tcp $HOME_NET any -> [143.110.247.222] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244216; rev:1;) alert tcp $HOME_NET any -> [147.182.149.112] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244217; rev:1;) alert tcp $HOME_NET any -> [147.182.149.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244218; rev:1;) alert tcp $HOME_NET any -> [159.89.191.108] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244219; rev:1;) alert tcp $HOME_NET any -> [167.99.190.250] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244220; rev:1;) alert tcp $HOME_NET any -> [178.62.242.26] 1311 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244221; rev:1;) alert tcp $HOME_NET any -> [62.72.185.34] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244175; rev:1;) alert tcp $HOME_NET any -> [62.72.185.28] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244174; rev:1;) alert tcp $HOME_NET any -> [142.171.8.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244173; rev:1;) alert tcp $HOME_NET any -> [79.137.207.163] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244172; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244171/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244171; rev:1;) alert tcp $HOME_NET any -> [3.112.78.101] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244170; rev:1;) alert tcp $HOME_NET any -> [45.32.91.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244169; rev:1;) alert tcp $HOME_NET any -> [185.203.116.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244168; rev:1;) alert tcp $HOME_NET any -> [109.248.150.210] 50270 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244167; rev:1;) alert tcp $HOME_NET any -> [34.31.226.230] 37558 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244164; rev:1;) alert tcp $HOME_NET any -> [103.186.117.243] 1947 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"originwealth.ydns.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sew/inc/10a5031d37bc79.php"; depth:27; nocase; http.host; content:"originwealth.ydns.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"ct46452.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244161; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c44a765f550f6a2f.php"; depth:21; nocase; http.host; content:"89.105.201.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244160; rev:1;) alert tcp $HOME_NET any -> [20.84.67.57] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244159; rev:1;) alert tcp $HOME_NET any -> [82.120.216.108] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244158; rev:1;) alert tcp $HOME_NET any -> [216.238.83.84] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244157/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244157; rev:1;) alert tcp $HOME_NET any -> [74.48.220.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244156; rev:1;) alert tcp $HOME_NET any -> [45.67.228.91] 3666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagevideopipetempdownloads.php"; depth:39; nocase; http.host; content:"82.146.60.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244154; rev:1;) alert tcp $HOME_NET any -> [136.244.118.172] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244149/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244149; rev:1;) alert tcp $HOME_NET any -> [143.198.136.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244150/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244150; rev:1;) alert tcp $HOME_NET any -> [146.190.128.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244151; rev:1;) alert tcp $HOME_NET any -> [159.223.67.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244152/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244152; rev:1;) alert tcp $HOME_NET any -> [78.141.224.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244153/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.141.224.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"146.190.128.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.223.67.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"143.198.136.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"136.244.118.172"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pe/build.php"; depth:13; nocase; http.host; content:"yarnglove.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pstbbk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/du.php"; depth:7; nocase; http.host; content:"glovefire.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244141/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_03; classtype:trojan-activity; sid:91244141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dub.php"; depth:8; nocase; http.host; content:"glovefire.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gdfjkghndfjkghdfjkghdf.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pp.php"; depth:7; nocase; http.host; content:"chessfang.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244139; rev:1;) alert tcp $HOME_NET any -> [47.236.111.110] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244137; rev:1;) alert tcp $HOME_NET any -> [119.29.225.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244136/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244136; rev:1;) alert tcp $HOME_NET any -> [114.215.183.77] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244135/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244135; rev:1;) alert tcp $HOME_NET any -> [89.208.253.204] 4433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244134/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244134; rev:1;) alert tcp $HOME_NET any -> [38.6.164.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244133/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244133; rev:1;) alert tcp $HOME_NET any -> [193.233.132.113] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244132; rev:1;) alert tcp $HOME_NET any -> [193.233.132.194] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244131; rev:1;) alert tcp $HOME_NET any -> [87.241.217.87] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244130; rev:1;) alert tcp $HOME_NET any -> [65.0.98.39] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244129; rev:1;) alert tcp $HOME_NET any -> [185.62.57.11] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244128; rev:1;) alert tcp $HOME_NET any -> [184.144.200.107] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244127; rev:1;) alert tcp $HOME_NET any -> [213.142.159.91] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244126; rev:1;) alert tcp $HOME_NET any -> [94.98.194.203] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244125; rev:1;) alert tcp $HOME_NET any -> 
[94.96.157.6] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244124; rev:1;) alert tcp $HOME_NET any -> [94.49.180.101] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244123; rev:1;) alert tcp $HOME_NET any -> [64.237.212.192] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244122; rev:1;) alert tcp $HOME_NET any -> [41.109.32.78] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244121; rev:1;) alert tcp $HOME_NET any -> [140.82.54.39] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244120; rev:1;) alert tcp $HOME_NET any -> [45.74.60.199] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244119/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244119; rev:1;) alert tcp $HOME_NET any -> [185.29.11.37] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244118; rev:1;) alert tcp $HOME_NET any -> [41.68.133.39] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244117; rev:1;) alert tcp $HOME_NET any -> [38.146.219.232] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244116; rev:1;) alert tcp $HOME_NET any -> [50.3.70.191] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244115; rev:1;) alert tcp $HOME_NET any -> [45.88.186.108] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244114; rev:1;) alert tcp $HOME_NET any -> [185.169.180.151] 82 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244113; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244112; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244111; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2154 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244110; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2081 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244109; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244108; rev:1;) alert tcp 
$HOME_NET any -> [187.135.85.245] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244107; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244106; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244105; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244104; rev:1;) alert tcp $HOME_NET any -> [198.50.138.20] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244103; rev:1;) alert tcp $HOME_NET any -> [198.27.120.255] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244102/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244102; rev:1;) alert tcp $HOME_NET any -> [80.253.246.36] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244101; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244100; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244099; rev:1;) alert tcp $HOME_NET any -> [31.156.119.149] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244098; rev:1;) alert tcp $HOME_NET any -> [88.243.82.116] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244097; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2002 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244096; rev:1;) alert tcp $HOME_NET any -> [185.219.177.105] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244095; rev:1;) alert tcp $HOME_NET any -> [83.229.84.160] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244094; rev:1;) alert tcp $HOME_NET any -> [193.222.96.115] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244093; rev:1;) alert tcp $HOME_NET any -> [87.120.84.188] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244092; rev:1;) alert tcp $HOME_NET any -> [213.14.155.98] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244091; rev:1;) 
alert tcp $HOME_NET any -> [108.165.106.7] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244090; rev:1;) alert tcp $HOME_NET any -> [154.197.98.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244089; rev:1;) alert tcp $HOME_NET any -> [87.121.87.101] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244088; rev:1;) alert tcp $HOME_NET any -> [159.65.150.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244087; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244086; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244085; rev:1;) alert tcp $HOME_NET any -> [42.193.16.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244084; rev:1;) alert tcp $HOME_NET any -> [47.97.110.109] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244083; rev:1;) alert tcp $HOME_NET any -> [81.70.0.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244082; rev:1;) alert tcp $HOME_NET any -> [117.50.182.87] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244081; rev:1;) alert tcp $HOME_NET any -> [39.105.101.138] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244080; rev:1;) alert tcp $HOME_NET any -> [8.222.165.110] 50050 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244079; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244078; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244077; rev:1;) alert tcp $HOME_NET any -> [110.41.134.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244076; rev:1;) alert tcp $HOME_NET any -> [103.191.15.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244075; rev:1;) alert tcp $HOME_NET any -> [119.3.220.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244074/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244074; rev:1;) alert tcp $HOME_NET any -> [101.133.164.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244073; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244072/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244072; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244071; rev:1;) alert tcp $HOME_NET any -> [114.132.218.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244070; rev:1;) alert tcp $HOME_NET any -> [139.9.41.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244069; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244068; rev:1;) alert tcp $HOME_NET any -> [121.40.63.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244067; rev:1;) alert tcp $HOME_NET any -> [34.82.156.114] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244066; rev:1;) alert tcp $HOME_NET any -> [104.225.235.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244065; rev:1;) alert tcp $HOME_NET any -> [137.220.197.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244064; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; 
sid:91244063; rev:1;) alert tcp $HOME_NET any -> [149.88.75.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244062; rev:1;) alert tcp $HOME_NET any -> [204.93.201.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244061; rev:1;) alert tcp $HOME_NET any -> [47.76.140.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244060; rev:1;) alert tcp $HOME_NET any -> [15.168.110.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244059; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244058; rev:1;) alert tcp $HOME_NET any -> [103.163.208.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244057; rev:1;) alert tcp $HOME_NET any -> [45.86.162.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244056; rev:1;) alert tcp $HOME_NET any -> [88.214.27.74] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244055; rev:1;) alert tcp $HOME_NET any -> [64.23.179.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244054; rev:1;) alert tcp $HOME_NET any -> [107.151.240.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244053; rev:1;) alert tcp $HOME_NET any -> [104.21.67.23] 443 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244052/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244052; rev:1;) alert tcp $HOME_NET any -> [85.114.96.2] 80 (msg:"ThreatFox 
MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244051/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244051; rev:1;) alert tcp $HOME_NET any -> [172.67.211.144] 80 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244050/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244050; rev:1;) alert tcp $HOME_NET any -> [54.221.151.132] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244049; rev:1;) alert tcp $HOME_NET any -> [13.232.135.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244048; rev:1;) alert tcp $HOME_NET any -> [54.221.151.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244047; rev:1;) alert tcp $HOME_NET any -> [103.86.130.103] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244046/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91244046; rev:1;) alert tcp $HOME_NET any -> [103.86.130.78] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244045/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244045; rev:1;) alert tcp $HOME_NET any -> [103.86.131.147] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244044; rev:1;) alert tcp $HOME_NET any -> [220.69.33.81] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244043/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244043; rev:1;) alert tcp $HOME_NET any -> [103.86.131.60] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244042; rev:1;) alert tcp $HOME_NET any -> [13.37.127.130] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244041/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244041; rev:1;) alert tcp $HOME_NET any -> [45.67.231.21] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244040/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244040; rev:1;) alert tcp $HOME_NET any -> [18.232.250.39] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244039/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244039; rev:1;) alert tcp $HOME_NET any -> [172.233.33.155] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244038/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244038; rev:1;) alert tcp $HOME_NET any -> [52.87.175.64] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244037/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244037; rev:1;) alert tcp $HOME_NET any -> [159.100.13.218] 8889 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244036/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244036; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244035/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244035; rev:1;) alert tcp $HOME_NET any -> [4.245.215.11] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244034/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244034; rev:1;) alert tcp $HOME_NET any -> [13.232.153.222] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244033/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244033; rev:1;) alert tcp $HOME_NET any -> [175.136.80.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244032/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244032; rev:1;) alert tcp $HOME_NET any -> [38.87.196.103] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244031/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244031; rev:1;) alert tcp $HOME_NET any -> [91.92.241.10] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244030/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244030; rev:1;) alert tcp $HOME_NET any -> [13.233.120.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; 
sid:91244029; rev:1;) alert tcp $HOME_NET any -> [109.123.247.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244028/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244028; rev:1;) alert tcp $HOME_NET any -> [144.217.238.169] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244027; rev:1;) alert tcp $HOME_NET any -> [159.223.86.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244026; rev:1;) alert tcp $HOME_NET any -> [77.91.74.224] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244025; rev:1;) alert tcp $HOME_NET any -> [46.4.162.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244024; rev:1;) alert tcp $HOME_NET any -> [207.154.218.205] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244023; rev:1;) alert tcp $HOME_NET any -> [43.204.111.25] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244022; rev:1;) alert tcp $HOME_NET any -> [38.92.97.13] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244021/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244021; rev:1;) alert tcp $HOME_NET any -> [145.239.230.233] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244020; rev:1;) alert tcp $HOME_NET any -> [201.230.41.153] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244019; rev:1;) alert tcp $HOME_NET any -> [128.46.157.249] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244018/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244018; rev:1;) alert tcp $HOME_NET any -> [108.59.196.9] 3790 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244017/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244017; rev:1;) alert tcp $HOME_NET any -> [38.87.198.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244016/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244016; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244015; rev:1;) alert tcp $HOME_NET any -> [206.188.196.251] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244014; rev:1;) alert tcp $HOME_NET any -> [5.255.102.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244013/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244013; rev:1;) alert tcp $HOME_NET any -> [198.52.128.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244012/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91244012; rev:1;) alert tcp $HOME_NET any -> [64.190.113.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244011/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244011; rev:1;) alert tcp $HOME_NET any -> [54.193.250.83] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244010/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244010; rev:1;) alert tcp $HOME_NET any -> [173.249.11.184] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244009/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244009; rev:1;) alert tcp $HOME_NET any -> [217.160.39.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244008; rev:1;) alert tcp $HOME_NET any -> [34.16.167.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244007/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244007; rev:1;) alert tcp $HOME_NET any -> [123.16.208.62] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1244006/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244006; rev:1;) alert tcp $HOME_NET any -> [51.116.102.221] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244005/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244005; rev:1;) alert tcp $HOME_NET any -> [41.216.183.181] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244004; rev:1;) alert tcp $HOME_NET any -> [193.32.162.64] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244003/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244003; rev:1;) alert tcp $HOME_NET any -> [185.81.114.195] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244002/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244002; rev:1;) alert tcp $HOME_NET any -> [78.38.80.242] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244001/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244001; rev:1;) alert tcp $HOME_NET any -> [60.204.215.22] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244000; rev:1;) alert tcp $HOME_NET any -> [176.123.3.245] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243999; rev:1;) alert tcp $HOME_NET any -> [152.89.198.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243998/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243998; rev:1;) alert tcp $HOME_NET any -> [41.216.189.203] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243997; rev:1;) alert tcp $HOME_NET any -> [49.13.130.177] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243996; rev:1;) alert tcp $HOME_NET any -> [194.0.206.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243995/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243995; rev:1;) alert tcp $HOME_NET any -> [107.175.0.200] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243994; rev:1;) alert tcp $HOME_NET any -> [213.109.202.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243993; rev:1;) alert tcp $HOME_NET any -> [158.255.1.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243992/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243992; rev:1;) alert tcp $HOME_NET any -> [175.136.87.155] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243991; rev:1;) alert tcp $HOME_NET any -> [185.158.248.34] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243990; rev:1;) alert tcp $HOME_NET any -> [141.98.234.46] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243989; rev:1;) alert tcp $HOME_NET any -> [108.30.148.85] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243988; rev:1;) alert tcp $HOME_NET any -> [77.105.166.172] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243987/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243987; rev:1;) alert tcp $HOME_NET any -> [83.41.137.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243986; rev:1;) alert tcp $HOME_NET any -> [38.99.82.235] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243985; rev:1;) alert tcp $HOME_NET any -> [88.119.167.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243984; rev:1;) alert tcp $HOME_NET 
any -> [37.27.5.78] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243983; rev:1;) alert tcp $HOME_NET any -> [95.216.221.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243982; rev:1;) alert tcp $HOME_NET any -> [45.227.254.4] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243981; rev:1;) alert tcp $HOME_NET any -> [130.51.22.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243980; rev:1;) alert tcp $HOME_NET any -> [47.250.145.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243979; rev:1;) alert tcp $HOME_NET any -> [138.201.10.112] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243978/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecpusql.php"; depth:16; nocase; http.host; content:"058493cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243977; rev:1;) alert tcp $HOME_NET any -> [35.197.194.79] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243976; rev:1;) alert tcp $HOME_NET any -> [35.195.225.207] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243975; rev:1;) alert tcp $HOME_NET any -> [220.158.216.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243974; rev:1;) alert tcp $HOME_NET any -> [35.228.165.245] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243973; rev:1;) alert tcp $HOME_NET any -> 
[34.88.169.69] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243972; rev:1;) alert tcp $HOME_NET any -> [38.60.191.190] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243971; rev:1;) alert tcp $HOME_NET any -> [93.66.153.13] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243970; rev:1;) alert tcp $HOME_NET any -> [52.91.67.138] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243969; rev:1;) alert tcp $HOME_NET any -> [49.232.250.192] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243968/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243968; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243967/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243967; rev:1;) alert tcp $HOME_NET any -> [47.103.218.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243966/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243966; rev:1;) alert tcp $HOME_NET any -> [3.146.206.189] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243965/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243965; rev:1;) alert tcp $HOME_NET any -> [121.43.58.124] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243964/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243964; rev:1;) alert tcp $HOME_NET any -> [38.180.105.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243963; rev:1;) alert tcp $HOME_NET any -> [111.231.140.197] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243962/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243962; rev:1;) alert tcp $HOME_NET any -> [38.47.123.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243961; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243960/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243960; rev:1;) alert tcp $HOME_NET any -> [107.191.53.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243959; rev:1;) alert tcp $HOME_NET any -> [47.96.174.24] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243958; rev:1;) alert tcp $HOME_NET any -> [49.233.44.237] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243957/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243957; rev:1;) alert tcp $HOME_NET any -> [80.85.154.37] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; 
sid:91243956; rev:1;) alert tcp $HOME_NET any -> [49.233.44.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243955; rev:1;) alert tcp $HOME_NET any -> [94.156.64.143] 9821 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/topipe3process/javascripttemporarytrackcdn/universaldb1process/uploadslocalcpu/windows/externalvmproviderline/linux/10sql/1authvoiddb/updatetraffic/pipe/generatorflowersql/trafficgamevideo/tracklocal3http/authpublicupdatewindows/geocpudatalifejs/geo/poll_cpuvm/cpuprocessordefaultdblinuxgeneratordownloadstemporary.php"; depth:319; nocase; http.host; content:"80.78.243.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243953; rev:1;) alert tcp $HOME_NET any -> [46.23.108.249] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243946; rev:1;) alert tcp $HOME_NET any -> [45.125.66.102] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243949; rev:1;) alert tcp $HOME_NET any -> [46.23.108.250] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243947; rev:1;) alert tcp $HOME_NET any -> [46.23.108.251] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243948; rev:1;) alert tcp $HOME_NET any -> [45.125.66.100] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"112.252.202.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jdkgradle.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243944; rev:1;) alert tcp $HOME_NET any -> [84.54.51.142] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243943; rev:1;) alert tcp $HOME_NET any -> [107.148.1.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.148.1.128"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"43.134.23.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243938; rev:1;) alert tcp $HOME_NET any -> [135.181.241.148] 49113 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243907; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12125 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243908; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12125 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check.php"; depth:10; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bebrik.php"; depth:11; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243912; rev:1;) alert tcp $HOME_NET any -> [5.42.65.20] 80 (msg:"ThreatFox 
Phonk botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzdinzu5njjkztnm/"; depth:18; nocase; http.host; content:"185.198.69.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243920; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243923; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243924; rev:1;) alert tcp $HOME_NET any -> [62.109.6.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243937; rev:1;) alert tcp $HOME_NET any -> [91.240.84.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243936; rev:1;) alert tcp $HOME_NET any -> [92.246.139.121] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243935; rev:1;) alert tcp $HOME_NET any -> [198.46.226.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243934; rev:1;) alert tcp $HOME_NET any -> [147.45.47.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243933; rev:1;) alert tcp $HOME_NET any -> [91.202.233.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243932; rev:1;) alert tcp $HOME_NET any -> [103.61.225.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243931; rev:1;) alert tcp $HOME_NET any -> [104.238.60.87] 5995 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243930; rev:1;) alert tcp $HOME_NET any -> [142.129.135.121] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243929; rev:1;) alert tcp $HOME_NET any -> [34.124.224.8] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"125.46.203.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pushkinorigin.ydns.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wiz/inc/1d7c50187af637.php"; depth:27; nocase; http.host; content:"pushkinorigin.ydns.eu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243925; rev:1;) alert tcp $HOME_NET any -> [154.27.70.229] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9625229d.php"; depth:13; nocase; http.host; content:"a0925146.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab3a3bb6.php"; depth:13; nocase; http.host; content:"a0922245.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243919; rev:1;) alert tcp $HOME_NET any -> [170.130.55.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"realzoogroup.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realzoogroup.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243917; rev:1;) alert tcp $HOME_NET any -> [88.214.25.254] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243914; rev:1;) alert tcp $HOME_NET any -> [104.167.221.222] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243906/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243906; rev:1;) alert tcp 
$HOME_NET any -> [51.250.20.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243905; rev:1;) alert tcp $HOME_NET any -> [31.190.68.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243904; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 5432 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243903; rev:1;) alert tcp $HOME_NET any -> [45.55.128.82] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243902; rev:1;) alert tcp $HOME_NET any -> [218.28.172.4] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243901; rev:1;) alert tcp $HOME_NET any -> [91.92.253.185] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243900/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metis-info.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"who.juniorfoxy.ooo"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juniorfoxy.ooo"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ravec2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"what.ravec2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heihuo8.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botce.heihuo8.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243893; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10202 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 49833 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243888/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243888; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42754 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243889; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 43778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243890/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243890; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 41730 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243891; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 41735 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"remasterprodelherskjs.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1243881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cayennesxque.boo"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1243882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"porsherses.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1243883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243883; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remasterprodelherskjs.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cayennesxque.boo"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porsherses.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243886; rev:1;) alert tcp $HOME_NET any -> [89.117.23.25] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243823; rev:1;) alert tcp $HOME_NET any -> [198.46.176.140] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243835; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1243821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovalasgo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243822; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243819; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243817; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243818; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 17526 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243815/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; 
classtype:trojan-activity; sid:91243815; rev:1;) alert tcp $HOME_NET any -> [198.27.120.241] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243607/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243607; rev:1;) alert tcp $HOME_NET any -> [144.172.73.36] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243610; rev:1;) alert tcp $HOME_NET any -> [91.92.252.32] 2112 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243609; rev:1;) alert tcp $HOME_NET any -> [198.46.203.232] 8723 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243836; rev:1;) alert tcp $HOME_NET any -> [91.92.254.23] 5656 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243837; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243844; rev:1;) alert tcp $HOME_NET any -> [91.92.253.177] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243838; rev:1;) alert tcp $HOME_NET any -> [91.92.242.8] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243839; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243845; rev:1;) alert tcp $HOME_NET any -> [94.156.8.80] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243846; rev:1;) alert tcp $HOME_NET any -> [136.243.156.120] 53252 (msg:"ThreatFox unidentified_001 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243855; rev:1;) alert tcp $HOME_NET any -> [210.117.212.93] 4242 (msg:"ThreatFox unidentified_001 botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tempdownloads.php"; depth:18; nocase; http.host; content:"007017cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.71.130.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243877/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"159.223.220.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243873; rev:1;) alert tcp $HOME_NET any -> [18.116.36.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"18.116.36.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"111.231.146.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerh.azureedge.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243868; rev:1;) alert tcp $HOME_NET any -> [159.89.187.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"aerh.azureedge.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.92.146.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.11.61.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; 
content:"185.11.61.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.181.70.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243861; rev:1;) alert tcp $HOME_NET any -> [38.181.70.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.134.221.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243859; rev:1;) alert tcp $HOME_NET any -> [101.34.83.35] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.34.83.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243857; rev:1;) alert tcp $HOME_NET any -> [186.195.175.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243854; rev:1;) alert tcp $HOME_NET any -> [47.96.143.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243853; rev:1;) alert tcp $HOME_NET any -> [124.168.78.165] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243852; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243851; rev:1;) alert tcp $HOME_NET any -> [159.203.25.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dingo"; depth:6; nocase; http.host; content:"159.203.25.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.shelter-paws.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.shelter-paws.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243847; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243843; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243841; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243842; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243840; rev:1;) alert tcp $HOME_NET any -> [45.144.166.168] 1234 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243834; rev:1;) alert tcp $HOME_NET any -> [45.77.72.150] 13917 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243833; rev:1;) alert tcp $HOME_NET any -> [43.245.199.191] 
10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243832; rev:1;) alert tcp $HOME_NET any -> [138.2.37.89] 36541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243831; rev:1;) alert tcp $HOME_NET any -> [81.161.238.67] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243830; rev:1;) alert tcp $HOME_NET any -> [134.209.106.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243829; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 666 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243828; rev:1;) alert tcp $HOME_NET any -> [82.146.45.177] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243827/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243827; rev:1;) alert tcp $HOME_NET any -> [185.142.238.152] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243826; rev:1;) alert tcp $HOME_NET any -> [94.131.106.24] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243825; rev:1;) alert tcp $HOME_NET any -> [45.137.22.243] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calculate/in/s94apdy8m"; depth:23; nocase; http.host; content:"47.94.138.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0922009.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243816/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243816; rev:1;) alert tcp $HOME_NET any -> [52.57.248.145] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243814; rev:1;) alert tcp $HOME_NET any -> [34.246.235.101] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243813; rev:1;) alert tcp $HOME_NET any -> [185.84.162.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243812; rev:1;) alert tcp $HOME_NET any -> [185.45.195.223] 44133 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243811; rev:1;) alert tcp $HOME_NET any -> [20.161.143.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243809; rev:1;) alert tcp $HOME_NET any -> [20.53.122.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243810; rev:1;) alert tcp $HOME_NET any -> [40.124.178.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243808; rev:1;) alert tcp $HOME_NET any -> [3.230.227.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243807; rev:1;) alert tcp $HOME_NET any -> [172.166.109.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243806; rev:1;) alert tcp $HOME_NET any -> [20.246.36.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243804; rev:1;) alert tcp $HOME_NET any -> [148.135.18.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243805/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_01; classtype:trojan-activity; sid:91243805; rev:1;) alert tcp $HOME_NET any -> [88.92.248.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243803; rev:1;) alert tcp $HOME_NET any -> [203.150.107.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243802; rev:1;) alert tcp $HOME_NET any -> [20.96.214.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243801; rev:1;) alert tcp $HOME_NET any -> [47.101.199.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243800; rev:1;) alert tcp $HOME_NET any -> [23.102.177.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243799; rev:1;) alert tcp $HOME_NET any -> [13.246.74.195] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243798; rev:1;) alert tcp $HOME_NET any -> [159.65.154.173] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243797; rev:1;) alert tcp $HOME_NET any -> [64.23.192.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243796; rev:1;) alert tcp $HOME_NET any -> [52.21.238.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243795; rev:1;) alert tcp $HOME_NET any -> [3.248.97.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243793; rev:1;) alert tcp $HOME_NET any -> [4.195.13.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; 
sid:91243794; rev:1;) alert tcp $HOME_NET any -> [209.126.11.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243792; rev:1;) alert tcp $HOME_NET any -> [52.230.156.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243791; rev:1;) alert tcp $HOME_NET any -> [141.95.103.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243790; rev:1;) alert tcp $HOME_NET any -> [3.17.238.239] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243789; rev:1;) alert tcp $HOME_NET any -> [172.105.90.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243788; rev:1;) alert tcp $HOME_NET any -> [35.91.72.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243787; rev:1;) alert tcp $HOME_NET any -> [164.90.225.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243786; rev:1;) alert tcp $HOME_NET any -> [139.224.226.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243785; rev:1;) alert tcp $HOME_NET any -> [46.101.67.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243784; rev:1;) alert tcp $HOME_NET any -> [143.198.142.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243783; rev:1;) alert tcp $HOME_NET any -> [185.67.144.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243782; rev:1;) alert tcp 
$HOME_NET any -> [172.166.104.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243781; rev:1;) alert tcp $HOME_NET any -> [79.136.1.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243780; rev:1;) alert tcp $HOME_NET any -> [148.251.70.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243779; rev:1;) alert tcp $HOME_NET any -> [34.16.179.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243778; rev:1;) alert tcp $HOME_NET any -> [52.91.198.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243777; rev:1;) alert tcp $HOME_NET any -> [20.197.1.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"louiseanderson.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.afld.afld.email"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mehdi.fargan.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243773; rev:1;) alert tcp $HOME_NET any -> [120.27.130.110] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243772; rev:1;) alert tcp $HOME_NET any -> [38.6.217.139] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243771; 
rev:1;) alert tcp $HOME_NET any -> [124.223.60.44] 59988 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243770; rev:1;) alert tcp $HOME_NET any -> [209.141.35.155] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.telefonemusk.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.55.253.216.95.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243767; rev:1;) alert tcp $HOME_NET any -> [94.156.65.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243766; rev:1;) alert tcp $HOME_NET any -> [94.156.65.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243765; rev:1;) alert tcp $HOME_NET any -> [144.172.73.36] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243764; rev:1;) alert tcp $HOME_NET any -> [137.175.17.137] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243763; rev:1;) alert tcp $HOME_NET any -> [194.116.216.83] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243761; rev:1;) alert tcp $HOME_NET any -> [194.48.250.11] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsdjkhfkjsdhfkjdhfgg.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; 
sid:91243760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dqspduqsfjksdfhgjks.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-234-189-192.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.onceuponatimeiwent.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89-73-53-34.dynamic.chello.pl"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243756; rev:1;) alert tcp $HOME_NET any -> [89.73.53.34] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243755; rev:1;) alert tcp $HOME_NET any -> [158.255.74.150] 7443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243754; rev:1;) alert tcp $HOME_NET any -> [94.156.69.44] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243753; rev:1;) alert tcp $HOME_NET any -> [94.156.69.44] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243752; rev:1;) alert tcp $HOME_NET any -> [20.0.153.70] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243751; rev:1;) alert tcp $HOME_NET any -> [103.215.124.119] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243750; rev:1;) alert tcp $HOME_NET any -> [111.90.145.26] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243748; rev:1;) alert tcp $HOME_NET any -> [103.215.124.60] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243749; rev:1;) alert tcp $HOME_NET any -> [188.119.112.64] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243747; rev:1;) alert tcp $HOME_NET any -> [94.156.8.224] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243746; rev:1;) alert tcp $HOME_NET any -> [103.155.214.134] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243745; rev:1;) alert tcp $HOME_NET any -> [181.215.4.52] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcrn.sk"; depth:7; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1243743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test-control.rnb-team.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"211.20.97.83.ro.ovo.sc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243742; rev:1;) alert tcp $HOME_NET any -> [195.214.254.161] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243740; rev:1;) alert tcp $HOME_NET any -> [181.161.15.137] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243738; rev:1;) alert tcp $HOME_NET any -> [51.178.185.143] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243739; rev:1;) 
# --- Reviewer notes on the rule shapes used in this feed ----------------------
# Domain rules: `dns_query; content:"<name>"; depth:<len(name)>; isdataat:!1,relative;
#   nocase` anchors the name at offset 0 of the query-name buffer and requires the
#   buffer to end right after it, so only an exact (case-insensitive) match of the
#   full QNAME fires. A query for "www.<name>" or any other sub-label does NOT
#   trigger these rules; the direction is client query from $HOME_NET outward.
# ip:port rules: there is no flow: keyword, so any TCP segment from $HOME_NET to the
#   listed IP:port matches (a bare SYN included, whether or not the connection
#   completes); `threshold: type limit, track by_src, seconds 60, count 1` then caps
#   output at one alert per internal source per sid per minute. The destination is a
#   bare IP with no TLS/HTTP condition, so if the address is shared hosting or gets
#   reassigned the rule fires on unrelated traffic. Check the reference: URL (the
#   ThreatFox IOC page) before promoting any of these from alert to drop/reject.
# target:src_ip marks the $HOME_NET side as the victim in the alert metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coinprime.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas3.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243736; rev:1;)
# "Unknown malware" on 443 with no TLS keyword: any packet to this IP:443 matches.
alert tcp $HOME_NET any -> [109.116.212.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243734; rev:1;)
# The name below looks like a provider-assigned, reverse-DNS style hostname that
# encodes an address (presumably 51.81.90.181 - confirm on the IOC page). It only
# fires if the implant resolves this exact name; a connection straight to the IP is
# not covered, and no ip:port rule for that address appears alongside it here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip181.ip-51-81-90.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243733; rev:1;)
alert tcp $HOME_NET any -> [93.148.180.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243732; rev:1;)
# AsyncRAT entries: 7707, 8808 and 6606 are the listener ports commonly documented
# for this family, consistent with the labels; the matches are still on IP:port
# only, with no payload condition.
alert tcp $HOME_NET any -> [51.195.231.121] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243731; rev:1;)
alert tcp $HOME_NET any -> [185.174.101.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243729; rev:1;)
alert tcp $HOME_NET any -> [172.111.148.11] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243730; rev:1;)
# 216.250.255.99, 51.89.109.154 and 147.124.217.110 each appear twice below on two
# different ports, one sid per port; a single host contacting both ports raises two
# distinct sids (the per-sid threshold does not merge them).
alert tcp $HOME_NET any -> [216.250.255.99] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243728; rev:1;)
alert tcp $HOME_NET any -> [216.250.255.99] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243727; rev:1;)
alert tcp $HOME_NET any -> [38.180.30.53] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243726; rev:1;)
alert tcp $HOME_NET any -> [51.89.109.154] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243724; rev:1;)
alert tcp $HOME_NET any -> [51.89.109.154] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243725; rev:1;)
alert tcp $HOME_NET any -> [147.124.217.110] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243723; rev:1;)
alert tcp $HOME_NET any -> [147.124.217.110] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243722; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.152] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243721; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.134] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243720/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243720; rev:1;) alert tcp $HOME_NET any -> [142.11.201.125] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243718; rev:1;) alert tcp $HOME_NET any -> [94.156.69.174] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243719; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243717; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243716; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243715; rev:1;) alert tcp $HOME_NET any -> [94.156.69.251] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243714; rev:1;) alert tcp $HOME_NET any -> [193.124.205.80] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243712; rev:1;) alert tcp $HOME_NET any -> [188.126.90.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243713; rev:1;) alert tcp $HOME_NET any -> [128.90.122.163] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243711; rev:1;) alert tcp $HOME_NET any -> [192.159.99.54] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243710; rev:1;) alert tcp $HOME_NET any -> [172.245.134.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; 
sid:91243709; rev:1;) alert tcp $HOME_NET any -> [38.55.204.19] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243708/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243708; rev:1;) alert tcp $HOME_NET any -> [78.89.158.155] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243707/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243707; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243705/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243705; rev:1;) alert tcp $HOME_NET any -> [45.10.246.27] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243706/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243706; rev:1;) alert tcp $HOME_NET any -> [121.43.52.194] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243704/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243704; rev:1;) alert tcp $HOME_NET any -> [104.40.132.124] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243703/; 
target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243703; rev:1;) alert tcp $HOME_NET any -> [137.184.114.2] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243702/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243702; rev:1;) alert tcp $HOME_NET any -> [195.201.223.219] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243701/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243701; rev:1;) alert tcp $HOME_NET any -> [105.100.30.87] 1001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243700; rev:1;) alert tcp $HOME_NET any -> [149.28.155.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243699; rev:1;) alert tcp $HOME_NET any -> [176.32.38.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243698; rev:1;) alert tcp $HOME_NET any -> [185.81.68.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243696; rev:1;) alert tcp $HOME_NET any -> [47.109.149.105] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243697; rev:1;) alert tcp $HOME_NET any -> [185.81.68.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243695; rev:1;) alert tcp $HOME_NET any -> [185.81.68.249] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243694; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243692; rev:1;) alert tcp $HOME_NET any -> [43.134.20.68] 9520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243693; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243691; rev:1;) alert tcp $HOME_NET any -> [47.98.232.222] 22311 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243690; rev:1;) alert tcp $HOME_NET any -> [119.91.209.244] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243689; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243687; rev:1;) alert tcp $HOME_NET any -> [94.156.67.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243688; rev:1;) alert tcp $HOME_NET any -> [43.140.250.89] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243686; rev:1;) alert tcp $HOME_NET any -> [43.140.250.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243685; rev:1;) alert tcp $HOME_NET any -> [182.149.199.249] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243684; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243683; rev:1;) alert tcp $HOME_NET any -> [114.116.18.42] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243681; rev:1;) alert tcp $HOME_NET any -> [43.139.122.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243682; rev:1;) alert tcp 
$HOME_NET any -> [123.57.186.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243680; rev:1;) alert tcp $HOME_NET any -> [124.71.9.23] 8500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243679; rev:1;) alert tcp $HOME_NET any -> [111.231.74.147] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243678; rev:1;) alert tcp $HOME_NET any -> [121.36.77.90] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243677; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243676; rev:1;) alert tcp $HOME_NET any -> [138.201.132.254] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243675; rev:1;) alert tcp $HOME_NET any -> [185.204.0.115] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243674; rev:1;) alert tcp $HOME_NET any -> [154.3.1.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243673; rev:1;) alert tcp $HOME_NET any -> [111.229.213.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243672; rev:1;) alert tcp $HOME_NET any -> [60.204.151.115] 3214 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243670; rev:1;) alert tcp $HOME_NET any -> [8.130.95.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243671; rev:1;) alert tcp $HOME_NET any -> [175.27.162.205] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243669; rev:1;) alert tcp $HOME_NET any -> [39.107.89.22] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243668; rev:1;) alert tcp $HOME_NET any -> [39.105.204.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebula-cdn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243666; rev:1;) alert tcp $HOME_NET any -> [123.56.251.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243665; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243663; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243664; rev:1;) alert tcp $HOME_NET any -> [39.109.127.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243662; rev:1;) alert tcp $HOME_NET any -> [159.75.104.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243661; rev:1;) alert tcp $HOME_NET any -> [47.98.120.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243659; rev:1;) alert tcp $HOME_NET any -> [117.72.46.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243660; rev:1;) alert tcp $HOME_NET any -> [47.245.122.5] 2052 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243658; rev:1;) alert tcp $HOME_NET any -> [119.91.214.99] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243657; rev:1;) alert tcp $HOME_NET any -> [8.134.221.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243655; rev:1;) alert tcp $HOME_NET any -> [119.91.214.99] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243656; rev:1;) alert tcp $HOME_NET any -> [172.105.37.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243654; rev:1;) alert tcp $HOME_NET any -> [103.243.212.108] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243653/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243653; rev:1;) alert tcp $HOME_NET any -> [8.217.186.171] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odoo.tendadaalma.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243652; rev:1;) alert tcp $HOME_NET any -> [141.98.81.98] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243650; rev:1;) alert tcp $HOME_NET any -> [74.235.140.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243649; rev:1;) alert tcp $HOME_NET any -> [118.89.124.242] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.distracted-cannon.104-168-102-175.plesk.page"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-cerf.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hungry-dijkstra.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.adoring-hellman.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243645; rev:1;) alert tcp $HOME_NET any -> [120.79.44.225] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"ec2-18-116-36-101.us-east-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243641; rev:1;)
#
# ---- Review notes for the 2024_03_01 batch below (feed generated 2024-04-26) ----
# * ip:port rules ("alert tcp $HOME_NET any -> [ip] port") have no flow: or content: keyword, so a
#   single packet from $HOME_NET towards that ip:port is enough to alert (a bare SYN included). The
#   threshold (type limit, track by_src, count 1, seconds 60) caps this at one alert per source IP
#   per sid per minute. Read a hit as "an internal host tried to reach a listed C2", not as a
#   confirmed session, and confirm with flow/TLS logs before blocking.
# * target:src_ip marks the $HOME_NET side as the affected host in the alert, which is what you
#   want for triage; for the dns rules this is the host that *sent the query to the internet*. If
#   your resolvers sit inside $HOME_NET, the client->resolver lookup is HOME->HOME and does not
#   match "$HOME_NET any -> $EXTERNAL_NET any"; only the resolver's upstream query does, so the
#   alert attributes to the resolver and you need resolver query logs to find the real client.
# * dns rules anchor the query name at both ends (depth:N on an N-byte content plus
#   isdataat:!1,relative), so only the exact name matches: neither a parent domain nor another
#   sub-label. Where ThreatFox lists both forms there are separate rules, e.g.
#   friendly-dirac.104-168-102-175.plesk.page (sid 91243634) and its www. variant (sid 91243640).
# * url rules need http.method GET, an exact http.host (isdataat:!1,relative sits on the host
#   match) and a URI *prefix* (depth:N on http.uri with no end anchor): "/updates" also matches
#   "/updates?x=1" or "/updates/x", and the "/" rules (sids 91243563, 91243562) match every GET to
#   that host. They see cleartext HTTP only; for hosts that also carry a 443 ip:port rule (e.g.
#   88.198.112.251, sids 91243562/91243560) the ip:port rule is the one that will fire on TLS.
# * Several indicators live on shared, cloud or dynamic-DNS infrastructure
#   (ec2-*.compute.amazonaws.com, *.104-168-102-175.plesk.page, *.azureedge.net,
#   *.000webhostapp.com, *.xsph.ru, *.dynuddns.net). Such names and addresses are re-assigned
#   quickly, and this batch is ~8 weeks old relative to the feed date; check the
#   threatfox.abuse.ch/ioc/<id>/ reference before promoting any of these from alert to block.
# * confidence_level is carried in metadata (50 / 75 / 100 in this batch; the 50 entries are
#   largely "Unknown malware", QakBot, Pikabot, DCRat, Havoc, BianLian and pupy). Tune the
#   lower-confidence subset separately, e.g. via a metadata match in suricata-update's
#   enable/disable configuration, rather than by editing sids here.
# * The short-URI rules whose hosts also appear in Cobalt Strike ip:port rules in this batch
#   (111.229.198.177 "/ptj", 18.192.209.34 "/accelerate/...", 118.89.124.242 "/visit.js",
#   "/g.pixel", "/dpixel", 47.92.171.109 "/push") are presumably Cobalt Strike beacon check-ins;
#   the similar "/__utm.gif", "/j.ad", "/match", "/cx", "/cs", "/pixel", "/nv", "/en_us/all.js"
#   rules resemble default Malleable-C2 profile paths but the feed does not label them - verify
#   against the IOC reference before assuming the family.
# ----
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.confident-bouman.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243642; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.friendly-dirac.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fra-col.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"optimistic-rubin.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-torvalds.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-75-210-134.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vigilant-kare.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friendly-dirac.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243634; rev:1;)
alert tcp $HOME_NET any -> [5.35.99.203] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243633; rev:1;)
alert tcp $HOME_NET any -> [193.176.79.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243632; rev:1;)
alert tcp $HOME_NET any -> [80.253.246.232] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243631; rev:1;)
alert tcp $HOME_NET any -> [217.197.107.145] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243630; rev:1;)
alert tcp $HOME_NET any -> [65.20.69.208] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243629; rev:1;)
alert tcp $HOME_NET any -> [180.140.129.152] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243628; rev:1;)
alert tcp $HOME_NET any -> [193.92.248.35] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243627; rev:1;)
alert tcp $HOME_NET any -> [167.56.207.87] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243626; rev:1;)
alert tcp $HOME_NET any -> [176.44.108.225] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243625; rev:1;)
alert tcp $HOME_NET any -> [185.174.8.138] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243624; rev:1;)
alert tcp $HOME_NET any -> [200.234.235.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243623; rev:1;)
alert tcp $HOME_NET any -> [185.225.70.160] 27311 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243622; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.113] 40484 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243621; rev:1;)
alert tcp $HOME_NET any -> [64.74.160.238] 3306 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243620; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 49553 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243619; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.156] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243618; rev:1;)
alert tcp $HOME_NET any -> [2.58.85.145] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243617; rev:1;)
alert tcp $HOME_NET any -> [194.87.252.184] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpserver0windows/wppublicjs/proton_vmpacket/generator8wpbase/external_/_wplow8/universalflower/3/line62/7publicpacket/geocpuupdatedefaultasyncpublicprivateuploadsdownloads.php"; depth:178; nocase; http.host; content:"176.124.192.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243615; rev:1;)
alert tcp $HOME_NET any -> [185.161.208.123] 8763 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9cf11b76.php"; depth:13; nocase; http.host; content:"pipikaka-ggg.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243613; rev:1;)
alert tcp $HOME_NET any -> [162.19.208.109] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243612; rev:1;)
alert tcp $HOME_NET any -> [94.131.11.34] 10006 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243611; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.81] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243608; rev:1;)
alert tcp $HOME_NET any -> [42.237.25.52] 7899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/errorpage/catzx.scr"; depth:20; nocase; http.host; content:"universalmovies.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollsql.php"; depth:12; nocase; http.host; content:"185.130.46.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0924648.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243603; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.104] 655 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243582; rev:1;)
alert tcp $HOME_NET any -> [103.173.255.143] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"srophuchung.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243601; rev:1;)
alert tcp $HOME_NET any -> [43.249.193.230] 8712 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.qqweixinzhuce.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243599; rev:1;)
# NOTE(review): sid 91243597 and sid 91243594 below are byte-identical (GET "/updates" prefix, host
# 8.222.150.46) and differ only in their IOC reference id; both fire on the same request. If the
# double alert is a problem, disable one of them rather than editing either - but keep the second
# reference id in your notes, as it may point at a separate ThreatFox submission.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"8.222.150.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.229.198.177"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243595; rev:1;)
alert tcp $HOME_NET any -> [111.229.198.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"8.222.150.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.27.131.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243592; rev:1;)
alert tcp $HOME_NET any -> [107.151.246.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cs"; depth:3; nocase; http.host; content:"www.micshcnds.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243589; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micshcnds.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243588; rev:1;)
alert tcp $HOME_NET any -> [18.192.209.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/v3.33/1f7jw12fqr2v"; depth:30; nocase; http.host; content:"18.192.209.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.qqweixinzhuce.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243585; rev:1;)
alert tcp $HOME_NET any -> [139.64.172.17] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"43.134.183.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.199.180.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243573; rev:1;)
alert tcp $HOME_NET any -> [118.89.124.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/facvicon.jpg"; depth:19; nocase; http.host; content:"117.50.47.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243570; rev:1;)
alert tcp $HOME_NET any -> [143.244.186.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn043sc.azureedge.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms-settings-proximity"; depth:22; nocase; http.host; content:"cdn043sc.azureedge.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nv"; depth:3; nocase; http.host; content:"45.148.120.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243566; rev:1;)
alert tcp $HOME_NET any -> [47.92.171.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.92.171.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243564; rev:1;)
# NOTE(review): the two "/" rules below anchor only the first byte of http.uri, so they match every
# cleartext GET to the named host. Their sibling ip:port rules (sids 91243560 / 91243561) cover the
# 443 and 5432 listeners, where the http rules cannot see the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.112.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243562; rev:1;)
alert tcp $HOME_NET any -> [88.198.112.251] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243560; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.14] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243508; rev:1;)
alert tcp $HOME_NET any -> [45.142.182.90] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243509/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"varinspector.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243515; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 18909 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"888juantriana88.dynuddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243527/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243527; rev:1;)
alert tcp $HOME_NET any -> [147.124.205.158] 9561 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243540; rev:1;)
alert tcp $HOME_NET any -> [104.194.157.55] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243559; rev:1;)
alert tcp $HOME_NET any -> [104.194.157.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243558; rev:1;)
alert tcp $HOME_NET any -> [46.226.164.60] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243557; rev:1;)
alert tcp $HOME_NET any -> [65.20.73.169] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243556; rev:1;)
alert tcp $HOME_NET any -> [45.32.31.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243555; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.11] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243554; rev:1;)
alert tcp $HOME_NET any -> [90.52.128.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243553; rev:1;)
alert tcp $HOME_NET any -> [173.207.111.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243552; rev:1;)
alert tcp $HOME_NET any -> [41.97.68.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243551; rev:1;)
alert tcp $HOME_NET any -> [175.13.35.124] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243550; rev:1;)
alert tcp $HOME_NET any -> [72.27.146.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243549; rev:1;)
alert tcp $HOME_NET any -> [106.75.66.128] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243548; rev:1;)
alert tcp $HOME_NET any -> [130.193.40.155] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243547/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243547; rev:1;) alert tcp $HOME_NET any -> [201.174.9.2] 3392 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243546; rev:1;) alert tcp $HOME_NET any -> [92.39.211.142] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243545; rev:1;) alert tcp $HOME_NET any -> [35.193.229.206] 60000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243544; rev:1;) alert tcp $HOME_NET any -> [170.187.200.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243543; rev:1;) alert tcp $HOME_NET any -> [37.1.208.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243542; rev:1;) alert tcp $HOME_NET any -> [103.150.208.227] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v5jh"; depth:5; nocase; http.host; content:"103.191.15.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243539; rev:1;) alert tcp $HOME_NET any -> [5.42.65.55] 5000 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243538/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243538; rev:1;) alert tcp $HOME_NET any -> [5.42.65.107] 5000 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243537/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243537; rev:1;) alert tcp $HOME_NET any -> [171.80.216.99] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243536/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243536; rev:1;) alert tcp $HOME_NET any -> [89.23.107.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243535/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243535; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243534; rev:1;) alert tcp $HOME_NET any -> [39.100.103.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30ht.com.w.kunlunpi.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"30ht.com.w.kunlunpi.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243531; rev:1;) alert tcp $HOME_NET any -> [39.108.147.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243530; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"39.108.147.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243529; rev:1;) alert tcp $HOME_NET any -> [39.100.103.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243528; rev:1;) alert tcp $HOME_NET any -> [191.89.247.6] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243526; rev:1;) alert tcp $HOME_NET any -> [46.250.238.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243524; rev:1;) alert tcp $HOME_NET any -> [192.248.159.76] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243523; rev:1;) alert tcp $HOME_NET any -> [23.95.44.73] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243522; rev:1;) alert tcp $HOME_NET any -> [39.40.163.25] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243521; rev:1;) alert tcp $HOME_NET any -> [86.225.209.225] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243520; rev:1;) alert tcp $HOME_NET any -> [206.81.31.145] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243519; rev:1;) alert tcp $HOME_NET any -> [198.13.47.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243518; rev:1;) alert tcp $HOME_NET any -> [151.236.16.11] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243517; rev:1;) alert tcp $HOME_NET any -> [128.14.226.110] 143 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0/central3cputemp/6trafficeternalgeo/dump4requestmariadb/dbexternal/cpuprotonpoll4/longpollmariadb/dlejsauthrequest/cdn/1cpubasedle/36/external9traffic/7/update/lowlocalpython/videojs_updatedefaultgeneratorwordpress.php"; depth:220; nocase; http.host; content:"193.233.255.228"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243514; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243513; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpythonhttplowupdateflowertrackwordpress.php"; depth:52; nocase; http.host; content:"147.45.197.82"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243511; rev:1;) alert tcp $HOME_NET any -> [198.44.174.170] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243510; rev:1;) alert tcp $HOME_NET any -> [18.162.156.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d9msk9dy9tbnk.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243503; rev:1;) alert tcp $HOME_NET any -> [4.158.105.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-2.8.4.min.js"; depth:20; nocase; http.host; content:"d9msk9dy9tbnk.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.170.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243499; rev:1;) alert tcp $HOME_NET any -> [18.231.151.211] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-f8oy6qld-1322248009.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-f8oy6qld-1322248009.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intl.ccb.com.w.cdngslb.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"intl.ccb.com.w.cdngslb.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"all.mbblitz.net.w.cdngslb.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; 
classtype:trojan-activity; sid:91243493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"all.mbblitz.net.w.cdngslb.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udptestsh6062.ialicdn.com.w.cdngslb.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"udptestsh6062.ialicdn.com.w.cdngslb.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"36.150.211.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"117.34.18.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"61.170.88.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243485; rev:1;) alert tcp $HOME_NET any -> [154.38.160.55] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternal3/0server/downloads/better/7linuxdle/traffic/processorto4default/external/wordpressimage/phpwp/lowuploads0/6processorsql/updateprocessortest/packetbigload.php"; depth:166; nocase; http.host; content:"188.120.229.213"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243483; rev:1;) alert tcp $HOME_NET any -> [107.175.113.194] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243482; rev:1;) alert tcp $HOME_NET any -> [162.19.25.207] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrado.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243480; rev:1;) alert tcp $HOME_NET any -> [103.77.243.215] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzfdmserv275.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzlkxadvert475.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopweb95.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"straightsboycott.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1243313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ventafones.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wprogs.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yan0212.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yan0212.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zl0yy.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; 
sid:91243318; rev:1;) alert tcp $HOME_NET any -> [138.201.196.90] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243319; rev:1;) alert tcp $HOME_NET any -> [153.92.222.162] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243320; rev:1;) alert tcp $HOME_NET any -> [185.236.232.20] 445 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243321; rev:1;) alert tcp $HOME_NET any -> [185.73.124.42] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243322; rev:1;) alert tcp $HOME_NET any -> [192.53.123.202] 8080 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243323; rev:1;) alert tcp $HOME_NET any -> [45.15.159.28] 8080 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243325; rev:1;) alert tcp $HOME_NET any -> [45.63.66.10] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243326; rev:1;) alert tcp $HOME_NET any -> [64.176.214.51] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243327; rev:1;) alert tcp $HOME_NET any -> [45.147.231.86] 4254 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243324; rev:1;) alert tcp $HOME_NET any -> [69.10.60.115] 4018 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243328; rev:1;) alert tcp $HOME_NET any -> [80.85.84.79] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243329; rev:1;) alert tcp $HOME_NET any -> [89.187.184.206] 4299 (msg:"ThreatFox SystemBC botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243330; rev:1;) alert tcp $HOME_NET any -> [94.198.51.247] 4337 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243332; rev:1;) alert tcp $HOME_NET any -> [94.156.69.109] 4372 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243331; rev:1;) alert tcp $HOME_NET any -> [94.198.55.181] 4337 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243333; rev:1;) alert tcp $HOME_NET any -> [82.153.138.25] 13338 (msg:"ThreatFox xmrig payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243429; rev:1;) alert tcp $HOME_NET any -> [15.204.223.194] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; 
classtype:trojan-activity; sid:91243443; rev:1;) alert tcp $HOME_NET any -> [79.228.201.177] 666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi4mgfhzji2mmm5/"; depth:18; nocase; http.host; content:"karmelinanoonethousandbaby.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243445; rev:1;) alert tcp $HOME_NET any -> [147.45.197.186] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mainnetwork.sysromeu.eu.org"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1243476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.11.93.150"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1243477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; 
sid:91243477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leadsoftware.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advertsp74.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gam0ver.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkk.collection.aixpirts.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collection.aixpirts.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"visitclouds.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243253; rev:1;) alert tcp $HOME_NET any -> [185.172.129.234] 34244 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243474; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923143.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243472; rev:1;) alert tcp $HOME_NET any -> [46.226.164.18] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243471; rev:1;) alert tcp $HOME_NET any -> [106.75.66.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1243470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243470; rev:1;) alert tcp $HOME_NET any -> [139.9.65.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243469; rev:1;) alert tcp $HOME_NET any -> [50.35.137.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243468; rev:1;) alert tcp $HOME_NET any -> [24.177.42.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0922949.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243466; rev:1;) alert tcp $HOME_NET any -> [173.249.27.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; 
classtype:trojan-activity; sid:91243465; rev:1;) alert tcp $HOME_NET any -> [43.138.70.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243464; rev:1;) alert tcp $HOME_NET any -> [94.156.67.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243463; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243462; rev:1;) alert tcp $HOME_NET any -> [70.31.125.177] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243461; rev:1;) alert tcp $HOME_NET any -> [41.96.34.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243460; rev:1;) alert tcp $HOME_NET any -> [43.139.235.226] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243459; rev:1;) alert tcp $HOME_NET any -> [139.196.191.50] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243458/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243458; rev:1;) alert tcp $HOME_NET any -> [8.218.157.182] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243457/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243457; rev:1;) alert tcp $HOME_NET any -> [193.233.132.48] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243456/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243456; rev:1;) alert tcp $HOME_NET any -> [193.233.132.10] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243455; rev:1;) alert tcp $HOME_NET any -> [41.216.183.184] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243454; rev:1;) alert tcp $HOME_NET any -> [5.75.211.82] 80 (msg:"ThreatFox 
Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243453; rev:1;) alert tcp $HOME_NET any -> [65.109.240.92] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243452; rev:1;) alert tcp $HOME_NET any -> [95.217.240.158] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243451; rev:1;) alert tcp $HOME_NET any -> [65.109.242.251] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243450; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243449; rev:1;) alert tcp $HOME_NET any -> [128.90.108.211] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; 
sid:91243448; rev:1;) alert tcp $HOME_NET any -> [110.41.44.130] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243447; rev:1;) alert tcp $HOME_NET any -> [103.74.172.161] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243446; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/rtrovpivygzklxemdw38"; depth:25; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243441; rev:1;) alert tcp $HOME_NET any -> [15.228.170.102] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243440; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 1111 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243439; rev:1;) alert tcp $HOME_NET any -> [83.213.157.103] 1515 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243438; rev:1;) alert tcp $HOME_NET any -> [147.45.68.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243437; rev:1;) alert tcp $HOME_NET any -> [187.213.196.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243436; rev:1;) alert tcp $HOME_NET any -> [105.102.19.215] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243435; rev:1;) alert tcp $HOME_NET any -> [45.120.106.149] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; 
classtype:trojan-activity; sid:91243434; rev:1;) alert tcp $HOME_NET any -> [5.161.64.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243433; rev:1;) alert tcp $HOME_NET any -> [45.61.138.43] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243431; rev:1;) alert tcp $HOME_NET any -> [74.81.46.139] 44085 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243428; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.110.253.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243424; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243423; rev:1;) alert tcp $HOME_NET any -> [143.110.247.233] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243422; rev:1;) alert tcp $HOME_NET any -> [123.206.115.56] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243421; rev:1;) alert tcp $HOME_NET any -> [185.43.222.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243420; rev:1;) alert tcp $HOME_NET any -> [185.43.221.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243419; rev:1;) alert tcp $HOME_NET any -> [3.65.151.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243418; rev:1;) alert tcp 
$HOME_NET any -> [172.201.219.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243417; rev:1;) alert tcp $HOME_NET any -> [213.171.15.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243416; rev:1;) alert tcp $HOME_NET any -> [124.71.205.116] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243415; rev:1;) alert tcp $HOME_NET any -> [159.138.58.51] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243414; rev:1;) alert tcp $HOME_NET any -> [170.64.213.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243413; rev:1;) alert tcp $HOME_NET any -> [123.60.185.117] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243412; rev:1;) alert tcp $HOME_NET any -> [37.251.160.104] 54043 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243411; rev:1;) alert tcp $HOME_NET any -> [124.220.97.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243410; rev:1;) alert tcp $HOME_NET any -> [135.181.16.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243409; rev:1;) alert tcp $HOME_NET any -> [34.101.73.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243407; rev:1;) alert tcp 
$HOME_NET any -> [1.117.229.230] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243406; rev:1;) alert tcp $HOME_NET any -> [49.51.68.151] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243405; rev:1;) alert tcp $HOME_NET any -> [154.201.66.219] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243404; rev:1;) alert tcp $HOME_NET any -> [150.158.137.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustabletechsupport.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfdjlgkdjfgkdfjgkml.top"; depth:23; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-230-177-18.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.inspirestudiosteam.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mg.inspirestudiosteam.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243398; rev:1;) alert tcp $HOME_NET any -> [154.8.204.75] 58082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243397; rev:1;) alert tcp $HOME_NET any -> [193.222.96.238] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243396/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243396; rev:1;) alert tcp $HOME_NET any -> [20.65.178.69] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243395; rev:1;) alert tcp $HOME_NET any -> [20.82.182.10] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243394; rev:1;) alert tcp $HOME_NET any -> [20.251.169.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243393; rev:1;) alert tcp $HOME_NET any -> [188.27.189.235] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemon.haryadi.my.id"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"cardiochallenge.at"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bignas.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-227-193-214.static.hvvc.us"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-84-126-255.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243388; rev:1;) alert tcp $HOME_NET any -> [223.155.16.116] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243386; rev:1;) alert tcp $HOME_NET any -> [5.144.177.67] 6090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243385; rev:1;) alert tcp $HOME_NET any -> [194.33.191.159] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243384; rev:1;) alert tcp $HOME_NET any -> [213.183.63.187] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243383; rev:1;) alert tcp $HOME_NET any -> [107.155.112.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptobetix.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212-70-149-199.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243380; rev:1;) alert tcp $HOME_NET any -> 
[151.81.14.228] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243378; rev:1;) alert tcp $HOME_NET any -> [216.250.255.99] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243377; rev:1;) alert tcp $HOME_NET any -> [45.134.83.165] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243376; rev:1;) alert tcp $HOME_NET any -> [191.88.250.63] 4210 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243374; rev:1;) alert tcp $HOME_NET any -> [172.111.148.61] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243375; rev:1;) alert tcp $HOME_NET any -> [128.90.113.56] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243373/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243373; rev:1;) alert tcp $HOME_NET any -> [178.73.192.17] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243372; rev:1;) alert tcp $HOME_NET any -> [206.123.132.164] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243371; rev:1;) alert tcp $HOME_NET any -> [23.227.194.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243370/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_28; classtype:trojan-activity; sid:91243370; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243369; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243368; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243366; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243367; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243365; rev:1;) alert tcp $HOME_NET any -> [105.102.242.10] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243364; rev:1;) alert tcp $HOME_NET any -> [124.156.162.162] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243363; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243361; rev:1;) alert 
tcp $HOME_NET any -> [1.14.69.16] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243362; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243360; rev:1;) alert tcp $HOME_NET any -> [23.224.176.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243359; rev:1;) alert tcp $HOME_NET any -> [120.27.131.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243357; rev:1;) alert tcp $HOME_NET any -> [218.93.206.191] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243358; rev:1;) alert tcp $HOME_NET any -> [124.222.51.98] 60081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243355; rev:1;) alert tcp $HOME_NET any -> [62.234.32.192] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243356; rev:1;) alert tcp $HOME_NET any -> [47.98.168.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243354; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243353; rev:1;) alert tcp $HOME_NET any -> [185.11.61.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243351; rev:1;) alert tcp $HOME_NET any -> [143.110.176.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243352; rev:1;) alert tcp $HOME_NET any -> [185.11.61.168] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243350; rev:1;) alert tcp $HOME_NET any -> [150.158.137.47] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243349; rev:1;) alert tcp $HOME_NET any -> [1.14.64.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243348; rev:1;) alert tcp $HOME_NET any -> [3.75.210.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243347; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243346; rev:1;) alert tcp $HOME_NET any -> [91.245.253.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243345/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rns.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distracted-cannon.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243344; rev:1;) alert tcp $HOME_NET any -> [114.116.224.74] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.practical-black.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-71-186-178.ipv4.staticdns3.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; 
classtype:trojan-activity; sid:91243340; rev:1;) alert tcp $HOME_NET any -> [52.190.15.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fairyfoxgames.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dirapushka.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-black.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-91-59-255.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243334; rev:1;) alert tcp $HOME_NET any -> [46.183.223.64] 22364 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.samfund.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243302; rev:1;) alert tcp $HOME_NET any -> [159.223.86.140] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243303; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243301; rev:1;) alert tcp $HOME_NET any -> [78.141.217.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trailcosolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.76.196.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.74.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.24.128.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243294; rev:1;) alert tcp $HOME_NET any -> [89.185.85.207] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243293; rev:1;) alert tcp $HOME_NET any -> [172.174.236.21] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243292; rev:1;) alert tcp $HOME_NET any -> [39.40.128.22] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243291; rev:1;) alert tcp $HOME_NET any -> [2.88.198.236] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243290; rev:1;) alert tcp $HOME_NET any -> [108.181.0.232] 58049 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243289; rev:1;) alert tcp $HOME_NET any -> [178.250.156.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243288; rev:1;) alert tcp $HOME_NET any -> [62.109.15.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243287; rev:1;) alert tcp $HOME_NET any -> [87.120.84.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243286; rev:1;) alert tcp $HOME_NET any -> [62.217.179.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; 
sid:91243285; rev:1;) alert tcp $HOME_NET any -> [84.201.143.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux/lineupdateprocessordefaultdleprivate.php"; depth:47; nocase; http.host; content:"89.23.98.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243283; rev:1;) alert tcp $HOME_NET any -> [124.223.215.119] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.142.184.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"175.24.130.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243265; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"159.223.220.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssjcw.com.w.kunlunpi.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ssjcw.com.w.kunlunpi.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243261; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243260/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlvc"; depth:5; nocase; http.host; content:"118.31.75.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.178"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243256; rev:1;) alert tcp $HOME_NET any -> [65.109.242.251] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243254; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243255; rev:1;) alert tcp $HOME_NET any -> [185.217.197.52] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243252; rev:1;) alert tcp $HOME_NET any -> [166.1.173.27] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nl7l"; depth:5; nocase; http.host; content:"118.31.75.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243250; rev:1;) alert tcp $HOME_NET any -> [118.31.75.32] 1145 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243248/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyndinero.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243227; rev:1;) alert tcp $HOME_NET any -> [46.246.14.67] 7771 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243226; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 8651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntbizmm4zdq2mwy2/"; depth:18; nocase; http.host; content:"185.198.69.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi5odzlngfhyznh/"; depth:18; nocase; http.host; content:"213.109.202.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243220/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243220; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 8008 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243214/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ronymahmoud.casacam.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243213; rev:1;) alert tcp $HOME_NET any -> [45.95.169.102] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brainyworkslogos.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243211; rev:1;) alert tcp $HOME_NET any -> [103.173.254.239] 42516 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"212.129.36.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"31.207.37.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243243; rev:1;) alert tcp $HOME_NET any -> [83.69.236.128] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncfunctionapi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; 
classtype:trojan-activity; sid:91243245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/layout/fd6pr1n8lq5h"; depth:24; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243244; rev:1;) alert tcp $HOME_NET any -> [185.161.248.199] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243241; rev:1;) alert tcp $HOME_NET any -> [147.135.85.114] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243240; rev:1;) alert tcp $HOME_NET any -> [46.246.6.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243239; rev:1;) alert tcp $HOME_NET any -> [37.211.19.15] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243238; rev:1;) alert tcp $HOME_NET any -> [75.164.85.121] 995 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243237; rev:1;) alert tcp $HOME_NET any -> [70.27.138.200] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243236; rev:1;) alert tcp $HOME_NET any -> [73.155.10.152] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243235; rev:1;) alert tcp $HOME_NET any -> [94.237.63.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243234; rev:1;) alert tcp $HOME_NET any -> [172.181.54.61] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243233; rev:1;) alert tcp $HOME_NET any -> [15.228.57.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; 
sid:91243232; rev:1;) alert tcp $HOME_NET any -> [23.227.194.232] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243231; rev:1;) alert tcp $HOME_NET any -> [213.226.100.35] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243230; rev:1;) alert tcp $HOME_NET any -> [147.124.208.234] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923769.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243228; rev:1;) alert tcp $HOME_NET any -> [103.198.26.210] 1902 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243225; rev:1;) alert tcp $HOME_NET any -> [155.94.211.9] 42119 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243224; rev:1;) alert tcp $HOME_NET any -> [122.52.26.100] 1818 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"pickilish.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/chunky/"; depth:19; nocase; http.host; content:"pickilish.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243216; 
rev:1;) alert tcp $HOME_NET any -> [49.234.185.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243217; rev:1;) alert tcp $HOME_NET any -> [191.88.250.63] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243215; rev:1;) alert tcp $HOME_NET any -> [65.21.101.232] 6392 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243210; rev:1;) alert tcp $HOME_NET any -> [154.246.13.166] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243209; rev:1;) alert tcp $HOME_NET any -> [103.179.188.223] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243206; rev:1;) alert tcp $HOME_NET any -> [2.57.149.235] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243205; rev:1;) alert tcp $HOME_NET any -> [91.92.240.190] 5525 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243131; rev:1;) alert tcp $HOME_NET any -> [91.92.244.84] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243132; rev:1;) alert tcp $HOME_NET any -> [94.156.71.29] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243133; rev:1;) alert tcp $HOME_NET any -> [37.221.92.112] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243134; rev:1;) alert tcp $HOME_NET any -> [94.156.71.220] 2821 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243135; rev:1;) alert tcp $HOME_NET any -> [45.86.86.176] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243136; rev:1;) alert tcp $HOME_NET any -> [94.103.188.45] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243137; rev:1;) alert tcp $HOME_NET any -> [176.123.2.50] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243138; rev:1;) alert tcp $HOME_NET any -> [94.156.8.179] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243204; rev:1;) alert tcp $HOME_NET any -> [91.92.253.46] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243130; rev:1;) alert tcp $HOME_NET any -> [94.156.71.59] 13 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243129; rev:1;) 
alert tcp $HOME_NET any -> [94.156.66.229] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243128; rev:1;) alert tcp $HOME_NET any -> [193.35.18.164] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243127; rev:1;) alert tcp $HOME_NET any -> [91.92.254.43] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243125; rev:1;) alert tcp $HOME_NET any -> [185.196.10.231] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243126; rev:1;) alert tcp $HOME_NET any -> [185.196.11.28] 51231 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243123; rev:1;) alert tcp $HOME_NET any -> [185.196.9.14] 23213 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243124/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243124; rev:1;) alert tcp $HOME_NET any -> [185.155.186.25] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243120; rev:1;) alert tcp $HOME_NET any -> [185.155.184.55] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243119; rev:1;) alert tcp $HOME_NET any -> [193.203.238.147] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243203; rev:1;) alert tcp $HOME_NET any -> [79.174.2.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243202; rev:1;) alert tcp $HOME_NET any -> [3.131.21.160] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243201; rev:1;) alert tcp $HOME_NET any -> [91.221.22.159] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243200; rev:1;) alert tcp $HOME_NET any -> [93.185.167.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243197; rev:1;) alert tcp $HOME_NET any -> [8.222.199.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243198; rev:1;) alert tcp $HOME_NET any -> [20.56.21.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243196; rev:1;) alert tcp $HOME_NET any -> [64.23.182.218] 3443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243195; rev:1;) alert tcp $HOME_NET any -> [128.199.108.110] 2087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243194/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_27; classtype:trojan-activity; sid:91243194; rev:1;) alert tcp $HOME_NET any -> [20.96.212.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243193; rev:1;) alert tcp $HOME_NET any -> [64.23.179.200] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243192; rev:1;) alert tcp $HOME_NET any -> [124.222.124.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243191; rev:1;) alert tcp $HOME_NET any -> [154.201.80.138] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243190; rev:1;) alert tcp $HOME_NET any -> [123.254.104.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243189; rev:1;) alert tcp $HOME_NET any -> [91.92.251.210] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243188; rev:1;) alert tcp $HOME_NET any -> [91.208.92.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243187; rev:1;) alert tcp $HOME_NET any -> [93.123.85.60] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243186; rev:1;) alert tcp $HOME_NET any -> [185.36.81.46] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243185; rev:1;) alert tcp $HOME_NET any -> [18.204.80.51] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asqrecruitment.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; 
sid:91243183; rev:1;) alert tcp $HOME_NET any -> [5.199.162.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243182; rev:1;) alert tcp $HOME_NET any -> [45.15.159.44] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243180; rev:1;) alert tcp $HOME_NET any -> [20.0.153.70] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243181; rev:1;) alert tcp $HOME_NET any -> [124.156.162.114] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243179; rev:1;) alert tcp $HOME_NET any -> [185.16.39.117] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243178; rev:1;) alert tcp $HOME_NET any -> [223.155.16.52] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243177; rev:1;) alert tcp $HOME_NET any -> [181.162.154.20] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243176; rev:1;) alert tcp $HOME_NET any -> [223.155.16.58] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243175; rev:1;) alert tcp $HOME_NET any -> [193.233.132.32] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cenixcrypto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243173; rev:1;) alert tcp $HOME_NET any -> [91.142.74.218] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243172; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 6666 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243170; rev:1;) alert tcp $HOME_NET any -> [51.89.109.154] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243171; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243169; rev:1;) alert tcp $HOME_NET any -> [45.134.83.165] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243168; rev:1;) alert tcp $HOME_NET any -> [46.246.84.11] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243167; rev:1;) alert tcp $HOME_NET any -> [191.88.250.63] 4208 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243166/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_27; classtype:trojan-activity; sid:91243166; rev:1;) alert tcp $HOME_NET any -> [128.90.113.242] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243165; rev:1;) alert tcp $HOME_NET any -> [85.99.80.60] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243164; rev:1;) alert tcp $HOME_NET any -> [2.58.85.145] 6004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243163; rev:1;) alert tcp $HOME_NET any -> [195.123.217.139] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243162/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243162; rev:1;) alert tcp $HOME_NET any -> [185.142.184.93] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243161/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243161; rev:1;) alert tcp $HOME_NET any -> [192.210.140.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243160/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243160; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243159/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243159; rev:1;) alert tcp $HOME_NET any -> [69.46.36.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243158/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243158; rev:1;) alert tcp $HOME_NET any -> [88.214.25.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243157/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243157; rev:1;) alert tcp $HOME_NET any -> [1.92.90.232] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243156; rev:1;) alert tcp $HOME_NET any -> [103.108.41.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243155; rev:1;) alert tcp $HOME_NET any -> [103.142.146.7] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243154; rev:1;) alert tcp $HOME_NET any -> [4.210.191.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243153; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243152; rev:1;) alert tcp $HOME_NET any -> [213.252.246.7] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243151; rev:1;) alert tcp $HOME_NET any -> [185.196.10.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243150; rev:1;) alert tcp $HOME_NET any -> [23.94.240.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243149/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243149; rev:1;) alert tcp $HOME_NET any -> [43.138.101.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243148; rev:1;) alert tcp $HOME_NET any -> [136.144.240.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243146; rev:1;) alert tcp $HOME_NET any -> [149.104.27.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243147; rev:1;) alert tcp $HOME_NET any -> [23.94.240.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243145; rev:1;) alert tcp $HOME_NET any -> [120.48.5.80] 6009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243144; rev:1;) alert tcp $HOME_NET any -> [121.196.221.250] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243142; rev:1;) alert tcp $HOME_NET any -> [103.142.146.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243143; rev:1;) alert tcp $HOME_NET any -> [103.142.146.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bh8bwt.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"was.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243139; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243117/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clarosecurity-com.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243118/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/665cf811.php"; depth:13; nocase; http.host; content:"f0924067.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243116; rev:1;) alert tcp $HOME_NET any -> [185.244.150.230] 443 (msg:"ThreatFox Dridex botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"goalmikeas.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"wedshotrag.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; 
classtype:trojan-activity; sid:91243108; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243115; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243114; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243113; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243112; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/updates.rss"; depth:12; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"141.98.81.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243109; rev:1;) alert tcp $HOME_NET any -> [70.27.138.200] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243106; rev:1;) alert tcp $HOME_NET any -> [194.26.192.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1243099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.142.90.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243094; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ku.css"; depth:7; nocase; http.host; content:"185.11.61.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/layout/fd6pr1n8lq5h"; depth:24; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1/get"; depth:7; nocase; http.host; content:"3gjanc04hk.execute-api.us-east-2.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3gjanc04hk.execute-api.us-east-2.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1243088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243088; rev:1;) alert tcp $HOME_NET any -> [47.76.78.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2.57.149.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243021/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"3istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"4istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"5istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"6istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"8istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243027; rev:1;) alert tcp $HOME_NET any -> [67.203.7.148] 2909 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243030; rev:1;) alert tcp $HOME_NET any -> [34.174.78.212] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blesblochem.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243040; rev:1;) alert tcp $HOME_NET any -> [20.218.68.91] 7690 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.bin"; depth:11; nocase; http.host; content:"43.129.239.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243084; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 8004 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243079/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243079; rev:1;) alert tcp $HOME_NET any -> [155.94.208.137] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243085; rev:1;) alert tcp $HOME_NET any -> [85.239.33.149] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.82"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243082; rev:1;) alert tcp $HOME_NET any -> [65.109.240.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; 
classtype:trojan-activity; sid:91243080; rev:1;) alert tcp $HOME_NET any -> [5.75.211.82] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243081; rev:1;) alert tcp $HOME_NET any -> [195.16.74.230] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hotzhuan.com.w.kunlunpi.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243076; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.hotzhuan.com.w.kunlunpi.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243075; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sfzd.tianxuesong.com.w.kunlunpi.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfzd.tianxuesong.com.w.kunlunpi.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ss.wfpay.xyz.w.kunlunpi.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ss.wfpay.xyz.w.kunlunpi.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cdnyychanlun.com.w.kunlunpi.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1243070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.cdnyychanlun.com.w.kunlunpi.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"767163cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243068; rev:1;) alert tcp $HOME_NET any -> [43.136.20.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243067; rev:1;) alert tcp $HOME_NET any -> [123.253.108.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243066; rev:1;) alert tcp $HOME_NET any -> [38.54.108.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243065; rev:1;) alert tcp $HOME_NET any -> [20.197.231.238] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243064; rev:1;) alert tcp $HOME_NET any -> [201.124.231.216] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243063; rev:1;) alert tcp $HOME_NET any -> [185.17.105.152] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243062; rev:1;) alert tcp $HOME_NET any -> [161.35.79.43] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243061; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243060; rev:1;) alert tcp $HOME_NET any -> [164.92.243.255] 42691 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243058; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243057; rev:1;) alert tcp $HOME_NET any -> [131.186.22.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243056; rev:1;) alert tcp $HOME_NET any -> [124.70.208.179] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243054; rev:1;) alert tcp $HOME_NET any -> [120.46.69.230] 65500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243053; rev:1;) alert tcp $HOME_NET any -> [107.172.5.67] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243052/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_02_27; classtype:trojan-activity; sid:91243052; rev:1;) alert tcp $HOME_NET any -> [124.223.200.131] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243051/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243051; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243050/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243050; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243049; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243048; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243047; rev:1;) alert tcp $HOME_NET any -> [187.135.142.198] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243046/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243046; rev:1;) alert tcp $HOME_NET any -> [187.135.142.198] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243045/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243045; rev:1;) alert tcp $HOME_NET any -> [66.225.254.138] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243043; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243044; rev:1;) alert tcp $HOME_NET any -> [103.108.41.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243042; rev:1;) alert tcp $HOME_NET any -> [185.133.40.68] 7108 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243041; rev:1;) alert tcp $HOME_NET 
any -> [182.18.90.146] 34444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243038; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cce379fc.php"; depth:13; nocase; http.host; content:"cs52256.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/checkin"; depth:8; nocase; http.host; content:"84.32.188.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243034/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_26; classtype:trojan-activity; sid:91243034; rev:1;) alert tcp $HOME_NET any -> [47.92.99.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243031; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 43389 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"825947295cm.whiteproducts.ru"; depth:28; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243028; rev:1;) alert tcp $HOME_NET any -> [149.102.235.115] 3000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonwindows.php"; depth:18; nocase; http.host; content:"597359lm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"185.195.24.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243018; rev:1;) alert tcp $HOME_NET any -> [191.88.249.121] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243017; rev:1;) alert tcp $HOME_NET any -> [2.88.117.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1243016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243016; rev:1;) alert tcp $HOME_NET any -> [94.49.209.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243015; rev:1;) alert tcp $HOME_NET any -> [78.166.15.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243014; rev:1;) alert tcp $HOME_NET any -> [31.117.7.53] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243013; rev:1;) alert tcp $HOME_NET any -> [154.247.5.62] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243012; rev:1;) alert tcp $HOME_NET any -> [143.110.250.237] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243011; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 3306 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243009; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243007; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91243005; rev:1;) alert tcp $HOME_NET any -> [204.44.127.146] 20188 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243006; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243003; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243004; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243002; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"gulfcoastcoffeeroasters.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242677/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"inc.sshadowso.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mail.garciaprints.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mail.inspirestudiosteam.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242681; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"panel.swain.ir"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"pars.northpm.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"skinsmonkey.complete.homsiknet.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"sw.sono.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"fleekbusiness.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"garciaprints.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"eloquent-germain.45-138-16-132.plesk.page"; depth:41; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"ebookza.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpcontacts.inspirestudiosteam.com"; 
depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpanel.inspirestudiosteam.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpanel.garciaprints.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"buygamingnfts.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"blazebit.bet"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242668/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_26; classtype:trojan-activity; sid:91242668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"autodiscover.inspirestudiosteam.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.177.sslip.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.150.sslip.io"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.74.228.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.42.25.sslip.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.83.sslip.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"vpnu.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"webdisk.inspirestudiosteam.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; 
depth:11; nocase; http.host; content:"webmail.inspirestudiosteam.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.ebookza.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.fleekbusiness.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.garciaprints.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.gulfcoastcoffeeroasters.com"; depth:31; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.inspirestudiosteam.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.mg.inspirestudiosteam.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.mzile.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"yes.homeshopdigital.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"yes1.homeshopdigital.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 16653 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45.138.74.228.sslip.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5.42.73.150.sslip.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.208.103.177.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242700; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.inspirestudiosteam.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.garciaprints.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.inspirestudiosteam.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inc.sshadowso.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"gulfcoastcoffeeroasters.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleekbusiness.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garciaprints.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eloquent-germain.45-138-16-132.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebookza.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.inspirestudiosteam.com"; 
depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.inspirestudiosteam.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.garciaprints.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blazebit.bet"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buygamingnfts.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.swain.ir"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242716/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pars.northpm.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skinsmonkey.complete.homsiknet.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpnu.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.inspirestudiosteam.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.inspirestudiosteam.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ebookza.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fleekbusiness.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.garciaprints.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gulfcoastcoffeeroasters.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.inspirestudiosteam.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mg.inspirestudiosteam.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mzile.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yes.homeshopdigital.site"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yes1.homeshopdigital.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.74.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.42.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; 
nocase; http.host; content:"45.138.16.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.150"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"92.246.136.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"104.21.12.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242740/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_26; classtype:trojan-activity; sid:91242740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"104.21.44.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"172.67.152.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"172.67.192.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"175.110.115.65"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"198.44.171.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242745; rev:1;) alert tcp $HOME_NET any -> [54.234.189.192] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242981; rev:1;) alert tcp $HOME_NET any -> [54.237.138.159] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242971; rev:1;) alert tcp $HOME_NET any -> [52.23.117.205] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242969; rev:1;) alert tcp $HOME_NET any -> [52.22.239.204] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242968; rev:1;) alert tcp $HOME_NET any -> [44.196.101.127] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242966; rev:1;) alert tcp $HOME_NET any -> [52.205.60.154] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242964; rev:1;) alert tcp $HOME_NET any -> [34.197.122.235] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242965; rev:1;) alert tcp $HOME_NET any -> [5.161.113.150] 25658 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242792; rev:1;) alert tcp $HOME_NET any -> [192.151.243.135] 55650 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242650; rev:1;) alert tcp $HOME_NET any -> [185.91.127.216] 5555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; 
depth:19; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4stvghabsy3dg893uhszgtyerecs44axutq5unuvsa7u8833eb.nl"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refinedruffles.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q65fpfr2wpjugu7y3ldvjjdgz8uzqak2.nl"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"pve.pezow.ovh"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242601; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242603/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnmn.espontaneo.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242604/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"route.qyhgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242605/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"multi-bidding.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wwv.bmjz.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voolkisms"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.112.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neoschats"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199644883218"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242996; rev:1;) alert tcp $HOME_NET any -> [88.198.112.251] 10050 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242994; rev:1;) alert tcp $HOME_NET any -> [95.217.240.158] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nxsisgod.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242993; rev:1;) alert tcp $HOME_NET any -> [104.129.20.167] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242989; rev:1;) alert tcp $HOME_NET any -> [103.124.104.22] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242990; rev:1;) alert tcp $HOME_NET any -> [204.44.125.68] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242991; rev:1;) alert tcp $HOME_NET any -> [66.63.188.19] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242992; rev:1;) alert tcp $HOME_NET any -> [146.19.213.36] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242982; rev:1;) alert tcp $HOME_NET any -> [89.117.2.33] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242983; rev:1;) alert tcp $HOME_NET any -> [176.123.2.146] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242984; rev:1;) alert tcp $HOME_NET any -> [89.117.1.161] 445 
(msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242985; rev:1;) alert tcp $HOME_NET any -> [89.117.2.34] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242986; rev:1;) alert tcp $HOME_NET any -> [89.117.1.160] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242987; rev:1;) alert tcp $HOME_NET any -> [103.124.104.76] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242988; rev:1;) alert tcp $HOME_NET any -> [128.199.23.68] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242962; rev:1;) alert tcp $HOME_NET any -> [20.161.150.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242961/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_26; classtype:trojan-activity; sid:91242961; rev:1;) alert tcp $HOME_NET any -> [3.28.252.232] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242960; rev:1;) alert tcp $HOME_NET any -> [167.71.231.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242958; rev:1;) alert tcp $HOME_NET any -> [139.196.100.176] 60080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242959; rev:1;) alert tcp $HOME_NET any -> [128.199.141.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242957; rev:1;) alert tcp $HOME_NET any -> [165.22.73.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242955; rev:1;) alert tcp $HOME_NET any -> [80.249.164.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242956; rev:1;) alert tcp $HOME_NET any -> [34.125.92.141] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242954; rev:1;) alert tcp $HOME_NET any -> [43.136.182.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242953; rev:1;) alert tcp $HOME_NET any -> [157.230.24.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242952; rev:1;) alert tcp $HOME_NET any -> [20.88.9.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242951; rev:1;) alert tcp $HOME_NET any -> [54.194.190.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242950; rev:1;) alert tcp $HOME_NET any -> [18.156.23.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242949; rev:1;) alert tcp $HOME_NET any -> [3.231.20.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242948; rev:1;) alert tcp $HOME_NET any -> [89.26.253.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242947; rev:1;) alert tcp $HOME_NET any -> [206.221.176.188] 10718 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242946; rev:1;) alert tcp $HOME_NET any -> [196.50.10.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242945; rev:1;) alert tcp $HOME_NET any -> [107.174.250.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242944; rev:1;) alert tcp $HOME_NET any -> [34.250.158.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242942; rev:1;) alert tcp $HOME_NET any -> [185.43.222.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242943; rev:1;) alert tcp $HOME_NET any -> [178.154.201.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242941; rev:1;) alert tcp $HOME_NET any -> [64.227.66.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242940; rev:1;) alert tcp $HOME_NET any -> [178.128.212.97] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accounts.deenpel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"port.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogs.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www3.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242935; rev:1;) alert tcp $HOME_NET any -> [103.118.41.143] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242934; rev:1;) alert tcp $HOME_NET any -> [47.109.142.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242933; rev:1;) alert tcp $HOME_NET any -> [118.89.91.229] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242932; rev:1;) alert tcp $HOME_NET any -> [123.60.16.239] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242931; rev:1;) alert tcp $HOME_NET any -> [103.118.41.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242930; rev:1;) alert tcp $HOME_NET any -> [152.42.162.0] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242928; rev:1;) alert tcp $HOME_NET any -> [117.84.36.29] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242929/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_26; classtype:trojan-activity; sid:91242929; rev:1;) alert tcp $HOME_NET any -> [18.183.219.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-16-62-149-189.eu-central-2.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nic-ns3-153548.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242925; rev:1;) alert tcp $HOME_NET any -> [91.208.92.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telligenc.rest"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242924; rev:1;) alert tcp $HOME_NET any -> [93.123.85.142] 80 
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242922; rev:1;) alert tcp $HOME_NET any -> [51.195.83.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242920; rev:1;) alert tcp $HOME_NET any -> [51.195.83.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242921; rev:1;) alert tcp $HOME_NET any -> [51.195.83.140] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhjkfgdfkhjghdfjkgjdfoigjpi.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilonyouknow.party"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.attuneiot.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-23-117-205.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-197-122-235.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-22-239-204.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maps.attuneiot.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242913/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242913; rev:1;) alert tcp $HOME_NET any -> [52.205.60.154] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242910; rev:1;) alert tcp $HOME_NET any -> [34.197.122.235] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242911; rev:1;) alert tcp $HOME_NET any -> [52.22.239.204] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242909; rev:1;) alert tcp $HOME_NET any -> [110.173.54.196] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242907; rev:1;) alert tcp $HOME_NET any -> [20.166.248.109] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242908; rev:1;) alert tcp $HOME_NET any -> [110.173.54.197] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242906; rev:1;) alert tcp $HOME_NET any -> [104.43.89.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242904; rev:1;) alert tcp $HOME_NET any -> [5.199.169.206] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242905; rev:1;) alert tcp $HOME_NET any -> [110.173.54.198] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242903; rev:1;) alert tcp $HOME_NET any -> [213.166.68.24] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242901; rev:1;) alert tcp $HOME_NET any -> [40.119.24.133] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242902; rev:1;) alert 
tcp $HOME_NET any -> [20.121.42.245] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242900; rev:1;) alert tcp $HOME_NET any -> [110.173.54.194] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242899; rev:1;) alert tcp $HOME_NET any -> [91.92.245.119] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242898; rev:1;) alert tcp $HOME_NET any -> [43.204.230.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242896; rev:1;) alert tcp $HOME_NET any -> [78.141.216.219] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.3-84-126-255.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev2.stocktok.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gbdvs.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accept.gbdvs.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gbdvs.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"time.vmupdate.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtracking.web_hassinezarrat.swp23.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242889; rev:1;) alert tcp $HOME_NET any -> [191.82.221.165] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242887; rev:1;) alert tcp $HOME_NET any -> [35.137.73.119] 22222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242888; rev:1;) alert tcp $HOME_NET any -> [181.161.4.80] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242886; rev:1;) alert tcp $HOME_NET any -> [91.134.187.25] 3336 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242885; rev:1;) alert tcp $HOME_NET any -> [191.82.215.55] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242884; rev:1;) alert tcp $HOME_NET any -> [103.253.17.111] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242883; rev:1;) alert tcp $HOME_NET any -> [94.250.252.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242882; rev:1;) alert tcp $HOME_NET any -> [20.199.42.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242881; rev:1;) alert tcp $HOME_NET any -> [86.110.194.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242880; rev:1;) alert tcp $HOME_NET any -> [209.38.188.72] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242879; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 63 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242878; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242877; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242875; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242876; rev:1;) alert tcp $HOME_NET any -> [51.77.68.50] 1231 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242874; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242873/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_26; classtype:trojan-activity; sid:91242873; rev:1;) alert tcp $HOME_NET any -> [51.161.107.68] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242872; rev:1;) alert tcp $HOME_NET any -> [193.32.162.198] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242870; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242871; rev:1;) alert tcp $HOME_NET any -> [66.94.120.244] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242869; rev:1;) alert tcp $HOME_NET any -> [45.240.136.144] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242868; rev:1;) alert tcp $HOME_NET any -> [45.138.16.228] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242866; rev:1;) alert tcp $HOME_NET any -> [142.113.120.107] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242867; rev:1;) alert tcp $HOME_NET any -> [185.117.250.169] 3393 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242865; rev:1;) alert tcp $HOME_NET any -> [203.30.9.90] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242863; rev:1;) alert tcp $HOME_NET any -> [184.147.209.221] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242864; rev:1;) alert tcp $HOME_NET any -> [187.24.4.94] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242862; rev:1;) alert tcp $HOME_NET any -> 
[23.251.37.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242861; rev:1;) alert tcp $HOME_NET any -> [137.220.197.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242860; rev:1;) alert tcp $HOME_NET any -> [69.46.36.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242859/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242859; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242857/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242857; rev:1;) alert tcp $HOME_NET any -> [69.46.36.211] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242858/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242858; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242856/; target:src_ip; metadata: 
confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242856; rev:1;) alert tcp $HOME_NET any -> [69.46.36.215] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242854/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242854; rev:1;) alert tcp $HOME_NET any -> [69.46.36.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242855/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242855; rev:1;) alert tcp $HOME_NET any -> [69.46.36.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242853/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242853; rev:1;) alert tcp $HOME_NET any -> [69.46.36.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242852/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242852; rev:1;) alert tcp $HOME_NET any -> [69.46.36.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242850/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242850; rev:1;) alert tcp $HOME_NET any -> [91.92.243.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242851/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242851; rev:1;) alert tcp $HOME_NET any -> [69.46.36.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242849/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242849; rev:1;) alert tcp $HOME_NET any -> [199.248.230.106] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242847/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242847; rev:1;) alert tcp $HOME_NET any -> [69.46.36.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242848/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242848; rev:1;) alert tcp $HOME_NET any -> [151.106.125.157] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242846/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242846; rev:1;) alert tcp $HOME_NET any -> [130.193.34.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242845/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242845; rev:1;) alert tcp $HOME_NET any -> [44.221.44.220] 31337 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242844/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242844; rev:1;) alert tcp $HOME_NET any -> [198.13.57.34] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242843/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242843; rev:1;) alert tcp $HOME_NET any -> [109.107.161.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242842/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242842; rev:1;) alert tcp $HOME_NET any -> [8.130.11.62] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242841; rev:1;) alert tcp $HOME_NET any -> [154.211.15.205] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242840; rev:1;) alert tcp $HOME_NET any -> [209.141.46.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242838; rev:1;) alert tcp $HOME_NET any -> [185.196.10.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242839; rev:1;) alert tcp $HOME_NET any -> [38.55.197.151] 2077 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242836; rev:1;) alert tcp $HOME_NET any -> [47.236.86.239] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242837; rev:1;) alert tcp $HOME_NET any -> [120.24.38.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242835; rev:1;) alert tcp $HOME_NET any -> [8.130.79.120] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242834; rev:1;) alert tcp $HOME_NET any -> [121.41.75.23] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242833; rev:1;) alert tcp $HOME_NET any -> [91.92.241.199] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242831; rev:1;) alert tcp $HOME_NET any -> [116.62.130.96] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242832; rev:1;) alert tcp $HOME_NET any -> [58.87.94.238] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242830; rev:1;) alert tcp $HOME_NET any -> [101.133.164.210] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242829; rev:1;) alert tcp $HOME_NET any -> [8.217.132.202] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242827; rev:1;) alert tcp 
$HOME_NET any -> [124.70.180.22] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242828; rev:1;) alert tcp $HOME_NET any -> [47.108.153.69] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242826; rev:1;) alert tcp $HOME_NET any -> [111.231.74.147] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kind-villani.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242824; rev:1;) alert tcp $HOME_NET any -> [165.227.172.31] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242823; rev:1;) alert tcp $HOME_NET any -> [182.149.199.245] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242822; rev:1;) alert tcp $HOME_NET any -> [20.106.175.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242820; rev:1;) alert tcp $HOME_NET any -> [20.106.175.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242821; rev:1;) alert tcp $HOME_NET any -> [8.219.189.106] 5060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242819; rev:1;) alert tcp $HOME_NET any -> [103.191.15.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242818; rev:1;) alert tcp $HOME_NET any -> [38.6.177.108] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242816; rev:1;) alert tcp $HOME_NET any 
-> [47.120.1.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242817; rev:1;) alert tcp $HOME_NET any -> [175.178.124.71] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242815; rev:1;) alert tcp $HOME_NET any -> [175.178.124.71] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242813; rev:1;) alert tcp $HOME_NET any -> [175.178.124.71] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242814; rev:1;) alert tcp $HOME_NET any -> [118.25.173.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"104-168-102-175.plesk.page"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242811; rev:1;) alert tcp $HOME_NET any -> [1.12.231.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242810; rev:1;) alert tcp $HOME_NET any -> [206.237.21.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242809; rev:1;) alert tcp $HOME_NET any -> [193.112.79.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242808; rev:1;) alert tcp $HOME_NET any -> [82.157.177.73] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242806; rev:1;) alert tcp $HOME_NET any -> [82.157.177.73] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242807; rev:1;) alert tcp $HOME_NET any -> [82.157.177.73] 2095 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242805; rev:1;) alert tcp $HOME_NET any -> [101.42.35.218] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242804; rev:1;) alert tcp $HOME_NET any -> [134.122.20.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242803; rev:1;) alert tcp $HOME_NET any -> [118.194.233.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242802; rev:1;) alert tcp $HOME_NET any -> [43.142.90.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visitor-service-eu-central-1.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242801; rev:1;) alert tcp $HOME_NET any -> [120.48.5.80] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"region1.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242797; rev:1;) alert tcp $HOME_NET any -> [185.44.71.197] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242796/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242796; rev:1;) alert tcp $HOME_NET any -> [91.92.246.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242795/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242795; 
rev:1;) alert tcp $HOME_NET any -> [91.92.253.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242794; rev:1;) alert tcp $HOME_NET any -> [95.116.67.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242790/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242790; rev:1;) alert tcp $HOME_NET any -> [168.149.16.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242789/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242789; rev:1;) alert tcp $HOME_NET any -> [39.40.183.67] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242788/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242788; rev:1;) alert tcp $HOME_NET any -> [213.252.246.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242787/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242787; rev:1;) alert tcp $HOME_NET any -> [83.97.20.183] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242786/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242786; rev:1;) alert tcp $HOME_NET any -> [27.102.66.59] 35201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242785/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242785; rev:1;) alert tcp $HOME_NET any -> [192.144.219.118] 44343 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242784/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242784; rev:1;) alert tcp $HOME_NET any -> [47.100.101.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242783/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242783; rev:1;) alert tcp $HOME_NET any -> [45.9.188.11] 47134 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242782/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242782; rev:1;) alert tcp $HOME_NET any -> [147.45.78.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242781; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242780; rev:1;) alert tcp $HOME_NET any -> [43.156.27.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242779/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242779; rev:1;) alert tcp $HOME_NET any -> [207.174.3.213] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242778; rev:1;) alert tcp $HOME_NET any -> [87.98.233.247] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242777; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242776; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242775; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242774; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242773; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242772; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242771; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242770; rev:1;) alert tcp $HOME_NET any -> [187.135.84.81] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242769; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242768; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242767; rev:1;) alert tcp $HOME_NET any -> [89.23.98.34] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242766; rev:1;) alert tcp $HOME_NET any -> [159.100.14.197] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242765; rev:1;) alert tcp $HOME_NET any -> [91.92.243.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242764; rev:1;) alert tcp $HOME_NET any -> [39.108.229.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242763; rev:1;) alert tcp $HOME_NET any -> [114.132.41.186] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242762; rev:1;) alert tcp $HOME_NET any -> [193.181.23.156] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242761; rev:1;) alert tcp $HOME_NET any -> [197.119.73.234] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242760/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242760; rev:1;) alert tcp $HOME_NET any -> [154.245.141.251] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242759; rev:1;) alert tcp $HOME_NET any -> [42.117.36.184] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242758/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242758; rev:1;) alert tcp $HOME_NET any -> [195.2.81.45] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242757; rev:1;) alert tcp $HOME_NET any -> [65.109.242.97] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242756; rev:1;) alert tcp $HOME_NET any -> [95.217.240.44] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242755; rev:1;) alert tcp $HOME_NET any -> [65.109.172.49] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242754/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242754; rev:1;) alert tcp $HOME_NET any -> [37.27.36.6] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242753/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242753; rev:1;) alert tcp $HOME_NET any -> [83.242.63.186] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242752/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242752; rev:1;) alert tcp $HOME_NET any -> [136.0.3.250] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242751; rev:1;) alert tcp $HOME_NET any -> [104.209.128.50] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242660; rev:1;) alert tcp $HOME_NET any -> [49.234.185.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242659/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.133.164.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242657; rev:1;) alert tcp $HOME_NET any -> [91.92.252.110] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ptj"; depth:4; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"o.cirt.pro"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.cirt.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242649; rev:1;) alert 
tcp $HOME_NET any -> [154.90.62.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/study/constants/7rmolfy0b"; depth:26; nocase; http.host; content:"154.90.62.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242646; rev:1;) alert tcp $HOME_NET any -> [5.42.66.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/244e7da752dca7a602d55ea79cb79681.html"; depth:38; nocase; http.host; content:"firmwarefusion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firmwarefusion.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242644; rev:1;) alert tcp $HOME_NET any -> [185.117.250.169] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242642; rev:1;) alert tcp $HOME_NET any -> [93.123.39.219] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242640; rev:1;) alert tcp $HOME_NET any -> [198.44.171.3] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242639; rev:1;) alert tcp $HOME_NET any -> [137.220.197.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242638; rev:1;) alert tcp $HOME_NET any -> [45.152.65.230] 8888 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242637; rev:1;) alert tcp $HOME_NET any -> [149.104.27.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242636; rev:1;) alert tcp $HOME_NET any -> [69.159.0.252] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242635; rev:1;) alert tcp $HOME_NET any -> [41.230.86.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242634; rev:1;) alert tcp $HOME_NET any -> [154.247.237.145] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242633; rev:1;) alert tcp $HOME_NET any -> [82.67.60.21] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242632; rev:1;) alert tcp $HOME_NET any -> [94.156.67.244] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242631; rev:1;) alert tcp $HOME_NET any -> [185.196.9.214] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8a45dff2.php"; depth:13; nocase; http.host; content:"a0914958.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923400.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242628; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242627; rev:1;) alert tcp $HOME_NET any -> [88.214.25.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpipetosecureasynctrackuploads.php"; depth:42; nocase; http.host; content:"80.85.246.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"88.214.25.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242622; rev:1;) alert tcp $HOME_NET any -> [79.137.202.68] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242616; rev:1;) alert tcp $HOME_NET any -> [41.96.125.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242615; rev:1;) alert tcp $HOME_NET any -> [105.108.32.227] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242614; rev:1;) alert tcp $HOME_NET any -> [79.107.151.150] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242613; rev:1;) alert tcp $HOME_NET any -> [154.247.237.145] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242612/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_02_25; classtype:trojan-activity; sid:91242612; rev:1;) alert tcp $HOME_NET any -> [2.91.177.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242611; rev:1;) alert tcp $HOME_NET any -> [20.80.88.247] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242610; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 5671 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242609; rev:1;) alert tcp $HOME_NET any -> [47.98.126.140] 10000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242608; rev:1;) alert tcp $HOME_NET any -> [185.250.151.246] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242607; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 55430 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1242606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.43.58.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242602; rev:1;) alert tcp $HOME_NET any -> [87.88.94.223] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.172.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.224.223"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242597; rev:1;) alert tcp $HOME_NET any -> [5.75.215.159] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242593; rev:1;) alert tcp $HOME_NET any -> [95.217.240.44] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242594; rev:1;) alert tcp $HOME_NET any -> [65.109.172.49] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242595; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1242592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"106.54.228.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.43.58.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.baidu12366.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242584; rev:1;) alert tcp $HOME_NET any -> [106.54.228.198] 8080 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.baidu12366.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sonystore.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242581; rev:1;) alert tcp $HOME_NET any -> [39.98.192.104] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.sonystore.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242580; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"154.197.98.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242578; rev:1;) alert tcp $HOME_NET any -> [88.214.25.36] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.pain.capetown"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/eternalrequestlowtestdle.php"; depth:31; nocase; http.host; content:"5.182.87.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242575/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242575; rev:1;) alert tcp $HOME_NET any -> [42.237.24.42] 7899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-orange-unit-abfb.gwadarportt.workers.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailpsab-modgovpk.hopto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailsco-govpk.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailsco-govpk.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; 
sid:91242547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meter-ntdccompk.myvnc.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meter-ntdccompk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mof-govnp.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navy-govbd.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmail-armymilbd.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news-ptvcompk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.ntc-telecomcorporation.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntc-telecomcorporation.workers.dev"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offer-ptclnetpk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveblog.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveirc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pak-gov-pk.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pakistan-gov-pk.workers.dev"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pertest-ntdccompk.ddnsking.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"piac-compk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-ptclnetpk.servehttp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewards-ptclnetpk.viewdns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdmx-financegovpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharepakistan-mofa.viewdns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support-ntc.servehttp.com"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail-gda-gov-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-crimson-bread-052d.crypton0019.workers.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ecp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-gwadarport-gov-pk.ntc-telecomcorporation.workers.dev"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hit-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.servehttp.com"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-invest-gov-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mod-gov-pk.pakistan-gov-pk.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.government-pak.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.pak-gov-pk.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.gotdns.ch"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.myddns.me"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofapk.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-nespak-com-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ntcgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-paf-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pc-gov-pk-login.ethanhunthero125.workers.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pofgovpk.3utilities.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pofgovpk.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.crypton0019.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242543/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailhit-govpk.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diagov.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discounts-ptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elccorp-net.ntc-telecomcorporation.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eservice-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242497/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_25; classtype:trojan-activity; sid:91242497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ethanhunthero125.workers.dev"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govnp.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveblog.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"govaruba.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242502; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"government-pak.workers.dev"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarport-gov-pk.gwadarportt.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrmis-financegovpk.serveftp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideas2024-pakistan.myvnc.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideaspakistan-govpk.myvnc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iportal-ntdcgovpk.myvnc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-armylk.myvnc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-armylk.servehalflife.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.servequake.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"mail-depo-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.myvnc.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdpgovpk.servehalflife.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"203-124351878443.hopto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory-cabinetgpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehalflife.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofagovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofapk.servehttp.com"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"circular-financegov.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypton0019.workers.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme89.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz78543.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7963.xyz"; depth:41; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz8456.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz87636.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz8798.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz9856.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz986.xyz"; depth:40; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz9872.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayersistemleri15547.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayersistemleri23547.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme12.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme34.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme39.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme437.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme46.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme53.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme5427.xyz"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242482/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme547.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme82.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz543.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz54453.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz54748.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242451/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5516.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5646.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5736.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz576.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz657.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242456/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz676.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz6766.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz677.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz685.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7554.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242461/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz76342.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz766.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7693.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7786.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3256.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242430/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz345.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz34616.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3466.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz36357.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3786.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242435/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz43.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz436.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4367.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4378.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4432.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242440/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz453.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4533.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45436.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4567.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45676.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242445/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45678.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz525.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz532.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz138.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2145vvv.xyz"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242414/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz23.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz234.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2346.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz235.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242419/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2355.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2356.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz241.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2452.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz25.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242424/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2612.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3215.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz325.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz325336.xyz"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri689.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri775.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri8358.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri89.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri893.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri94.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri965.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite14325.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite2432.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite345436.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242398; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite4352.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite5436.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite64378.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite6473.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite7865.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"videofullizlesite8368.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme11.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme22.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme39.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme46.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1235.xyz"; 
depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz124.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1323.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri247.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri258.xyz"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri26.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri27.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri342.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri393.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri427.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri4537.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri456.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri457.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri4579.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri458.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242382/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242382; rev:1;)
# --- Reviewer notes on the signatures in this stretch of the feed ---------------
# Every rule below has the same shape:
#   dns_query; content:"<fqdn>"; depth:<len(fqdn)>; fast_pattern; isdataat:!1,relative; nocase;
# Anchoring the content at the start of the dns_query buffer with depth equal to the
# name length, and asserting no byte follows the match (isdataat:!1,relative), makes
# each rule a case-insensitive EXACT match on the queried name: subdomains, prefixes
# and look-alikes do not fire. depth must stay equal to the content length, so a
# domain edit always needs a matching depth edit (this feed is generated; prefer
# regenerating over hand edits).
# target:src_ip marks the host that sent the query as the victim. If endpoints
# resolve through an internal recursive resolver that sits between them and the
# sensor, the resolver's address is what the alert reports as src_ip; place the
# sensor where it sees client-side queries if endpoint attribution matters.
# sid = 90000000 + ThreatFox IOC id (the number in the reference URL); rev:1 and
# classtype:trojan-activity throughout; confidence_level 100 in msg and metadata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri554.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri609.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri632.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri67.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242386; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri675.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri6799.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242388; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi7635.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi771.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242347; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi8750.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi883.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizlemesistemi956735.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi124526.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi125.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242352; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi2334.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242353; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi235.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242354; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi2356.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi326471.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi345.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi345738.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi347583.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi43435546.website"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242360; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi456754.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242361; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi5236.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242362; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi6395456.website"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242363; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi6458.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242364; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi77458.website"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242365; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri009.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242366; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri123.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri15.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242368; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri234.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242369; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri2342.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242370; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi354.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi441.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi456.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi46.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi467.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi541.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi5567.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242338; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6076.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6539.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi656.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi658.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6583.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi675.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi679.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu4568.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242314; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu479.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242315; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu482.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu556.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu568.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242318; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu5698.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu571.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu69.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu78.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu783.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242323; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu8570.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi050.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi076.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi1245.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242327; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi156.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242328; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi235.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242329; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi243.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi2467.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi482.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi546754.site"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi5684.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi6263.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi66376.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi86598.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi882.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242299; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi9034.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242300; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu05.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu093.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu1214.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242303; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu124146.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242304; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu188.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu22.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242306; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu243667.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242307; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu335.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu34521.xyz"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu345235.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242310; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu3467.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu364.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242312; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu436.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242313; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle394.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle42853.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242261; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle4326.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle4567.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle56765.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle6789.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle789.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle8324.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle9344.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi01234.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi0513.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi11234.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi12143.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi2213.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi2324.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi23562.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi3215.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi4321.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi43464.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi6170.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi78123.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi993150.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi0474.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"fulllhdvideoizlemeservisi124.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi2246.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi2548.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi289.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi34776.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"fulllhdvideoizlemeservisi3969.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi437.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi445444.site"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi4583.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi46793.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"fullhdvideopleyerizle015919.site"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle12321.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle1252.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle2324.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle23453.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle2357.site"; depth:30; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle324.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle3456.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle348.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-2kd9w0iu-1302672236.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2kd9w0iu-1302672236.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"129.226.83.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242240; rev:1;) 
# ---------------------------------------------------------------------
# NOTE(review): Suricata reads one rule per line. This span was stored
# with several rules run together on each physical line; it is re-flowed
# here to one rule per line. No rule text has been changed.
#
# Conventions visible in every rule below:
#   - sid is "9" followed by the ThreatFox IOC id (sid:91242239 <->
#     ioc/1242239/), rev:1, and reference:url points at that IOC page.
#   - confidence_level (50 / 75 / 100) is carried both in the msg text
#     and in metadata, so it can be keyed on when tuning or suppressing.
#   - target:src_ip marks the $HOME_NET host that initiated the
#     connection as the victim of the alert.
#   - Every rule is "alert" only; nothing here drops traffic.
# ---------------------------------------------------------------------

# URL IOCs (alert http): only cleartext HTTP is inspected -- a URI or
# Host inside TLS is invisible unless traffic is decrypted upstream.
# flow:established,from_client limits the match to client->server on an
# established flow. The Host header match is exact (depth:N followed by
# isdataat:!1,relative), but the URI match is prefix-anchored only
# (depth:N with no trailing isdataat), so "/dpixel" also matches
# "/dpixel/anything". nocase applies to the URI. These rules carry no
# threshold: every matching request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz13602.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microcoft-gettask.html"; depth:23; nocase; http.host; content:"20.106.175.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242237; rev:1;)

# Domain IOCs (alert dns): dns_query is the queried name; depth:N plus
# isdataat:!1,relative make the match exact and nocase makes it
# case-insensitive, so a sub-label such as www.<domain> does NOT match.
# Queries sent over DoH/DoT are not visible to these rules.
# NOTE(review): the five .cfd names carry consecutive IOC ids
# (1242231-1242235) and the same first_seen -- presumably one campaign;
# check the IOC pages before tuning or suppressing them as a group.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fewjfhwefhwegfgwey344.cfd"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhfhreeruu334345432.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gftfttdrtdrrttgfderrt654.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htyfdsdghfr65443.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iefijweijfiwefiue9877.cfd"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242235; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woolyboolydoolykooly.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthbot.icu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242230; rev:1;)

# ip:port IOCs (alert tcp): no payload content is inspected -- any TCP
# traffic from $HOME_NET to the listed IP:port alerts, rate-limited by
# "threshold: type limit, track by_src, seconds 60, count 1" to one alert
# per source host per 60 s. Because only the destination is matched, an
# address that is later recycled (hosting/cloud ranges, shared tunnelling
# services) keeps alerting on benign traffic after the C2 is gone; weigh
# confidence_level before actioning these automatically.
alert tcp $HOME_NET any -> [15.235.131.20] 44647 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242227; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.142] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.loadbalance.click"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242228; rev:1;)
# NOTE(review): *.gl.at.ply.gg looks like a per-user hostname on a shared
# tunnelling service (75% confidence). Only this exact label matches --
# do not widen to the parent domain without confirming.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conference-cal.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzzhmgjjztjkogi3/"; depth:18; nocase; http.host; content:"83.97.73.195"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242210; rev:1;)
# NOTE(review): port 80 at 75% confidence with no content match -- confirm
# whether 147.185.221.17 is a shared tunnelling/hosting address before
# blocking the IP outright.
alert tcp $HOME_NET any -> [147.185.221.17] 80 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242211; rev:1;)
alert tcp $HOME_NET any -> [20.218.68.91] 23100 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242216; rev:1;)
alert tcp $HOME_NET any -> [77.105.147.157] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242226; rev:1;)
# The 50%-confidence entries below sit on :443 / :995 / :7443 -- presumably
# TLS, so this ip:port match is the only visibility available. Treat them
# as hunting signals rather than auto-block input.
alert tcp $HOME_NET any -> [71.88.241.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242225; rev:1;)
alert tcp $HOME_NET any -> [167.56.121.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242224; rev:1;)
alert tcp $HOME_NET any -> [78.40.117.84] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242223; rev:1;)
alert tcp $HOME_NET any -> [35.193.229.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242222; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externallinephpjavascriptsecureauthprotectlinuxuniversal.php"; depth:61; nocase; http.host; content:"82.115.223.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242220; rev:1;)
alert tcp $HOME_NET any -> [156.236.72.163] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image_securecpugamelongpollmulticentral.php"; depth:44; nocase; http.host; content:"gp104995g2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmcpuprocessgenerator.php"; depth:26; nocase; http.host; content:"785319cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242217; rev:1;)
alert tcp $HOME_NET any -> [45.92.179.244] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242215; rev:1;)
# Same host on two ports: 8081 at 50% and 50500 at 100% confidence.
alert tcp $HOME_NET any -> [91.92.244.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242214; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.67] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242213; rev:1;)
# 185.193.126.187 also appears earlier in this file with URI /visit.js
# (sid:91242244). "/fwlink" is a short prefix -- see the URI caveat above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242209; rev:1;)
# 88.214.25.235 is both an ip:port IOC (sid:91242208) and the http.host of
# sid:91242206; the three /enable/v9/wdoblgwr0s rules (microsoftsyst3m.com,
# 88.214.25.235, igo0gle.com) share one URI and first_seen -- presumably one
# infrastructure set. The look-alike names (microsoftsyst3m, igo0gle) match
# exactly only; other typosquat variants need their own rules.
alert tcp $HOME_NET any -> [88.214.25.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"88.214.25.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242205; rev:1;)
alert tcp $HOME_NET any -> [87.98.177.182] 3131 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242204; rev:1;) alert tcp $HOME_NET any -> [45.95.147.236] 43782 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv.tamatri.co"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tamatri.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dw.c4kdeliver.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242200; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 43519 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1242198/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"male-stephen.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242199/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbi.su1001-2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbi.su1001-2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dw.bpdeliver.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jira.letmaker.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242191/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_24; classtype:trojan-activity; sid:91242191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"work.onlypirate.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.oracleservice.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.oracleservice.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwn.oracleservice.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4k-ircd.pwndns.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"teplokub.com.ua"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"kamsmad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"souzhensil.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242187; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 20543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242185; rev:1;) alert tcp $HOME_NET any -> [84.212.127.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; 
classtype:trojan-activity; sid:91242184; rev:1;) alert tcp $HOME_NET any -> [105.108.32.227] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242183; rev:1;) alert tcp $HOME_NET any -> [188.40.19.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242182; rev:1;) alert tcp $HOME_NET any -> [64.227.179.34] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242181; rev:1;) alert tcp $HOME_NET any -> [216.146.26.94] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242180; rev:1;) alert tcp $HOME_NET any -> [216.146.26.94] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242179; rev:1;) alert tcp $HOME_NET any -> [172.104.53.129] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242178; rev:1;) alert tcp $HOME_NET any -> [42.2.112.129] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242177; rev:1;) alert tcp $HOME_NET any -> [173.44.141.149] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242176; rev:1;) alert tcp $HOME_NET any -> [185.222.58.83] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242175; rev:1;) alert tcp $HOME_NET any -> [93.123.85.197] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242174; rev:1;) alert tcp $HOME_NET any -> [95.86.227.200] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"kisel228.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242173; rev:1;) alert tcp $HOME_NET any -> [192.236.162.239] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"o3c31x4fqdw2.lt"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"0n75w55jyk66.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"oylg4z486xv4.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242162/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_02_24; classtype:trojan-activity; sid:91242162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"13sf6uu6cvlm.la"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"papricasfla.bio"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"643y3mrh4m3d.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"xivadoivxa.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"6dtav5rvnh1q.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242167/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"decilaxcvz.life"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242168/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"9w28pp996g59.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242169/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242169; rev:1;) alert tcp $HOME_NET any -> [185.158.251.240] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stake.libertariancounterpoint.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242158/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_24; classtype:trojan-activity; sid:91242158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo"; depth:7; nocase; http.host; content:"moon.playstoreapi.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242154; rev:1;) alert tcp $HOME_NET any -> [77.246.158.53] 13551 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manta.brasilia.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloudieapp.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voilet"; depth:7; nocase; http.host; content:"sni1.androidmetricsasia.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242153/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"instantchatapp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"funcallback.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"appserv.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242159; rev:1;) alert tcp $HOME_NET any -> [43.229.148.210] 5556 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242151; rev:1;) alert tcp $HOME_NET any -> [5.42.73.150] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"5.34.198.105"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.74.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"185.196.8.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdncloud.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"cdncloud.info"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"ipadd.show"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipadd.show"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242138; rev:1;) alert tcp $HOME_NET any -> [148.72.132.181] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242137; rev:1;) alert tcp $HOME_NET any -> [142.132.224.223] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242136/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242136; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241988; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241989; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241990/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241990; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242004; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242012; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242013; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242014; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"than-electoral.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242107/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242107; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 3639 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pcpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242123; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 15217 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nature-dawn.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242109/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwi0ywmyymflodbl/"; depth:18; nocase; http.host; content:"194.26.135.99"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242115; rev:1;) alert tcp $HOME_NET any -> [93.123.85.8] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242128; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 1177 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242135; rev:1;) alert tcp $HOME_NET any -> [45.138.74.228] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242134; rev:1;) alert tcp $HOME_NET any -> [13.231.247.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242133; rev:1;) alert tcp $HOME_NET any -> [95.179.200.130] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242132; rev:1;) alert tcp $HOME_NET any -> [77.49.56.209] 
995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242131; rev:1;) alert tcp $HOME_NET any -> [143.198.112.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242130; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 10443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242129; rev:1;) alert tcp $HOME_NET any -> [92.246.136.169] 16668 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck07725.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242124; rev:1;) alert tcp $HOME_NET any -> [121.37.66.33] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242122; rev:1;) alert tcp $HOME_NET any -> [105.100.10.190] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242121; rev:1;) alert tcp $HOME_NET any -> [94.154.172.74] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242120; rev:1;) alert tcp $HOME_NET any -> [49.13.32.37] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242119; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 32544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242118; rev:1;) alert tcp $HOME_NET any -> [37.120.237.196] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242117; rev:1;) alert tcp $HOME_NET any -> [45.80.158.25] 5055 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageprotect.php"; depth:17; nocase; http.host; content:"176.123.169.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242112; rev:1;) alert tcp $HOME_NET any -> [85.159.228.138] 41572 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91242111; rev:1;) alert tcp $HOME_NET any -> [213.152.162.89] 9702 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242110; rev:1;) alert tcp $HOME_NET any -> [65.0.50.125] 22158 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242106; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 36364 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242105; rev:1;) alert tcp $HOME_NET any -> [51.81.42.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242104; rev:1;) alert tcp $HOME_NET any -> [20.115.87.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242103; rev:1;) alert tcp $HOME_NET any -> [34.250.248.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1242102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242102; rev:1;) alert tcp $HOME_NET any -> [124.223.177.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242101; rev:1;) alert tcp $HOME_NET any -> [138.68.180.208] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242100; rev:1;) alert tcp $HOME_NET any -> [52.231.117.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242099; rev:1;) alert tcp $HOME_NET any -> [52.87.249.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242098; rev:1;) alert tcp $HOME_NET any -> [3.65.151.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242097; rev:1;) alert tcp 
$HOME_NET any -> [34.134.123.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242096; rev:1;) alert tcp $HOME_NET any -> [4.147.26.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242095; rev:1;) alert tcp $HOME_NET any -> [172.104.219.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242094; rev:1;) alert tcp $HOME_NET any -> [142.93.75.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242093; rev:1;) alert tcp $HOME_NET any -> [167.71.229.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242092; rev:1;) alert tcp $HOME_NET any -> [84.76.152.132] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242091; rev:1;) alert tcp $HOME_NET any -> [34.66.42.107] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242090; rev:1;) alert tcp $HOME_NET any -> [34.88.129.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242089; rev:1;) alert tcp $HOME_NET any -> [138.197.168.34] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242088; rev:1;) alert tcp $HOME_NET any -> [47.245.122.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242087; rev:1;) alert tcp $HOME_NET any -> [124.220.110.22] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242086; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242085; rev:1;) alert tcp $HOME_NET any -> [84.27.0.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242084; rev:1;) alert tcp $HOME_NET any -> [93.123.85.206] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilon7331.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242082; rev:1;) alert tcp $HOME_NET any -> [5.42.67.10] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242079; rev:1;) alert tcp $HOME_NET any -> [5.42.67.89] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242077/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242077; rev:1;) alert tcp $HOME_NET any -> [110.173.54.195] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242078; rev:1;) alert tcp $HOME_NET any -> [37.140.242.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242076; rev:1;) alert tcp $HOME_NET any -> [46.246.86.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242075; rev:1;) alert tcp $HOME_NET any -> [154.244.6.141] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.edgarmcneil.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dbdfbd.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liceback.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242071; rev:1;) alert tcp $HOME_NET any -> [220.78.13.217] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242070; rev:1;) alert tcp $HOME_NET any -> [181.162.129.236] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242069; rev:1;) alert tcp $HOME_NET any -> [89.23.102.221] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242068; rev:1;) alert tcp $HOME_NET any -> [193.233.254.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91242066; rev:1;) alert tcp $HOME_NET any -> [212.70.149.199] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242067; rev:1;) alert tcp $HOME_NET any -> [86.110.194.13] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-214-93-225.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242065; rev:1;) alert tcp $HOME_NET any -> [185.217.197.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ovh.rfc.pp.ua"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ec2-54-152-184-1.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242061; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242060; rev:1;) alert tcp $HOME_NET any -> [46.4.37.212] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242058; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242059; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242057; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242055/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_23; classtype:trojan-activity; sid:91242055; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242056; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242054; rev:1;) alert tcp $HOME_NET any -> [82.165.208.218] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242053; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242052; rev:1;) alert tcp $HOME_NET any -> [185.87.150.199] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242051; rev:1;) alert tcp $HOME_NET any -> [82.97.244.235] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242050/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242050; rev:1;) alert tcp $HOME_NET any -> [35.93.24.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242049/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242049; rev:1;) alert tcp $HOME_NET any -> [114.115.129.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242048/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242048; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242047; rev:1;) alert tcp $HOME_NET any -> [65.20.80.197] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242045; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242046; rev:1;) alert tcp $HOME_NET any -> 
[65.20.80.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242044; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242043; rev:1;) alert tcp $HOME_NET any -> [34.168.39.155] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242041; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242042; rev:1;) alert tcp $HOME_NET any -> [176.32.38.186] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242040; rev:1;) alert tcp $HOME_NET any -> [182.92.207.142] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242039/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242039; rev:1;) alert tcp $HOME_NET any -> [91.92.241.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242038; rev:1;) alert tcp $HOME_NET any -> [45.159.209.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242036; rev:1;) alert tcp $HOME_NET any -> [117.72.42.129] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242037; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242034; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242035; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242033; rev:1;) alert tcp $HOME_NET any -> [91.149.237.252] 52299 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242032; rev:1;) alert tcp $HOME_NET any -> [101.200.164.66] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242030; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242031; rev:1;) alert tcp $HOME_NET any -> [154.221.17.44] 2991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242029; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242027/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_23; classtype:trojan-activity; sid:91242027; rev:1;) alert tcp $HOME_NET any -> [167.71.186.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242028; rev:1;) alert tcp $HOME_NET any -> [139.180.146.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242026; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242024; rev:1;) alert tcp $HOME_NET any -> [154.197.98.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242025; rev:1;) alert tcp $HOME_NET any -> [175.24.133.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242023; rev:1;) alert tcp $HOME_NET any -> [152.42.164.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242022; rev:1;) alert tcp $HOME_NET any -> [221.234.36.116] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242020; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242021; rev:1;) alert tcp $HOME_NET any -> [47.254.149.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242019; rev:1;) alert tcp $HOME_NET any -> [20.108.32.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242018; rev:1;) alert tcp $HOME_NET any -> [52.190.15.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242017; rev:1;) 
alert tcp $HOME_NET any -> [58.137.140.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"controlopposedcallyo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"technologyenterdo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lighterepisodeheighte.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"problemregardybuiwo.fun"; 
depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"detectordiscusser.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"edurestunningcrackyow.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pooreveningfuseor.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242005; rev:1;) alert tcp $HOME_NET any -> [192.210.136.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242003; rev:1;) alert tcp $HOME_NET any -> [86.98.212.14] 22 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242002; rev:1;) alert tcp $HOME_NET any -> [105.155.177.133] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242001; rev:1;) alert tcp $HOME_NET any -> [176.233.252.31] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242000; rev:1;) alert tcp $HOME_NET any -> [195.78.220.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241999; rev:1;) alert tcp $HOME_NET any -> [89.116.227.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241998; rev:1;) alert tcp $HOME_NET any -> [37.1.210.109] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91241997; rev:1;) alert tcp $HOME_NET any -> [20.189.118.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241996; rev:1;) alert tcp $HOME_NET any -> [138.124.180.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241995; rev:1;) alert tcp $HOME_NET any -> [122.114.11.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241994; rev:1;) alert tcp $HOME_NET any -> [130.193.34.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241993; rev:1;) alert tcp $HOME_NET any -> [46.101.147.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"software.ftoffice.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241991; rev:1;) alert tcp $HOME_NET any -> [103.178.234.224] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241987; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241982; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241983; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241984/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241984; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241985/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241985; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241986; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241977; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 38277 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241978; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cut-britney.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241980/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241980; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241981; rev:1;) alert tcp $HOME_NET any -> [23.106.121.133] 1177 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jnchina.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eu.webmailservice.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241973; rev:1;) alert tcp $HOME_NET any -> [20.170.19.248] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241974; rev:1;) alert tcp $HOME_NET any -> [18.219.198.202] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91241972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.byresolved.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241971; rev:1;) alert tcp $HOME_NET any -> [46.101.147.204] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.ftoffice.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.20.43.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241968; rev:1;) alert tcp $HOME_NET any -> [45.76.123.14] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rd.0x3f34.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rd.0x115c.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalsecuredlecentral.php"; depth:29; nocase; http.host; content:"113754cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.106.26.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.92.146.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241955; rev:1;) alert tcp $HOME_NET any -> [5.181.80.195] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241954; rev:1;) alert tcp $HOME_NET any -> [193.233.132.89] 8081 (msg:"ThreatFox RisePro botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sluitionsbad.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"sluitionsbad.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241951; rev:1;) alert tcp $HOME_NET any -> [185.209.162.106] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mezla.site"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241950; rev:1;) alert tcp $HOME_NET any -> [45.11.93.150] 8964 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1241936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241936; rev:1;) alert tcp $HOME_NET any -> [193.23.55.21] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241948; rev:1;) alert tcp $HOME_NET any -> [193.233.132.89] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241946; rev:1;) alert tcp $HOME_NET any -> [38.180.71.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.180.71.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"78.40.116.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241943; rev:1;) alert tcp $HOME_NET any -> [159.65.130.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"159.65.130.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241941; rev:1;) alert tcp $HOME_NET any -> [20.91.244.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyprusvillahomes.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/scripts/a0aba203-e3f4-4a26-81f8/get/jquery-ui-1.12.1"; depth:60; nocase; http.host; content:"cyprusvillahomes.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241938; rev:1;) alert tcp $HOME_NET any -> [49.13.32.37] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241934; rev:1;) alert tcp $HOME_NET any -> [192.227.231.5] 23 (msg:"ThreatFox 
Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241931; rev:1;) alert tcp $HOME_NET any -> [203.25.119.136] 48748 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241932; rev:1;) alert tcp $HOME_NET any -> [178.79.150.75] 4444 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241929; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241930; rev:1;) alert tcp $HOME_NET any -> [141.98.7.15] 1915 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241926; rev:1;) alert tcp $HOME_NET any -> [146.59.12.246] 20002 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91241927; rev:1;) alert tcp $HOME_NET any -> [146.190.53.148] 81 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241928; rev:1;) alert tcp $HOME_NET any -> [134.209.111.71] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241924; rev:1;) alert tcp $HOME_NET any -> [141.95.81.119] 2300 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241925; rev:1;) alert tcp $HOME_NET any -> [114.67.217.170] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241923; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 32015 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241921; rev:1;) alert tcp $HOME_NET any -> [93.123.85.181] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241922; rev:1;) alert tcp $HOME_NET any -> [78.31.67.78] 2300 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241919; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 32015 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241920; rev:1;) alert tcp $HOME_NET any -> [47.105.86.47] 21997 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241917; rev:1;) alert tcp $HOME_NET any -> [62.173.140.174] 17900 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241918; rev:1;) alert tcp $HOME_NET any -> [45.154.1.68] 1420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241915; rev:1;) alert tcp $HOME_NET any -> [46.19.140.242] 32465 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241916; rev:1;) alert tcp $HOME_NET any -> [31.222.202.156] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/nvycjtpinaaq4eamnkgwj2"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hlaqy0v7-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241912; rev:1;) alert tcp $HOME_NET any -> [106.54.228.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-hlaqy0v7-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241911; rev:1;) alert tcp $HOME_NET any -> [185.196.10.134] 6117 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241910; rev:1;) alert tcp $HOME_NET any -> [154.222.236.61] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241909; rev:1;) alert tcp $HOME_NET any -> [94.103.188.173] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241908; rev:1;) alert tcp $HOME_NET any -> [142.171.33.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241907; rev:1;) alert tcp $HOME_NET any -> [89.190.156.176] 8872 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241882/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241882; rev:1;) alert tcp $HOME_NET any -> [185.226.106.107] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241894; rev:1;) alert tcp $HOME_NET any -> [194.147.140.242] 2202 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241906; rev:1;) alert tcp $HOME_NET any -> [154.247.12.253] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241905; rev:1;) alert tcp $HOME_NET any -> [209.151.153.136] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241904; rev:1;) alert tcp $HOME_NET any -> [103.27.132.105] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241903; rev:1;) alert tcp $HOME_NET any -> [37.1.210.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241902; rev:1;) alert tcp $HOME_NET any -> [34.116.205.0] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241901; rev:1;) alert tcp $HOME_NET any -> [165.227.122.136] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241900; rev:1;) alert tcp $HOME_NET any -> [58.65.172.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241899; rev:1;) alert tcp $HOME_NET any -> [23.227.193.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lastaflirtely.me"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241897; rev:1;) alert tcp $HOME_NET any -> 
[209.9.200.69] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241896; rev:1;) alert tcp $HOME_NET any -> [51.250.74.43] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm65198.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241893; rev:1;) alert tcp $HOME_NET any -> [91.202.233.133] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241892; rev:1;) alert tcp $HOME_NET any -> [212.192.12.222] 5008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241891; rev:1;) alert tcp $HOME_NET any -> [91.92.252.227] 1000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241890; rev:1;) alert tcp $HOME_NET any -> [83.217.9.199] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241889; rev:1;) alert tcp $HOME_NET any -> [106.53.186.12] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241888; rev:1;) alert tcp $HOME_NET any -> [166.88.61.138] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241887; rev:1;) alert tcp $HOME_NET any -> [18.153.179.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241886; rev:1;) alert tcp $HOME_NET any -> [35.178.199.73] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241885; rev:1;) alert tcp $HOME_NET any -> [3.253.247.39] 443 (msg:"ThreatFox Havoc 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mscs.v1.vscll.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/generatorexternal9windows/local74/3processor/js/updatebigloadprocess/httptest/uploads9universaltest/trackflower6/pipe0wp/trafficlinegameprovider/publiclocal80/6better9/processorphp/6defaultserver/0javascript/multi8external/5betterrequestlinux/uploadswindowslow/tobigloadmultiflowerasyncwptempdownloads.php"; depth:306; nocase; http.host; content:"79.137.207.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241844; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241848; rev:1;) 
alert tcp $HOME_NET any -> [45.95.169.14] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241849; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 37064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241850/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"training-invasion.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241851/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241851; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 48795 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241874; rev:1;) alert tcp $HOME_NET any -> [193.35.18.127] 51321 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241872; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"79-9-691.581-alps.qyhgroup.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241876; rev:1;) alert tcp $HOME_NET any -> [38.147.172.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mscs.v1.vscll.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241879; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"39.104.73.42"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalhttp2db/longpollvoiddb2server/longpollsecure3bigload/196downloads/32proton/061/imagevmproton/1pipe/dlebigloadcentral/game/50uploadscentral/phpbigload9/externalimageapigeneratoruniversalwordpresslocalcdn.php"; depth:214; nocase; http.host; content:"77.91.124.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241873; rev:1;) alert tcp $HOME_NET any -> [79.131.125.79] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241871; rev:1;) alert tcp $HOME_NET any -> [154.246.82.173] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241870; rev:1;) alert tcp $HOME_NET any -> [75.90.82.104] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241869; rev:1;) alert tcp $HOME_NET any -> [154.247.12.253] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241868; rev:1;) alert tcp $HOME_NET any -> [24.90.18.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"190.182.251.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.76.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.131.132.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1.94.67.222"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/attachments/1130829539006750833/1210266320600301709/4_npp.8.6.3.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onmicrosoft"; depth:12; nocase; http.host; content:"workstatpasing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nationwide_services"; depth:20; nocase; http.host; content:"workstatpasing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/w2p/panel/gate.php"; depth:19; nocase; http.host; content:"yourstudyway.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zzrgqnaww.php"; depth:19; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241760; rev:1;) alert tcp $HOME_NET any -> [103.35.189.93] 10443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241842; rev:1;) alert tcp $HOME_NET any -> [147.189.175.79] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241841; rev:1;) alert tcp $HOME_NET any -> [34.72.103.8] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241839; rev:1;) alert tcp $HOME_NET any -> [34.118.85.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241840; rev:1;) alert tcp $HOME_NET any -> [54.206.231.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241838; rev:1;) alert tcp $HOME_NET any -> [3.110.14.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241837; rev:1;) alert tcp $HOME_NET any -> [172.187.145.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241836; rev:1;) alert tcp $HOME_NET any -> [138.197.13.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241835/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241835; rev:1;) alert tcp $HOME_NET any -> [34.16.51.172] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241834; rev:1;) alert tcp $HOME_NET any -> [96.231.143.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241833; rev:1;) alert tcp $HOME_NET any -> [137.184.150.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241832; rev:1;) alert tcp $HOME_NET any -> [164.177.30.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1126965.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241830; rev:1;) alert tcp $HOME_NET any -> [39.107.109.9] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241829; rev:1;) alert tcp $HOME_NET any -> [38.54.119.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241828; rev:1;) alert tcp $HOME_NET any -> [45.207.58.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241827; rev:1;) alert tcp $HOME_NET any -> [219.147.89.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241826; rev:1;) alert tcp $HOME_NET any -> [51.11.25.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkerfunyfile.store"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241824/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241824; rev:1;) alert tcp $HOME_NET any -> [95.216.253.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"striperouter.supelle.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241823; rev:1;) alert tcp $HOME_NET any -> [45.95.169.135] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241821; rev:1;) alert tcp $HOME_NET any -> [108.174.198.206] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241820; rev:1;) alert tcp $HOME_NET any -> [209.141.35.151] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ec2-54-88-105-125.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241817; rev:1;) alert tcp $HOME_NET any -> [34.118.33.152] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241816; rev:1;) alert tcp $HOME_NET any -> [91.151.88.209] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recruitis.josefbenjac.cz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"digital20.agriprotechx.com"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.77.129.13.49.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241812; rev:1;) alert tcp $HOME_NET any -> [20.56.35.166] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241810; rev:1;) alert tcp $HOME_NET any -> [107.173.118.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241811; rev:1;) alert tcp $HOME_NET any -> [52.184.85.209] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the.networkguru.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; 
classtype:trojan-activity; sid:91241807; rev:1;) alert tcp $HOME_NET any -> [166.88.132.139] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241808; rev:1;) alert tcp $HOME_NET any -> [94.156.69.145] 7539 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241806; rev:1;) alert tcp $HOME_NET any -> [3.99.102.8] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241805; rev:1;) alert tcp $HOME_NET any -> [162.222.206.193] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241804; rev:1;) alert tcp $HOME_NET any -> [94.156.69.246] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241803; rev:1;) alert tcp $HOME_NET any -> [47.128.64.139] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"49.183.246.35.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241801; rev:1;) alert tcp $HOME_NET any -> [185.146.157.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas4.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241799; rev:1;) alert tcp $HOME_NET any -> [91.92.250.168] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241798; rev:1;) alert tcp $HOME_NET any -> [172.188.29.138] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241797; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.iexcom.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241796; rev:1;) alert tcp $HOME_NET any -> [91.92.253.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241794; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241795; rev:1;) alert tcp $HOME_NET any -> [45.88.186.65] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241793; rev:1;) alert tcp $HOME_NET any -> [136.243.111.71] 5900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241792; rev:1;) alert tcp $HOME_NET any -> [113.174.1.186] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241790; rev:1;) alert tcp $HOME_NET any -> [181.131.216.198] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241791; rev:1;) alert tcp $HOME_NET any -> [172.111.148.12] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241789; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 5005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241788/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241788; rev:1;) alert tcp $HOME_NET any -> [216.245.181.105] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241787/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241787; rev:1;) alert tcp $HOME_NET any -> [91.92.243.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241786/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241786; rev:1;) alert tcp $HOME_NET any -> [42.193.178.194] 55443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241785; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241784; rev:1;) alert tcp $HOME_NET any -> [5.34.198.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241783; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241781; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 8181 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241782; rev:1;) alert tcp $HOME_NET any -> [104.168.54.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241780/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_22; classtype:trojan-activity; sid:91241780; rev:1;) alert tcp $HOME_NET any -> [47.113.195.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241778; rev:1;) alert tcp $HOME_NET any -> [101.42.47.72] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241779; rev:1;) alert tcp $HOME_NET any -> [38.60.253.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241777; rev:1;) alert tcp $HOME_NET any -> [118.31.75.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241776; rev:1;) alert tcp $HOME_NET any -> [74.235.199.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241774; rev:1;) alert tcp $HOME_NET any -> [124.223.97.173] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241775; rev:1;) alert tcp $HOME_NET any -> [74.235.199.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241773; rev:1;) alert tcp $HOME_NET any -> [103.191.15.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241772; rev:1;) alert tcp $HOME_NET any -> [111.92.243.96] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241770; rev:1;) alert tcp $HOME_NET any -> [94.156.69.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241771; rev:1;) alert tcp $HOME_NET any -> [175.178.48.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241769; rev:1;) alert 
tcp $HOME_NET any -> [47.98.214.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241768; rev:1;) alert tcp $HOME_NET any -> [47.101.160.122] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241767; rev:1;) alert tcp $HOME_NET any -> [124.222.114.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hr-helpdesk.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241765; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241764; rev:1;) alert tcp $HOME_NET any -> [39.105.194.11] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software.ftoffice.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-162-155-161.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grebiunti.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"grebiunti.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241757; rev:1;) alert tcp $HOME_NET any -> [31.10.67.116] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241755/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241755; rev:1;) alert tcp $HOME_NET any -> [95.216.104.115] 4328 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241756; rev:1;) alert tcp $HOME_NET any -> [37.221.65.78] 63645 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.221.65.78"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1241746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"chernobyl.fun"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1241747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"auth.tesla-alert.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1241748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241748; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"app.tesla-alert.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1241749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafiakorea.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241750; rev:1;) alert tcp $HOME_NET any -> [185.158.248.141] 1344 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241753; rev:1;) alert tcp $HOME_NET any -> [129.153.86.0] 8778 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"356873cm.nyashtyan.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241745; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.131.132.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ecuaecua.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241741; rev:1;) alert tcp $HOME_NET any -> [46.246.12.6] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241740/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"94.156.69.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etc.clientlibs/base.min.acshash29ccd0207f7ce847c.js"; depth:52; nocase; http.host; content:"119.3.12.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.222.64.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.191.15.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; 
http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241731; rev:1;) alert tcp $HOME_NET any -> [212.102.39.208] 58095 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241723; rev:1;) alert tcp $HOME_NET any -> [124.71.108.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241729; rev:1;) alert tcp $HOME_NET any -> [193.29.56.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; 
content:"193.29.56.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241727; rev:1;) alert tcp $HOME_NET any -> [173.44.141.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realusatruck.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"realusatruck.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241724; rev:1;) alert tcp $HOME_NET any -> [45.142.107.117] 3549 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241717; rev:1;) alert tcp $HOME_NET any -> [185.196.10.139] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241721; rev:1;) alert tcp $HOME_NET any -> [91.92.240.13] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241718; rev:1;) alert tcp $HOME_NET any -> [185.196.10.164] 59312 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241719; rev:1;) alert tcp $HOME_NET any -> [185.196.10.60] 55655 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241720; rev:1;) alert tcp $HOME_NET any -> [185.196.9.223] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241722; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241716; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 3778 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241712; rev:1;) alert tcp $HOME_NET any -> [37.221.94.43] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241713; rev:1;) alert tcp $HOME_NET any -> [146.19.191.200] 69 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241714; rev:1;) alert tcp $HOME_NET any -> [45.138.174.72] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241715; rev:1;) alert tcp $HOME_NET any -> [185.91.127.216] 55555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241710; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; 
sid:91241711; rev:1;) alert tcp $HOME_NET any -> [5.181.80.126] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241709; rev:1;) alert tcp $HOME_NET any -> [5.181.80.27] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241705; rev:1;) alert tcp $HOME_NET any -> [5.181.80.153] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241706; rev:1;) alert tcp $HOME_NET any -> [5.181.80.116] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241707; rev:1;) alert tcp $HOME_NET any -> [5.181.80.177] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241708; rev:1;) alert tcp $HOME_NET any -> [64.176.178.205] 2017 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241704; rev:1;) alert tcp $HOME_NET any -> [103.233.11.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241703; rev:1;) alert tcp $HOME_NET any -> [103.233.11.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241702; rev:1;) alert tcp $HOME_NET any -> [165.232.41.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241701; rev:1;) alert tcp $HOME_NET any -> [5.42.92.25] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241700; rev:1;) alert tcp $HOME_NET any -> [41.96.190.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241699; rev:1;) alert tcp $HOME_NET any -> [41.97.43.5] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241698; rev:1;) alert tcp $HOME_NET any -> [154.246.82.173] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241697; rev:1;) alert tcp $HOME_NET any -> [193.239.86.189] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241696; rev:1;) alert tcp $HOME_NET any -> [103.35.189.93] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241695; rev:1;) alert tcp $HOME_NET any -> [103.35.189.93] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241694; rev:1;) alert tcp $HOME_NET any -> [159.89.204.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; 
sid:91241693; rev:1;) alert tcp $HOME_NET any -> [159.89.204.198] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241692; rev:1;) alert tcp $HOME_NET any -> [147.182.190.27] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amma.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrmzmu3odrmy2q4/"; depth:18; nocase; http.host; content:"45.93.20.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241659; rev:1;) alert tcp $HOME_NET any -> [5.75.162.217] 43724 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241660; rev:1;) alert tcp $HOME_NET any -> [185.133.40.202] 80 (msg:"ThreatFox RedLine Stealer 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241689; rev:1;) alert tcp $HOME_NET any -> [222.186.174.9] 43268 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241690; rev:1;) alert tcp $HOME_NET any -> [103.28.33.96] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241688; rev:1;) alert tcp $HOME_NET any -> [139.159.197.241] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241687; rev:1;) alert tcp $HOME_NET any -> [161.35.203.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241686; rev:1;) alert tcp $HOME_NET any -> [5.188.87.36] 36543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241685/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_02_22; classtype:trojan-activity; sid:91241685; rev:1;) alert tcp $HOME_NET any -> [43.137.5.20] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241684; rev:1;) alert tcp $HOME_NET any -> [103.151.217.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241683; rev:1;) alert tcp $HOME_NET any -> [43.139.74.167] 50034 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241682; rev:1;) alert tcp $HOME_NET any -> [164.90.169.184] 31228 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241681; rev:1;) alert tcp $HOME_NET any -> [104.129.182.25] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241680; rev:1;) alert tcp $HOME_NET any -> [91.92.250.128] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1241679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241679; rev:1;) alert tcp $HOME_NET any -> [20.106.172.90] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241678; rev:1;) alert tcp $HOME_NET any -> [4.233.217.146] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241677; rev:1;) alert tcp $HOME_NET any -> [20.215.188.233] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241676; rev:1;) alert tcp $HOME_NET any -> [193.233.132.235] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241675; rev:1;) alert tcp $HOME_NET any -> [193.233.132.18] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241674; rev:1;) alert tcp $HOME_NET any -> [92.223.106.203] 12134 (msg:"ThreatFox Orcus RAT 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241673; rev:1;) alert tcp $HOME_NET any -> [193.233.132.75] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241672; rev:1;) alert tcp $HOME_NET any -> [193.233.132.21] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241671; rev:1;) alert tcp $HOME_NET any -> [116.203.3.120] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241670; rev:1;) alert tcp $HOME_NET any -> [95.217.29.171] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241669; rev:1;) alert tcp $HOME_NET any -> [49.13.32.193] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; 
classtype:trojan-activity; sid:91241668; rev:1;) alert tcp $HOME_NET any -> [95.217.31.198] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241667; rev:1;) alert tcp $HOME_NET any -> [65.109.242.25] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241666; rev:1;) alert tcp $HOME_NET any -> [65.109.242.25] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241665; rev:1;) alert tcp $HOME_NET any -> [159.69.103.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241664; rev:1;) alert tcp $HOME_NET any -> [159.69.103.8] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241663; rev:1;) alert tcp $HOME_NET any -> [45.148.4.19] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.138.212.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241657; rev:1;) alert tcp $HOME_NET any -> [121.43.55.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"218.94.206.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.17.123.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"116.211.153.240"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"223.68.136.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.159.80.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"112.28.231.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.39.197.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"139.162.155.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241648; rev:1;) alert tcp $HOME_NET any -> [193.168.173.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"193.168.173.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241646; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241645; rev:1;) alert tcp $HOME_NET any -> [102.47.184.255] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geogeneratorwp.php"; depth:19; nocase; http.host; content:"102822cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241643; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 19437 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241642; rev:1;) alert tcp $HOME_NET any -> [54.84.110.180] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241641; rev:1;) alert tcp $HOME_NET any -> [95.219.218.28] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241640; rev:1;) alert tcp $HOME_NET any -> [5.15.83.50] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241639; rev:1;) alert tcp $HOME_NET any -> [142.154.28.33] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241638; rev:1;) alert tcp $HOME_NET any -> [41.227.173.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241637; rev:1;) alert tcp $HOME_NET any -> [141.164.48.82] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241636; rev:1;) alert tcp $HOME_NET any -> [51.159.178.12] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241635; rev:1;) alert tcp $HOME_NET any -> [94.102.49.161] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241634; rev:1;) alert tcp $HOME_NET any -> [145.239.230.233] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241633; rev:1;) alert tcp $HOME_NET any -> [38.132.122.178] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"116.72.22.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241631; rev:1;) alert tcp $HOME_NET any -> [45.77.72.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"dns.artstrailreviews.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.193"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241625/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.103.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241624; rev:1;) alert tcp $HOME_NET any -> [49.13.32.193] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241622; rev:1;) alert tcp $HOME_NET any -> [95.217.29.171] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241623; rev:1;) alert tcp $HOME_NET any -> [159.69.103.8] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241619; rev:1;) alert tcp $HOME_NET any -> [116.203.12.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241620; rev:1;) alert tcp $HOME_NET any -> [116.203.12.183] 9000 (msg:"ThreatFox 
Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241621; rev:1;) alert tcp $HOME_NET any -> [94.156.65.180] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241618; rev:1;) alert tcp $HOME_NET any -> [195.201.121.240] 40819 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ads-quantum.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"ads-quantum.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"turkeyunlikelyofw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"resergvearyinitiani.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"associationokeo.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; 
content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aitcaid.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeatgoodx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"81.94.150.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.css"; depth:7; nocase; http.host; content:"www.nbcnews.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nbcnews.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241600; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241599; rev:1;) alert tcp $HOME_NET any -> [46.246.14.2] 1998 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241596; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241593/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241593; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 13326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241594/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241594; rev:1;) alert tcp $HOME_NET any -> [152.89.198.197] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241592; rev:1;) alert tcp $HOME_NET any -> [172.160.250.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241591; rev:1;) alert tcp $HOME_NET any -> [178.73.210.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241590; rev:1;) alert tcp $HOME_NET any -> [104.238.214.185] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241589; rev:1;) alert tcp $HOME_NET any -> [34.170.222.164] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241588; rev:1;) alert tcp $HOME_NET any -> [20.75.254.123] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241587; rev:1;) alert tcp $HOME_NET any -> [3.84.189.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241586; rev:1;) alert tcp $HOME_NET any -> [18.218.56.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241585; rev:1;) alert tcp $HOME_NET any -> [51.210.242.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241584; rev:1;) alert tcp $HOME_NET any -> [43.139.47.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241583; rev:1;) alert tcp $HOME_NET any -> [103.140.187.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241582; rev:1;) alert tcp $HOME_NET any -> [106.54.200.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241581; rev:1;) alert tcp $HOME_NET any -> [106.54.200.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-20-229-84.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241579; rev:1;) alert tcp $HOME_NET any -> [52.23.117.205] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.huboftest.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"109.107.181.83.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241576; rev:1;) alert tcp $HOME_NET any -> [45.138.16.132] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241575/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241575; rev:1;) alert tcp $HOME_NET any -> [203.161.60.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241573; rev:1;) alert tcp $HOME_NET any -> [203.161.60.175] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241574; rev:1;) alert tcp $HOME_NET any -> [89.163.145.141] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241572; rev:1;) alert tcp $HOME_NET any -> [38.242.144.29] 7049 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241571/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241571; rev:1;) alert tcp $HOME_NET any -> [35.177.215.200] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.maribelgould.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241569; rev:1;)
alert tcp $HOME_NET any -> [3.84.126.255] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241567; rev:1;)
# NOTE(review): the dns_query rules are exact-name matches: depth:N pins the content at offset 0 of the query name and
# isdataat:!1,relative rejects any trailing bytes. "www.kendraesparza.autos" therefore does not fire on the bare apex,
# and "irenecameron.autos" does not fire on www.irenecameron.autos. For subdomain coverage add a suffix variant
# (e.g. content:".irenecameron.autos" with no depth, keeping isdataat:!1,relative) alongside the exact rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kendraesparza.autos"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irenecameron.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241566; rev:1;)
alert tcp $HOME_NET any -> [49.13.129.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241565; rev:1;)
alert tcp $HOME_NET any -> [167.172.87.109] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241563/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_21; classtype:trojan-activity; sid:91241563; rev:1;) alert tcp $HOME_NET any -> [185.196.8.93] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241564; rev:1;) alert tcp $HOME_NET any -> [177.103.63.67] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241562; rev:1;) alert tcp $HOME_NET any -> [20.42.80.234] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241561; rev:1;) alert tcp $HOME_NET any -> [181.161.23.232] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241560; rev:1;) alert tcp $HOME_NET any -> [91.92.242.86] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241558; rev:1;) alert tcp $HOME_NET any -> [193.233.132.234] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hg88654.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.system111.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bistoxcrypto.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241556; rev:1;)
# NOTE(review): the name below has the shape of a Google Cloud reverse-DNS name for the external address 34.125.32.157
# (octets reversed; confirm). Such addresses are reassigned between tenants, so expire this indicator early. No ip:port
# rule for 34.125.32.157 exists in this section, so the DNS lookup is the only coverage for that host here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"157.32.125.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241554; rev:1;)
alert tcp $HOME_NET any -> [64.23.186.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241553/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_21; classtype:trojan-activity; sid:91241553; rev:1;) alert tcp $HOME_NET any -> [139.162.249.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241552; rev:1;) alert tcp $HOME_NET any -> [109.199.104.52] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241551; rev:1;) alert tcp $HOME_NET any -> [45.138.16.248] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241550; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241548; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241549; rev:1;) alert tcp $HOME_NET any -> [172.111.148.20] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241547; rev:1;) alert tcp $HOME_NET any -> [104.210.36.227] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241546; rev:1;) alert tcp $HOME_NET any -> [194.67.204.7] 88 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241545; rev:1;) alert tcp $HOME_NET any -> [147.189.172.103] 6969 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241544; rev:1;) alert tcp $HOME_NET any -> [106.54.207.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241543; rev:1;) alert tcp $HOME_NET any -> [15.206.179.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241542; rev:1;) alert tcp $HOME_NET any -> 
[167.71.51.239] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241541/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241541; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241540; rev:1;) alert tcp $HOME_NET any -> [206.188.196.107] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241538; rev:1;) alert tcp $HOME_NET any -> [187.135.122.195] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241539; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241537; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241535/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241535; rev:1;) alert tcp $HOME_NET any -> [101.42.47.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241536; rev:1;) alert tcp $HOME_NET any -> [47.120.50.234] 57777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241534; rev:1;) alert tcp $HOME_NET any -> [139.162.155.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241533; rev:1;) alert tcp $HOME_NET any -> [139.9.52.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241531; rev:1;) alert tcp $HOME_NET any -> [120.55.183.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241532; rev:1;) alert tcp $HOME_NET any -> [146.70.44.156] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241530; rev:1;) alert tcp $HOME_NET any -> [38.55.197.151] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241529; rev:1;) alert tcp $HOME_NET any -> [82.157.164.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241528; rev:1;) alert tcp $HOME_NET any -> [123.57.181.89] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241526; rev:1;) alert tcp $HOME_NET any -> [1.14.255.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241527; rev:1;) alert tcp $HOME_NET any -> [124.71.108.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241524; rev:1;)
alert tcp $HOME_NET any -> [121.43.58.124] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241525; rev:1;)
alert tcp $HOME_NET any -> [103.108.107.231] 1024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241523; rev:1;)
alert tcp $HOME_NET any -> [45.152.66.209] 7121 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241522; rev:1;)
# NOTE(review): the name below has the shape of an ISP-generated reverse name for the access address 93.33.203.219
# (confirm). Customer-access addresses are reassigned, so the name will eventually point at an unrelated subscriber;
# expire this indicator early. No ip:port rule for 93.33.203.219 is present in this section.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"93-33-203-219.ip46.fastwebnet.it"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241520; rev:1;)
alert tcp $HOME_NET any -> [95.215.108.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241521; rev:1;)
alert tcp $HOME_NET any -> [43.136.40.231] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241519; rev:1;) alert tcp $HOME_NET any -> [149.88.78.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241517; rev:1;) alert tcp $HOME_NET any -> [116.204.37.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241518; rev:1;) alert tcp $HOME_NET any -> [185.222.58.252] 1992 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241516; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241515; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241514; rev:1;) 
# NOTE(review): the NjRAT listeners on port 19599 here (18.158.249.75, 3.125.102.39, 18.192.31.165) and the two on the
# previous line (3.125.223.134, 3.125.209.94) share one port and sit in what look like cloud-provider ranges (not
# verified here). Cloud-hosted RAT listeners churn quickly, so expire these promptly; the shared port is a useful
# hunting pivot even after the addresses change.
alert tcp $HOME_NET any -> [18.158.249.75] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241513; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241512; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241511; rev:1;)
# NOTE(review): confidence 75 - the lowest in this section. The URL rules require an established client-to-server
# HTTP request with an exact Host match, so a hit is meaningful, but verify before blocking the domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241510; rev:1;)
alert tcp $HOME_NET any -> [18.158.58.205] 13326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/_/static/plugins/jquery/jquery.cookie.js"; depth:41; nocase; http.host; content:"47.122.24.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241498; rev:1;)
# NOTE(review): a plain tcp rule to port 443 with no content match - it fires on the TCP connection itself, so TLS does
# not hide it and no decryption is needed.
alert tcp $HOME_NET any -> [83.69.236.143] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241499; rev:1;)
alert tcp $HOME_NET any -> [34.168.39.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241508; rev:1;)
# NOTE(review): the URI below is paired with the Cobalt Strike ip:port rule for the same host (sid 91241508) and recurs
# verbatim against 104.21.80.122, www.nkbiky.cn and www.ynpuning.cn later in this section, which is consistent with one
# shared malleable C2 profile. The URI itself is therefore a host-independent hunting pattern worth keeping after these
# hosts rotate. 116.62.130.96 (next rule) also appears with "/pixel.gif" on a later line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"34.168.39.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"116.62.130.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241506; rev:1;)
# NOTE(review): in these URL rules the http.uri content carries depth:N but no isdataat:!1,relative, so the URI test is
# a prefix match ("/pixel" with depth:6 also accepts "/pixel.gif" or "/pixel?x=1"). Only the http.host match is exact
# (depth plus isdataat). The host is what keeps these rules specific; do not lift the short URIs into host-independent
# signatures without adding an end anchor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"1.117.60.33"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241505; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241504; rev:1;)
# NOTE(review): 94.156.69.227 is three addresses from the Cobalt Strike listener 94.156.69.224 above (same /29), which
# suggests the same hosting tenant; consider watching the surrounding block, not just the two listed hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"94.156.69.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; 
content:"124.70.180.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.130.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241500; rev:1;) alert tcp $HOME_NET any -> [170.75.170.7] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"event.coachgreb.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241484; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241494; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241495/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241495; rev:1;) alert tcp $HOME_NET any -> [93.123.39.166] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"91.92.246.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241497; rev:1;) alert tcp $HOME_NET any -> [193.92.234.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hathat.azureedge.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"hathat.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241491; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.76] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241490; rev:1;)
# NOTE(review): 104.21.80.122 appears to be in a large CDN/anycast range shared by many unrelated sites (confirm before
# blocking the address). The rule stays specific because it requires the literal IP in the Host header, which a browser
# reaching a CDN-fronted site by name never sends. The same URI is paired with a Cobalt Strike ip:port rule for
# 34.168.39.155 earlier in this section and with www.nkbiky.cn / www.ynpuning.cn below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"104.21.80.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nkbiky.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.nkbiky.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
# --- Reviewer notes for this segment of the ThreatFox Suricata export ---
# Line breaks have been restored so that every rule sits on its own line (Suricata reads one
# rule per line). The first line below is the tail of a rule whose head precedes this segment,
# and the last line is the head of a rule that continues after it; both are left as found.
# Rule shapes present in this segment:
#   * "ip:port" rules (alert tcp $HOME_NET any -> [IP] PORT) carry no content match, so any TCP
#     packet from $HOME_NET to that IP:port fires; "threshold: type limit, track by_src,
#     seconds 60, count 1" caps this at one alert per source IP per minute.
#   * "url" rules require a GET whose http.uri starts with the listed path (depth = path length,
#     nocase) and whose http.host equals the listed host (depth + isdataat:!1,relative rejects a
#     longer host). Where the path is "/" with depth:1 the rule effectively fires on any GET to
#     that host.
#   * "domain" rules match a dns_query equal to the listed name (depth + isdataat:!1,relative,
#     nocase).
#   * target:src_ip marks the $HOME_NET side as the affected host; sid is the ThreatFox IOC id
#     with a leading 9, and reference:url points at that IOC's page.
# metadata confidence_level runs from 50 to 100 here. The 50 and 75 entries (for example the
# QakBot and Pikabot ip:port rules) are candidates for deprioritising, and any ip:port rule is
# worth re-checking against its reference URL before it drives a blocking action, since
# address-based indicators tend to age out as hosts are reassigned.
100%)"; dns_query; content:"www.ynpuning.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.ynpuning.cn"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241485; rev:1;)
# Mirai ip:port indicators (no payload match; see header note on ip:port rules)
alert tcp $HOME_NET any -> [93.123.85.113] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241470; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.127] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241471; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.109] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241472; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.136] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241473; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.208] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241474; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.104] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241475; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.89] 7788 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241476; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.38] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241477; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.49] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"germanclics.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241467; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.244] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241468; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.31] 38245 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241478; rev:1;)
alert tcp $HOME_NET any -> [85.239.34.84] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241479; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.80] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealit.onrender.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241481; rev:1;)
alert tcp $HOME_NET any -> [20.127.165.86] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8a8b9ed.php"; depth:13; nocase; http.host; content:"f0914549.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241465; rev:1;)
# confidence_level 75 entries start here (same host, two ports)
alert tcp $HOME_NET any -> [157.230.180.251] 43624 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241462; rev:1;)
alert tcp $HOME_NET any -> [157.230.180.251] 49838 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0918974.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241464; rev:1;)
alert tcp $HOME_NET any -> [91.223.3.151] 4508 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ronreznick.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalservertrackwordpresspublicprivate.php"; depth:46; nocase; http.host; content:"969727cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241458; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.3] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"db2017417b23.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241406; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.233] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmoha66808.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241457; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.51] 5211 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241456; rev:1;)
alert tcp $HOME_NET any -> [45.67.34.69] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rourtmanjsdadhfakja.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241454; rev:1;)
alert tcp $HOME_NET any -> [178.33.57.148] 7634 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241453; rev:1;)
# confidence_level 50 entries: lowest-confidence indicators in this segment
alert tcp $HOME_NET any -> [185.16.38.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241452; rev:1;)
alert tcp $HOME_NET any -> [154.7.14.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241451; rev:1;)
alert tcp $HOME_NET any -> [5.163.163.158] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get_file"; depth:9; nocase; http.host; content:"posiit.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanocore73.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shared-services/j.js"; depth:21; nocase; http.host; content:"peeriosity.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cookies"; depth:8; nocase; http.host; content:"posiit.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic"; depth:8; nocase; http.host; content:"soundsend.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/intl/en/chrome/next-steps.html"; depth:31; nocase; http.host; content:"chrome.freegeneratorai.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241422; rev:1;)
alert tcp $HOME_NET any -> [41.96.168.36] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241449; rev:1;)
alert tcp $HOME_NET any -> [77.72.85.124] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241402/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi4mgfhzji2mmm5/"; depth:18; nocase; http.host; content:"83.97.73.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241408; rev:1;)
alert tcp $HOME_NET any -> [88.165.236.23] 64278 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241409; rev:1;)
alert tcp $HOME_NET any -> [3.134.39.220] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241421; rev:1;)
alert tcp $HOME_NET any -> [88.165.236.23] 54985 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241423; rev:1;)
alert tcp $HOME_NET any -> [95.20.241.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_file_drop"; depth:18; nocase; http.host; content:"phpsearch.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/set_v_2_new_uuid"; depth:21; nocase; http.host; content:"student-voice.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241425; rev:1;)
# The next three url rules use http.uri "/" with depth:1, so they fire on any GET to the named host
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soundsend.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mozila.freegeneratorai.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"opera.freegeneratorai.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01u1w1.php"; depth:11; nocase; http.host; content:"nrf2station.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w8rcye.php"; depth:11; nocase; http.host; content:"fumicenter.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241432; rev:1;)
alert tcp $HOME_NET any -> [189.253.236.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui610y.php"; depth:11; nocase; http.host; content:"terravilla.fr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jz0tno.php"; depth:11; nocase; http.host; content:"u3faktory.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o2pmcb.php"; depth:11; nocase; http.host; content:"traidinnovation.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sk5w8b.php"; depth:11; nocase; http.host; content:"401cssabatino.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wdswbw.php"; depth:11; nocase; http.host; content:"ourzanzibar-portal.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1btpl.php"; depth:11; nocase; http.host; content:"www.alroaaacademy.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241438; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.4] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241440; rev:1;)
alert tcp $HOME_NET any -> [95.20.240.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241446; rev:1;)
alert tcp $HOME_NET any -> [91.35.211.80] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241445; rev:1;)
alert tcp $HOME_NET any -> [20.218.68.91] 13817 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elianisgalidon3020.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241399; rev:1;)
alert tcp $HOME_NET any -> [5.181.202.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241400/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241400; rev:1;)
alert tcp $HOME_NET any -> [213.139.205.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241401/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241401; rev:1;)
alert tcp $HOME_NET any -> [193.168.141.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241403/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241403; rev:1;)
alert tcp $HOME_NET any -> [5.255.117.32] 4971 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241444; rev:1;)
alert tcp $HOME_NET any -> [158.160.97.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241443; rev:1;)
alert tcp $HOME_NET any -> [193.149.180.213] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241442; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.40] 1978 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241439; rev:1;)
alert tcp $HOME_NET any -> [167.235.36.34] 8056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241430; rev:1;)
# Amadey: the ip:port rule and the url rule below describe the same host (147.45.47.35)
alert tcp $HOME_NET any -> [147.45.47.35] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdjkb2xsd/index.php"; depth:20; nocase; http.host; content:"147.45.47.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241416; rev:1;)
# Nanocore RAT ip:port indicators sharing port 18237
alert tcp $HOME_NET any -> [3.14.182.203] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241415; rev:1;)
alert tcp $HOME_NET any -> [3.13.191.225] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241414; rev:1;)
alert tcp $HOME_NET any -> [3.17.7.232] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241413; rev:1;)
alert tcp $HOME_NET any -> [3.134.125.175] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241412; rev:1;)
alert tcp $HOME_NET any -> [3.22.30.40] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241411; rev:1;)
# first_seen changes to 2024_02_20 from here on
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"horseridinghotel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.51.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241404; rev:1;)
# The next four url rules use http.uri "/" with depth:1 (any GET to the host); the four ip:port
# rules that follow cover the same four Vidar hosts
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.252.118.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.182.86.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.203.164.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241395; rev:1;)
alert tcp $HOME_NET any -> [116.203.3.120] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241391; rev:1;)
alert tcp $HOME_NET any -> [193.203.164.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241392; rev:1;)
alert tcp $HOME_NET any -> [5.252.118.12] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241393; rev:1;)
alert tcp $HOME_NET any -> [5.182.86.94] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241394; rev:1;)
alert tcp $HOME_NET any -> [5.75.210.22] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241389; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrome-online.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241388; rev:1;)
alert tcp $HOME_NET any -> [40.127.104.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sudarshanadisk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241386; rev:1;)
alert tcp $HOME_NET any -> [45.77.55.133] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241385; rev:1;)
alert tcp $HOME_NET any -> [45.32.204.175] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241384; rev:1;)
alert tcp $HOME_NET any -> [72.27.83.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241383; rev:1;)
# The rule below continues on the following line of the file (segment boundary)
alert tcp $HOME_NET any -> [41.250.184.191] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241382/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241382; rev:1;) alert tcp $HOME_NET any -> [39.40.162.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241381; rev:1;) alert tcp $HOME_NET any -> [41.227.100.131] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241380; rev:1;) alert tcp $HOME_NET any -> [2.6.198.137] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241379; rev:1;) alert tcp $HOME_NET any -> [103.92.113.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241378; rev:1;) alert tcp $HOME_NET any -> [104.248.1.234] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241377; rev:1;) alert tcp $HOME_NET any -> [159.223.178.234] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241376; rev:1;) alert tcp $HOME_NET any -> [159.100.6.118] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241375; rev:1;) alert tcp $HOME_NET any -> [147.182.158.99] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241374; rev:1;) alert tcp $HOME_NET any -> [38.132.122.178] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241373; rev:1;) alert tcp $HOME_NET any -> [89.248.225.196] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241371/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_20; classtype:trojan-activity; sid:91241371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5dce321003e6a6b5.php"; depth:21; nocase; http.host; content:"94.156.8.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241370; rev:1;) alert tcp $HOME_NET any -> [193.233.132.81] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241369; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241368; rev:1;) alert tcp $HOME_NET any -> [51.159.183.32] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241367; rev:1;) alert tcp $HOME_NET any -> [34.122.164.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241366; rev:1;) alert tcp $HOME_NET any -> [212.81.188.105] 
3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241365; rev:1;) alert tcp $HOME_NET any -> [34.163.246.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241364; rev:1;) alert tcp $HOME_NET any -> [185.119.57.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241363; rev:1;) alert tcp $HOME_NET any -> [116.202.176.116] 1403 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241362; rev:1;) alert tcp $HOME_NET any -> [54.173.139.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241361; rev:1;) alert tcp $HOME_NET any -> [139.59.80.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241360/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241360; rev:1;) alert tcp $HOME_NET any -> [107.151.244.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241359; rev:1;) alert tcp $HOME_NET any -> [165.154.55.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241357; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webpanel.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241356; rev:1;) alert tcp $HOME_NET any -> [38.6.167.222] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241355; rev:1;) alert tcp $HOME_NET any -> [38.6.167.222] 80 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241354; rev:1;) alert tcp $HOME_NET any -> [49.13.170.9] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241352; rev:1;) alert tcp $HOME_NET any -> [77.105.132.58] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241351; rev:1;) alert tcp $HOME_NET any -> [77.105.132.58] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241350; rev:1;) alert tcp $HOME_NET any -> [164.90.183.39] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241349; rev:1;) alert tcp $HOME_NET any -> [82.115.223.46] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241348/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_20; classtype:trojan-activity; sid:91241348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kendraesparza.autos"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241347; rev:1;) alert tcp $HOME_NET any -> [212.47.244.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241346; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 63696 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241345; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 9142 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241343; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 36945 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241344; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241342; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 465 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241340; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 631 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241341; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 57609 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241339; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 48087 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241338; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 17393 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; 
sid:91241336; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 27646 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241337; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241335; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 41489 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241333; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241334; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241332; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 51005 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241330; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2053 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241331; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2380 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241329; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 27049 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241328; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 9653 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241326; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 26238 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241327; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 
2455 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241324; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 56832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241325; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 53311 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241323; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241321; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 18084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241322; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 21 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241320/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241320; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 50995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241318; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241319; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 25516 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241317; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 13946 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241316; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4572 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241314; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 7077 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241315; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 36249 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241313; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8418 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241311; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 29975 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241312; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241310; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4433 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241308; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 5060 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241309; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1883 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241307; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241306; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40240 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241304; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 65245 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241305; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 26641 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241303; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 56597 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241301; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 18080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241302; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40961 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241300; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40022 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241298; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 39109 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241299; rev:1;) alert tcp 
$HOME_NET any -> [102.117.113.205] 4125 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241297; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 13999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241295; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 49502 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241296; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241294; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 636 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241292; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4721 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241293; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 47800 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241291; rev:1;) alert tcp $HOME_NET any -> [193.181.41.109] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241289; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1492 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.liceback.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241288; rev:1;) alert tcp $HOME_NET any -> [94.156.66.50] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241286; rev:1;) alert tcp $HOME_NET any -> [45.84.198.9] 30120 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241287; rev:1;) alert tcp $HOME_NET any -> [191.82.250.214] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241285; rev:1;) alert tcp $HOME_NET any -> [45.94.31.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.system-samsung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241283; rev:1;) alert tcp $HOME_NET any -> [92.63.98.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin1.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1241281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241281; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241279; rev:1;) alert tcp $HOME_NET any -> [85.239.237.148] 2006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241280; rev:1;) alert tcp $HOME_NET any -> [45.88.186.65] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241278; rev:1;) alert tcp $HOME_NET any -> [85.215.197.98] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241277; rev:1;) alert tcp $HOME_NET any -> [91.92.243.63] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241276; rev:1;) alert tcp $HOME_NET any -> [103.146.179.82] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241275; rev:1;) alert tcp $HOME_NET any -> [69.172.74.108] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241274/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_20; classtype:trojan-activity; sid:91241274; rev:1;) alert tcp $HOME_NET any -> [31.156.119.149] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241273; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241272; rev:1;) alert tcp $HOME_NET any -> [123.57.235.196] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241271; rev:1;) alert tcp $HOME_NET any -> [112.74.72.133] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241270/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_20; classtype:trojan-activity; sid:91241270; rev:1;) alert tcp $HOME_NET any -> [154.9.255.31] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241269; rev:1;) alert tcp $HOME_NET any -> [40.113.7.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241268; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241267; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241265; rev:1;) alert tcp $HOME_NET any -> [101.201.100.74] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241266; rev:1;) alert tcp $HOME_NET any -> [8.210.229.211] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241264; rev:1;) alert tcp $HOME_NET any -> [149.104.23.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241263; rev:1;) alert tcp $HOME_NET any -> [128.199.252.34] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241261; rev:1;) alert tcp $HOME_NET any -> [1.14.255.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241262; rev:1;) alert tcp $HOME_NET any -> [39.100.90.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241260; rev:1;) alert tcp $HOME_NET any -> [13.72.106.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241259; rev:1;) 
alert tcp $HOME_NET any -> [154.92.18.140] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241258; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241257; rev:1;) alert tcp $HOME_NET any -> [154.3.8.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241255; rev:1;) alert tcp $HOME_NET any -> [42.192.37.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241256; rev:1;) alert tcp $HOME_NET any -> [114.132.41.186] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241254; rev:1;) alert tcp $HOME_NET any -> [217.23.9.168] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241250; rev:1;) alert tcp $HOME_NET any -> [91.211.247.248] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241251; rev:1;) alert tcp $HOME_NET any -> [152.89.198.214] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241252; rev:1;) alert tcp $HOME_NET any -> [81.31.197.38] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241253; rev:1;) alert tcp $HOME_NET any -> [77.83.242.244] 1664 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241249; rev:1;) alert tcp $HOME_NET any -> [193.233.132.81] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; 
http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241241; rev:1;) alert tcp $HOME_NET any -> [80.66.89.64] 32557 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241240; rev:1;) alert tcp $HOME_NET any -> [46.246.12.11] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"mangaforme.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5441a82c9941418d.php"; depth:21; nocase; http.host; content:"91.108.240.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/user"; depth:9; nocase; http.host; content:"service-qzxfb4ay-1318428097.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qzxfb4ay-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"42.193.178.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241234/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_20; classtype:trojan-activity; sid:91241234; rev:1;) alert tcp $HOME_NET any -> [109.248.151.96] 52048 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241233/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"106.54.202.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; 
http.host; content:"service-mlanbdgq-1301500665.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mlanbdgq-1301500665.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cs52010.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241223; rev:1;) alert tcp $HOME_NET any -> [83.137.157.54] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241222; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3rca94g4-1319979259.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241218; rev:1;) alert tcp $HOME_NET any -> [45.152.66.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-3rca94g4-1319979259.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241217; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241214; rev:1;) alert tcp $HOME_NET any -> [91.92.242.176] 51480 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241213; rev:1;) alert tcp $HOME_NET any -> [103.186.117.77] 1761 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241211; rev:1;) alert tcp $HOME_NET any -> [103.186.117.238] 1941 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241208; rev:1;) alert tcp $HOME_NET any -> [65.109.242.97] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241206; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.36.6"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241205; rev:1;) alert tcp $HOME_NET any -> [194.169.175.233] 3609 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241204; rev:1;) alert tcp $HOME_NET any -> [43.229.115.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241203; rev:1;) alert tcp $HOME_NET any -> [43.229.115.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241202; rev:1;) alert tcp $HOME_NET any -> [43.229.115.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241201; rev:1;) alert tcp $HOME_NET any -> [95.20.241.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241200; rev:1;) alert tcp $HOME_NET any -> [216.137.233.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241199/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241199; rev:1;) alert tcp $HOME_NET any -> [201.137.233.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241198; rev:1;) alert tcp $HOME_NET any -> [175.10.223.19] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241197; rev:1;) alert tcp $HOME_NET any -> [89.137.186.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241196; rev:1;) alert tcp $HOME_NET any -> [2.50.137.96] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241195; rev:1;) alert tcp $HOME_NET any -> [45.150.67.45] 8081 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241194; rev:1;) alert tcp $HOME_NET any -> [23.88.118.173] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241193; rev:1;) alert tcp $HOME_NET any -> [94.130.169.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241192; rev:1;) alert tcp $HOME_NET any -> [88.214.25.240] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241191; rev:1;) alert tcp $HOME_NET any -> [52.162.200.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241190; rev:1;) alert tcp $HOME_NET any -> [146.71.78.14] 151 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241189/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_20; classtype:trojan-activity; sid:91241189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bonet.networkbn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241188; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 2807 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241187; rev:1;) alert tcp $HOME_NET any -> [41.216.183.27] 5034 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywiymjlizgqwy2fk/"; depth:18; nocase; http.host; content:"176.113.115.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241165; rev:1;) alert tcp $HOME_NET any -> [156.96.155.234] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241158; rev:1;) alert tcp $HOME_NET any -> [93.123.85.174] 
43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241159; rev:1;) alert tcp $HOME_NET any -> [141.98.168.167] 9222 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241185; rev:1;) alert tcp $HOME_NET any -> [171.233.98.70] 18274 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241184; rev:1;) alert tcp $HOME_NET any -> [159.89.209.22] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241183; rev:1;) alert tcp $HOME_NET any -> [123.57.193.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241182; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241181/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241181; rev:1;) alert tcp $HOME_NET any -> [47.99.93.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241180; rev:1;) alert tcp $HOME_NET any -> [3.136.160.122] 20755 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241179; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241178/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241178; rev:1;) alert tcp $HOME_NET any -> [185.196.8.37] 10003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241177/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241177; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 1895 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241176; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241175/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241175; rev:1;) alert tcp $HOME_NET any -> [74.248.32.95] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241174/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241174; rev:1;) alert tcp $HOME_NET any -> [193.233.132.216] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241173/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241173; rev:1;) alert tcp $HOME_NET any -> [37.27.36.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241172/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241172; rev:1;) alert tcp $HOME_NET any -> [37.27.36.6] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241171/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241171; rev:1;) alert tcp $HOME_NET any -> [185.147.34.93] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241170; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdn-analytic.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdjkb2xsd/index.php"; depth:20; nocase; http.host; content:"cdn-analytic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"94.156.65.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"miwekahb.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241166; rev:1;) alert tcp $HOME_NET any -> [172.86.69.21] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241164/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241164; rev:1;) alert tcp $HOME_NET any -> [103.77.243.159] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"91.238.181.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241161; rev:1;) alert tcp $HOME_NET any -> [158.101.28.51] 8778 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"followcache.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241156/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241156; rev:1;) alert tcp $HOME_NET any -> [43.229.115.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241155; rev:1;) alert tcp $HOME_NET any -> [94.49.14.17] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241154/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241154; rev:1;) alert tcp $HOME_NET any -> [154.246.249.128] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241153; rev:1;) alert tcp $HOME_NET any -> [78.101.24.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241152; rev:1;) alert tcp $HOME_NET any -> [24.88.87.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241151; rev:1;) alert tcp $HOME_NET any -> [5.226.137.157] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241150; rev:1;) alert tcp $HOME_NET any -> [46.246.80.3] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"02maill.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syn.02maill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241148; rev:1;) alert tcp $HOME_NET any -> [198.98.56.144] 6001 (msg:"ThreatFox MrBlack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syn.xsvi.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91241145; rev:1;) alert tcp $HOME_NET any -> [205.234.200.26] 44188 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241144; rev:1;) alert tcp $HOME_NET any -> [3.142.167.54] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241141/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241141; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241142; rev:1;) alert tcp $HOME_NET any -> [3.19.130.43] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241143/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241143; rev:1;) alert tcp $HOME_NET any -> [57.128.165.176] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241132; rev:1;) alert tcp $HOME_NET any -> [141.95.106.106] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241133; rev:1;) alert tcp $HOME_NET any -> [154.12.248.41] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241134; rev:1;) alert tcp $HOME_NET any -> [145.239.135.24] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241135; rev:1;) alert tcp $HOME_NET any -> [89.117.23.186] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241136; rev:1;) alert tcp $HOME_NET any -> [148.113.141.220] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241137; rev:1;) alert tcp $HOME_NET any -> [154.38.175.241] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241138; rev:1;) alert tcp $HOME_NET any -> [109.199.99.131] 13721 (msg:"ThreatFox Pikabot botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241139; rev:1;) alert tcp $HOME_NET any -> [154.12.233.66] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241140; rev:1;) alert tcp $HOME_NET any -> [89.117.23.34] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241130; rev:1;) alert tcp $HOME_NET any -> [89.117.23.185] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241131; rev:1;) alert tcp $HOME_NET any -> [78.168.81.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241129; rev:1;) alert tcp $HOME_NET any -> [210.16.120.210] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91241128; rev:1;) alert tcp $HOME_NET any -> [185.161.248.231] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241127; rev:1;) alert tcp $HOME_NET any -> [3.120.71.192] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241126; rev:1;) alert tcp $HOME_NET any -> [54.83.238.42] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241125; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4024 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241124; rev:1;) alert tcp $HOME_NET any -> [1.12.64.19] 53333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241123; rev:1;) alert tcp $HOME_NET any -> [24.212.223.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241122; rev:1;) alert tcp $HOME_NET any -> [139.59.57.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241121; rev:1;) alert tcp $HOME_NET any -> [176.98.250.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241119; rev:1;) alert tcp $HOME_NET any -> [35.157.195.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241120; rev:1;) alert tcp $HOME_NET any -> [52.18.172.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241118; rev:1;) alert tcp $HOME_NET any -> [52.29.64.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241117; rev:1;) alert tcp 
$HOME_NET any -> [52.29.64.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241116; rev:1;) alert tcp $HOME_NET any -> [172.174.252.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241115; rev:1;) alert tcp $HOME_NET any -> [43.139.192.157] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241113; rev:1;) alert tcp $HOME_NET any -> [3.110.143.241] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241114; rev:1;) alert tcp $HOME_NET any -> [51.81.237.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241112; rev:1;) alert tcp $HOME_NET any -> [172.234.228.130] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241111; rev:1;) alert tcp $HOME_NET any -> [34.247.215.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241110; rev:1;) alert tcp $HOME_NET any -> [167.99.92.251] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241109; rev:1;) alert tcp $HOME_NET any -> [35.91.153.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241108; rev:1;) alert tcp $HOME_NET any -> [172.166.231.240] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241107; rev:1;) alert tcp $HOME_NET any -> [193.106.196.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241106; rev:1;) alert tcp $HOME_NET any -> [212.44.236.195] 
443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241105; rev:1;) alert tcp $HOME_NET any -> [44.217.121.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241104; rev:1;) alert tcp $HOME_NET any -> [143.110.153.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241103; rev:1;) alert tcp $HOME_NET any -> [115.159.198.207] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241102; rev:1;) alert tcp $HOME_NET any -> [13.245.182.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241101; rev:1;) alert tcp $HOME_NET any -> [34.206.107.177] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241100/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241100; rev:1;) alert tcp $HOME_NET any -> [18.208.197.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241099; rev:1;) alert tcp $HOME_NET any -> [101.52.133.2] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241098; rev:1;) alert tcp $HOME_NET any -> [137.184.239.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241097; rev:1;) alert tcp $HOME_NET any -> [82.67.20.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241096; rev:1;) alert tcp $HOME_NET any -> [20.47.112.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241094; rev:1;) alert tcp $HOME_NET any -> [139.199.168.248] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analytics.deenpel.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-fonts.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-223-204-229.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charming-wright.142-11-199-59.plesk.page"; depth:40; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241090; rev:1;) alert tcp $HOME_NET any -> [39.106.145.100] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241088; rev:1;) alert tcp $HOME_NET any -> [43.136.242.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241087; rev:1;) alert tcp $HOME_NET any -> [172.245.131.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241086; rev:1;) alert tcp $HOME_NET any -> [106.14.24.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241084; rev:1;) alert tcp $HOME_NET any -> [154.92.18.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91241085; rev:1;) alert tcp $HOME_NET any -> [180.113.169.93] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241083; rev:1;) alert tcp $HOME_NET any -> [58.59.222.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241081; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241082; rev:1;) alert tcp $HOME_NET any -> [91.92.241.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241079; rev:1;) alert tcp $HOME_NET any -> [91.92.241.253] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241080; rev:1;) alert tcp $HOME_NET any -> [92.246.137.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241078; rev:1;) alert tcp $HOME_NET any -> [94.156.8.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sanctamsolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241075; rev:1;) alert tcp $HOME_NET any -> [94.156.8.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241076; rev:1;) alert tcp $HOME_NET any -> [93.0.93.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241074; rev:1;) alert tcp $HOME_NET any -> [103.180.149.224] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241073; rev:1;) alert 
tcp $HOME_NET any -> [51.250.71.111] 443 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241072; rev:1;) alert tcp $HOME_NET any -> [39.134.69.79] 17080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241071; rev:1;) alert tcp $HOME_NET any -> [54.234.189.192] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-206-73-190.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"147.45.42.25.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241068; rev:1;) alert tcp $HOME_NET any -> [109.107.161.51] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241067; rev:1;) alert tcp $HOME_NET any -> [34.118.125.155] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241066; rev:1;) alert tcp $HOME_NET any -> [45.136.6.149] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241065; rev:1;) alert tcp $HOME_NET any -> [34.16.134.132] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241063; rev:1;) alert tcp $HOME_NET any -> [77.105.132.32] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241064; rev:1;) alert tcp $HOME_NET any -> [197.82.164.175] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-43-204-230-44.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241061; rev:1;) alert tcp $HOME_NET any -> [45.148.4.18] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241060; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241059; rev:1;) alert tcp $HOME_NET any -> [192.71.172.113] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241058; rev:1;) alert tcp $HOME_NET any -> [178.168.70.101] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linki.one"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1241055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.reneesellers.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtracking.suparamining.swp23.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24-199-107-91.ipv4.staticdns3.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"109.179.76.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maribelgould.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241052/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap859144-11.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reneesellers.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241050; rev:1;) alert tcp $HOME_NET any -> [185.236.234.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241047; rev:1;) alert tcp $HOME_NET any -> [139.84.137.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1030125-1.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciscointernship.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-233-144-170.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241045; rev:1;) alert tcp $HOME_NET any -> [45.63.120.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241043; rev:1;) alert tcp $HOME_NET any -> [146.70.79.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.laboratoriodiagnosticoescobar.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241041; rev:1;) alert tcp $HOME_NET any -> [141.94.221.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241040; rev:1;) alert tcp $HOME_NET any -> [213.176.29.29] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241039; rev:1;) alert tcp $HOME_NET any -> [146.190.103.72] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1502970.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1528797.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241037; rev:1;) alert tcp $HOME_NET any -> [94.156.69.145] 7000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91241034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-99-102-8.ca-central-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241035; rev:1;) alert tcp $HOME_NET any -> [50.34.48.26] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241033; rev:1;) alert tcp $HOME_NET any -> [51.103.213.60] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241032; rev:1;) alert tcp $HOME_NET any -> [192.121.102.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241031; rev:1;) alert tcp $HOME_NET any -> [190.9.208.167] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241030; rev:1;) alert tcp $HOME_NET any -> [193.233.132.190] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241029; rev:1;) alert tcp $HOME_NET any -> [193.233.132.223] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv567.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241027; rev:1;) alert tcp $HOME_NET any -> [94.156.67.40] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin3.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kozak.timur.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241024/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_19; classtype:trojan-activity; sid:91241024; rev:1;) alert tcp $HOME_NET any -> [46.149.77.191] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241022; rev:1;) alert tcp $HOME_NET any -> [37.46.132.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241021; rev:1;) alert tcp $HOME_NET any -> [91.92.240.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241020; rev:1;) alert tcp $HOME_NET any -> [178.62.237.92] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trainlog.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241018; rev:1;) alert tcp $HOME_NET any -> [38.60.216.65] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitrknis.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241016; rev:1;) alert tcp $HOME_NET any -> [38.60.249.75] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241015; rev:1;) alert tcp $HOME_NET any -> [46.246.4.7] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241014; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241013; rev:1;) alert tcp $HOME_NET any -> [91.92.242.57] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241012; rev:1;) alert tcp 
$HOME_NET any -> [206.123.135.63] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241010; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241011; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241009; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241008; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241007; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241006/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241006; rev:1;) alert tcp $HOME_NET any -> [207.231.111.88] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241004; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241005; rev:1;) alert tcp $HOME_NET any -> [207.231.111.88] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241003; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241002; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241001; rev:1;) alert tcp $HOME_NET any -> [186.170.98.239] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240999; rev:1;) alert tcp $HOME_NET any -> [186.170.98.239] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241000; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240998; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240996; rev:1;) alert tcp $HOME_NET any -> [34.176.21.185] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240997; rev:1;) alert tcp $HOME_NET any -> [186.112.207.226] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91240995; rev:1;) alert tcp $HOME_NET any -> [186.112.207.226] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240994; rev:1;) alert tcp $HOME_NET any -> [207.32.217.170] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240993; rev:1;) alert tcp $HOME_NET any -> [172.94.111.213] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240992; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240990; rev:1;) alert tcp $HOME_NET any -> [88.214.59.174] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240991; rev:1;) alert tcp $HOME_NET any -> [204.12.229.169] 5600 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240989; rev:1;) alert tcp $HOME_NET any -> [123.249.35.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240988; rev:1;) alert tcp $HOME_NET any -> [43.229.115.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240987; rev:1;) alert tcp $HOME_NET any -> [50.78.185.152] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240986/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240986; rev:1;) alert tcp $HOME_NET any -> [143.198.214.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240985/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240985; rev:1;) alert tcp $HOME_NET any -> [34.162.114.31] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240984/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240984; rev:1;) alert tcp $HOME_NET any -> [20.115.68.15] 443 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240983/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240983; rev:1;) alert tcp $HOME_NET any -> [98.71.17.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240982/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240982; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240981; rev:1;) alert tcp $HOME_NET any -> [8.219.54.123] 5060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240980; rev:1;) alert tcp $HOME_NET any -> [8.219.54.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240979; rev:1;) alert tcp $HOME_NET any -> [47.101.181.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91240978; rev:1;) alert tcp $HOME_NET any -> [101.201.81.175] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240977; rev:1;) alert tcp $HOME_NET any -> [43.143.169.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240976; rev:1;) alert tcp $HOME_NET any -> [47.115.206.4] 53080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240975; rev:1;) alert tcp $HOME_NET any -> [150.107.201.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240974; rev:1;) alert tcp $HOME_NET any -> [150.107.201.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240973; rev:1;) alert tcp $HOME_NET any -> [152.136.55.237] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240972; rev:1;) alert tcp $HOME_NET any -> [154.12.29.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240971; rev:1;) alert tcp $HOME_NET any -> [206.237.7.51] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240970; rev:1;) alert tcp $HOME_NET any -> [47.108.145.250] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240969; rev:1;) alert tcp $HOME_NET any -> [47.92.80.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240968; rev:1;) alert tcp $HOME_NET any -> [34.168.39.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240967; rev:1;) alert tcp 
$HOME_NET any -> [45.95.174.47] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240966; rev:1;) alert tcp $HOME_NET any -> [123.60.60.29] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240965; rev:1;) alert tcp $HOME_NET any -> [42.193.16.213] 9981 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240964; rev:1;) alert tcp $HOME_NET any -> [5.78.103.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240963; rev:1;) alert tcp $HOME_NET any -> [103.146.179.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240962; rev:1;) alert tcp $HOME_NET any -> [93.177.75.125] 12121 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240960; rev:1;) alert tcp $HOME_NET any -> [8.130.130.59] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240961; rev:1;) alert tcp $HOME_NET any -> [124.221.133.199] 33891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240959; rev:1;) alert tcp $HOME_NET any -> [109.205.61.95] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240958; rev:1;) alert tcp $HOME_NET any -> [115.159.195.80] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240956; rev:1;) alert tcp $HOME_NET any -> [152.42.134.17] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240957; rev:1;) alert tcp $HOME_NET any -> [43.135.34.148] 17843 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blissful-jackson.216-238-76-219.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"155.39.168.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.86.70.78.5.clients.your-server.de"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-123-60-57-13.compute.hwclouds-dns.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ninhobaby.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240950; rev:1;) alert tcp $HOME_NET any -> [95.179.137.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.12"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199642171824"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91240946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hypergog"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240945; rev:1;) alert tcp $HOME_NET any -> [5.75.209.12] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240943; rev:1;) alert tcp $HOME_NET any -> [95.217.31.198] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240944; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jimissupercool.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240940; rev:1;) alert http $HOME_NET 
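any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"jimissupercool.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240941; rev:1;)
# Review notes for this section (rule text unchanged; reflowed to one rule per physical
# line, which is what the Suricata rule loader expects -- a rule split across lines does
# not load).
#
# Three rule shapes occur below:
#   alert dns  ... dns_query; content:"<fqdn>"; depth:N; isdataat:!1,relative;
#       -> exact match on the queried name (depth == name length, nothing may follow).
#   alert http ... http.uri; content:"<path>"; depth:N; ... http.host; content:"<host>"; depth:M; isdataat:!1,relative;
#       -> host must match exactly; the URI is only a prefix match (no isdataat after it),
#          so any GET whose path starts with <path> to that host fires the rule.
#   alert tcp  $HOME_NET any -> [<ip>] <port> ... threshold: type limit, track by_src, seconds 60, count 1;
#       -> address+port only, no payload condition, at most one alert per source per minute.
#
# Because the ip:port rules carry no payload condition, an address that is later reassigned
# keeps alerting after the infrastructure behind it is gone; treat confidence_level 50/75
# entries as leads to corroborate (each rule carries its ThreatFox reference URL) rather
# than block-on-sight indicators. The first_seen value in each rule is the date to age out from.
#
# sid:91240913 / sid:91240912 (GET / to 95.217.31.190) and sid:91240911 / sid:91240910
# (GET / to 65.109.241.164) are identical apart from sid and reference and will raise two
# alerts for one request; suppressing one of each pair is safe.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"myclubpicks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"vamknigi.mcdir.me"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240936; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240934; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240933; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240932; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.191] 1290 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkasjdfhsdag.servebeer.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.88.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240927; rev:1;)
alert tcp $HOME_NET any -> [106.54.202.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"106.54.202.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240925; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.40] 1990 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240924; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.73] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240922; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.141] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240923; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.16] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"cn.bing.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"abillioncoin.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240917; rev:1;)
alert tcp $HOME_NET any -> [159.223.196.192] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.layer4.bf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.237.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.117.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240908; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.190] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240905; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.190] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240906; rev:1;)
alert tcp $HOME_NET any -> [95.217.243.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240907; rev:1;)
alert tcp $HOME_NET any -> [23.88.117.132] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240901; rev:1;)
alert tcp $HOME_NET any -> [95.217.237.91] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240902; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.164] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240903; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.164] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240904; rev:1;)
alert tcp $HOME_NET any -> [109.107.181.83] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240900; rev:1;)
alert tcp $HOME_NET any -> [104.233.187.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240899; rev:1;)
alert tcp $HOME_NET any -> [104.233.187.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240898; rev:1;)
alert tcp $HOME_NET any -> [104.233.244.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240897; rev:1;)
alert tcp $HOME_NET any -> [20.26.126.28] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240896; rev:1;)
alert tcp $HOME_NET any -> [20.117.169.244] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240895; rev:1;)
alert tcp $HOME_NET any -> [167.56.71.240] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240894; rev:1;)
alert tcp $HOME_NET any -> [79.131.125.30] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240893; rev:1;)
alert tcp $HOME_NET any -> [189.177.0.136] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240892; rev:1;)
alert tcp $HOME_NET any -> [72.27.101.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elccorp-net.ntc-telecomcorporation.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240879; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.100] 24854 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarportt.workers.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarport-gov-pk.gwadarportt.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ecp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-gwadarport-gov-pk.ntc-telecomcorporation.workers.dev"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240882; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 13627 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240847; rev:1;)
alert tcp $HOME_NET any -> [207.246.120.23] 8140 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240861; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240868; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240869; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.33] 8970 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240848; rev:1;)
alert tcp $HOME_NET any -> [87.3.215.35] 65199 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihateciroparisi.serveminecraft.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foodmattkent.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"day.50adayplan.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"winvipbonus.life"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.ntc-telecomcorporation.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240883; rev:1;)
alert tcp $HOME_NET any -> [94.103.87.88] 3306 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240890; rev:1;)
alert tcp $HOME_NET any -> [94.103.87.88] 465 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240889; rev:1;)
alert tcp $HOME_NET any -> [43.198.89.50] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240888; rev:1;)
alert tcp $HOME_NET any -> [74.48.56.81] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240887; rev:1;)
alert tcp $HOME_NET any -> [13.113.86.16] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240886; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.132] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mc341/index.php"; depth:16; nocase; http.host; content:"mhlc.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240884; rev:1;)
alert tcp $HOME_NET any -> [172.94.111.9] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240876; rev:1;)
alert tcp $HOME_NET any -> [144.76.184.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240875; rev:1;)
alert tcp $HOME_NET any -> [144.76.184.11] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240874; rev:1;)
alert tcp $HOME_NET any -> [196.112.147.229] 5577 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240873; rev:1;)
alert tcp $HOME_NET any -> [196.112.147.229] 5588 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240872; rev:1;)
alert tcp $HOME_NET any -> [196.112.147.229] 5566 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916796.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240867; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240866; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9bc7b45d.php"; depth:13; nocase; http.host; content:"a0919334.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240864; rev:1;)
alert tcp $HOME_NET any -> [116.203.63.87] 9216 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240863; rev:1;)
alert tcp $HOME_NET any -> [46.183.220.203] 35966 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916462.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"110.41.134.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0913701.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240846; rev:1;)
alert tcp $HOME_NET any -> [65.21.212.74] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240843; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.16] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquabotnet.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bulldognet.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240841; rev:1;)
alert tcp $HOME_NET any -> [104.233.244.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240838; rev:1;)
alert tcp $HOME_NET any -> [102.113.143.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240837; rev:1;)
alert tcp $HOME_NET any -> [77.49.51.87] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240836; rev:1;)
alert tcp $HOME_NET any -> [142.247.95.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240835; rev:1;)
alert tcp $HOME_NET any -> [45.245.101.32] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240834; rev:1;)
alert tcp $HOME_NET any -> [66.187.7.174] 3074 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240833; rev:1;)
alert tcp $HOME_NET any -> [20.212.217.245] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; 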
classtype:trojan-activity; sid:91240832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discounts-ptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewards-ptclnetpk.viewdns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240829; rev:1;) alert tcp $HOME_NET any -> [51.159.167.215] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visualstudiomacupdate.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nanoudu30-31620.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240826; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 31620 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240825/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240825; rev:1;) alert tcp $HOME_NET any -> [129.159.55.240] 56636 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240816; rev:1;) alert tcp $HOME_NET any -> [149.50.209.216] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240818; rev:1;) alert tcp $HOME_NET any -> [185.196.9.72] 56537 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"plus-subcommittee.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240824; rev:1;) alert tcp $HOME_NET any -> [141.98.11.208] 16837 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240817; rev:1;) alert tcp $HOME_NET any -> [1.162.151.116] 39167 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240813; rev:1;) alert tcp $HOME_NET any -> [103.106.228.99] 11259 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240814; rev:1;) alert tcp $HOME_NET any -> [111.243.109.76] 41465 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weilaibot.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"zunbot.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirailovers.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nw.awuam.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwerty.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bots.awuam.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feckoffbr0.sbs"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1240807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddns.awuam.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.sdxpay.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ackcm.awuam.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awuam.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; 
classtype:trojan-activity; sid:91240803; rev:1;) alert tcp $HOME_NET any -> [185.196.9.72] 62452 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240820; rev:1;) alert tcp $HOME_NET any -> [199.195.249.78] 13145 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240821; rev:1;) alert tcp $HOME_NET any -> [46.3.113.170] 8778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240822; rev:1;) alert tcp $HOME_NET any -> [93.123.85.174] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"714745cm.nyashland.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"finance-govnp.servehalflife.com"; 
depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail-ntcgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail-scogovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mof-govnp.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240799; rev:1;) alert tcp $HOME_NET any -> [18.134.234.207] 3306 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240792/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.serveblog.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mostnet.servegame.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240789/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"213.109.202.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.155.127.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azure/api/v2/userinfo/get"; depth:26; nocase; http.host; content:"106.12.124.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.9.255.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240785; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 3912 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240784/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240784; rev:1;) alert tcp $HOME_NET any -> [91.92.240.138] 2023 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240779; rev:1;) alert tcp $HOME_NET any -> [154.82.81.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv"; depth:3; nocase; http.host; content:"154.82.81.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240782; rev:1;) alert tcp $HOME_NET any -> [5.78.70.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; 
content:"5.78.103.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240780; rev:1;) alert tcp $HOME_NET any -> [91.92.240.138] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.networkbotbet.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkbotbet.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"antyparkov.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; 
http.host; content:"saicetyapy.space"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saicetyapy.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antyparkov.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240773; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 35017 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"content-royal.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240731; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10540 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240732/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_02_18; classtype:trojan-activity; sid:91240732; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10540 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mary-cottage.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240747; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gemcreedarticulateod.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"secretionsuitcasenioise.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240753/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimconcessionrebe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilityarrangemenyit.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gemcreedarticulateod.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"claimconcessionrebe.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liabilityarrangemenyit.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240771; rev:1;) alert tcp $HOME_NET any -> [14.202.148.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240770; rev:1;) alert tcp $HOME_NET any -> [41.98.29.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240769; rev:1;) alert tcp $HOME_NET any -> [175.10.222.136] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240768; rev:1;) alert tcp $HOME_NET any -> [94.237.54.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; 
sid:91240767; rev:1;) alert tcp $HOME_NET any -> [24.199.107.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240766; rev:1;) alert tcp $HOME_NET any -> [191.96.53.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240765; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240764; rev:1;) alert tcp $HOME_NET any -> [37.120.239.146] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240763; rev:1;) alert tcp $HOME_NET any -> [43.198.108.245] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240762; rev:1;) alert tcp $HOME_NET any -> [2.34.147.152] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240761; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 29182 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240760; rev:1;) alert tcp $HOME_NET any -> [49.13.194.252] 10919 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240759; rev:1;) alert tcp $HOME_NET any -> [193.233.21.140] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requesthttpupdategamebigloadasyncuploads.php"; depth:45; nocase; http.host; content:"chromestartup.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"parals.ac.ug"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f95721327cee196f.php"; depth:21; nocase; http.host; content:"193.163.7.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240746; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 10652 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240745; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 17383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240744; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 17383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240743; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240742/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240742; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240741; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240740; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240739; rev:1;) alert tcp $HOME_NET any -> [113.141.94.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240738; rev:1;) alert tcp $HOME_NET any -> [79.130.49.211] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240737; rev:1;) alert tcp $HOME_NET any -> [51.210.244.254] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.252.165.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240735; rev:1;) alert tcp $HOME_NET any -> [193.178.172.180] 16346 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240734; rev:1;) alert tcp $HOME_NET any -> [147.45.40.62] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software.dth.wtf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240728; rev:1;) alert tcp $HOME_NET any -> [82.117.230.122] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240729/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240729; rev:1;) alert tcp $HOME_NET any -> [91.92.244.21] 40096 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cholin777.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgigante.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgrande.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gomelo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240715; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hebreo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jerusalen.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesbiano.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruby.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240719; rev:1;) alert tcp $HOME_NET any -> [194.110.247.222] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fucktheccp.top"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; 
classtype:trojan-activity; sid:91240720; rev:1;) alert tcp $HOME_NET any -> [43.139.177.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240709; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abundancia777.con-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caramelo.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240682; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazaltov.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krater1.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graciasdiosito.con-ip.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deusdsfduhfdjisjdfasaxc.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sssssssdhhdiodhuhdisdisgi.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"gamin.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redentor.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salud77.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahweh.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anguila.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jireh.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farsante9.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matusalen77.con-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anhelo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bendecidos.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsfkdsvnlsnvklvdsnvodv.con-ip.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240698/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edden.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enticonfio.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ergdsbsicshdfsijfsiudhf.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galaxia.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memorias.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240703; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevocomienzo777.con-ip.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ostentar.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"persistencia.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salomon77.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sion.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ns1.usaglobalnews.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waltontechnical.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.waltontechnical.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myinternationalsolutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.myinternationalsolutions.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.topglobaltv.com"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.southernlandmortgage.cloud"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processtestpublic.php"; depth:22; nocase; http.host; content:"514885cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"2.57.149.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240575; rev:1;) alert tcp $HOME_NET any -> [81.94.150.21] 443 (msg:"ThreatFox FAKEUPDATES payload delivery 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240572; rev:1;) alert tcp $HOME_NET any -> [103.47.195.200] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240574; rev:1;) alert tcp $HOME_NET any -> [172.232.190.57] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240672; rev:1;) alert tcp $HOME_NET any -> [88.153.94.39] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240671; rev:1;) alert tcp $HOME_NET any -> [160.176.70.45] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240670; rev:1;) alert tcp $HOME_NET any -> [72.27.104.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240669; 
rev:1;) alert tcp $HOME_NET any -> [141.164.161.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240668; rev:1;) alert tcp $HOME_NET any -> [146.190.165.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240667; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32023 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240665; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240666; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32012 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240664; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32005 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240663/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240663; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32031 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240662; rev:1;) alert tcp $HOME_NET any -> [45.61.138.43] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/17303af8450cc290.php"; depth:21; nocase; http.host; content:"37.28.157.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240659; rev:1;) alert tcp $HOME_NET any -> [162.244.80.14] 17124 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240658/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240658; rev:1;) alert tcp $HOME_NET any -> [43.156.108.42] 32323 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240657; rev:1;) alert tcp $HOME_NET any -> [157.245.78.225] 42718 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240656; rev:1;) alert tcp $HOME_NET any -> [154.92.14.41] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240655; rev:1;) alert tcp $HOME_NET any -> [36.111.166.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240654; rev:1;) alert tcp $HOME_NET any -> [114.115.159.80] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240653; rev:1;) alert tcp $HOME_NET any -> [124.121.18.177] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240652; rev:1;) alert tcp $HOME_NET any -> [34.125.32.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240651; rev:1;) alert tcp $HOME_NET any -> [40.113.117.114] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240650; rev:1;) alert tcp $HOME_NET any -> [46.151.31.26] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240649; rev:1;) alert tcp $HOME_NET any -> [116.203.165.197] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240648; rev:1;) alert tcp $HOME_NET any -> [45.148.4.76] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240647; rev:1;) 
alert tcp $HOME_NET any -> [5.252.176.25] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240645; rev:1;) alert tcp $HOME_NET any -> [109.200.24.62] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240644; rev:1;) alert tcp $HOME_NET any -> [171.41.251.198] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240643; rev:1;) alert tcp $HOME_NET any -> [171.41.197.221] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240642/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240642; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240641; rev:1;) alert tcp $HOME_NET any -> [45.59.118.25] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240640/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240640; rev:1;) alert tcp $HOME_NET any -> [35.178.199.78] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240639/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240639; rev:1;) alert tcp $HOME_NET any -> [104.243.46.129] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240638; rev:1;) alert tcp $HOME_NET any -> [60.50.255.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240637; rev:1;) alert tcp $HOME_NET any -> [197.83.246.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240636; rev:1;) alert tcp $HOME_NET any -> [168.119.96.5] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240635; rev:1;) alert tcp $HOME_NET any -> [174.138.6.9] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmto.php"; depth:17; nocase; http.host; content:"gafisezs.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240633; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32017 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240632; rev:1;) alert tcp $HOME_NET any -> [167.71.231.122] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240631; rev:1;) alert tcp $HOME_NET any -> [35.157.195.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240629; rev:1;) alert tcp $HOME_NET any -> [3.85.194.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240630; rev:1;) alert tcp $HOME_NET any -> [20.117.112.154] 52525 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240628; rev:1;) alert tcp $HOME_NET any -> [18.202.134.235] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240626; rev:1;) alert tcp $HOME_NET any -> [35.208.245.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240627; rev:1;) alert tcp $HOME_NET any -> [3.120.71.192] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240625; rev:1;) alert tcp $HOME_NET any -> [34.101.86.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240624; rev:1;) alert tcp $HOME_NET any -> [34.123.222.44] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240623; rev:1;) alert tcp $HOME_NET any -> [13.127.226.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240622; rev:1;) alert tcp $HOME_NET any -> [135.181.20.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240621; rev:1;) alert tcp $HOME_NET any -> [146.190.9.102] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240620; rev:1;) alert tcp $HOME_NET any -> [3.250.162.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240619; rev:1;) alert tcp $HOME_NET any -> [44.218.45.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240618/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240618; rev:1;) alert tcp $HOME_NET any -> [18.118.138.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240617; rev:1;) alert tcp $HOME_NET any -> [14.225.19.116] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240616; rev:1;) alert tcp $HOME_NET any -> [47.242.21.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240615; rev:1;) alert tcp $HOME_NET any -> [103.47.195.200] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip136.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilon1337.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240612; rev:1;) alert tcp $HOME_NET any -> [185.249.227.27] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240611; rev:1;) alert tcp $HOME_NET any -> [94.156.66.77] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240610; rev:1;) alert tcp $HOME_NET any -> [159.223.52.78] 9782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240609; rev:1;) alert tcp $HOME_NET any -> [5.189.175.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240608; rev:1;) alert tcp $HOME_NET any -> [181.162.178.142] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240606/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240606; rev:1;) alert tcp $HOME_NET any -> [107.148.237.29] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240607; rev:1;) alert tcp $HOME_NET any -> [209.126.7.24] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240605; rev:1;) alert tcp $HOME_NET any -> [185.146.156.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240604; rev:1;) alert tcp $HOME_NET any -> [45.83.31.204] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240603; rev:1;) alert tcp $HOME_NET any -> [51.81.90.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240602; rev:1;) alert tcp $HOME_NET any -> [23.101.226.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240601; rev:1;) alert tcp $HOME_NET any -> [13.237.100.49] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240600; rev:1;) alert tcp $HOME_NET any -> [193.26.115.221] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240599; rev:1;) alert tcp $HOME_NET any -> [186.112.206.181] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240598; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240597; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240596; rev:1;) alert tcp $HOME_NET any -> 
[216.245.181.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240595/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240595; rev:1;) alert tcp $HOME_NET any -> [5.250.189.135] 40750 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240594/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240594; rev:1;) alert tcp $HOME_NET any -> [4.145.90.29] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240593/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240593; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2271 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240592; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240590; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240591/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240591; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240589; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1899 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240588; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240587; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240585; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1656 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240586; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 5520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240584; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 9995 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240583; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 3026 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240582; rev:1;) alert tcp $HOME_NET any -> [167.99.112.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240581; rev:1;) alert tcp $HOME_NET any -> [120.27.132.223] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240580; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 52120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240579; rev:1;) alert tcp $HOME_NET any -> [60.204.249.34] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240578; rev:1;) alert tcp $HOME_NET any -> [185.193.126.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240577; rev:1;) alert tcp $HOME_NET any -> [8.222.184.154] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vre"; depth:4; nocase; http.host; content:"newyear7250.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gka/index.php"; depth:14; nocase; http.host; content:"185.79.156.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/austino/index.php"; depth:18; nocase; http.host; content:"45.95.147.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"i42325.hostru2.fornex.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"bruxara.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sm.jrworcester.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
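content:"absolutecache.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240565; rev:1;)
# NOTE(review): low-confidence IOC (metadata confidence_level 25, unlike the 100 used elsewhere in this feed). Expect false positives; consider keeping this sid disabled or routing it to a lower-severity queue until corroborated.
alert tcp $HOME_NET any -> [179.43.175.207] 809 (msg:"ThreatFox Cobalt Strike payload delivery (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240394/; target:src_ip; metadata: confidence_level 25, first_seen 2024_02_16; classtype:trojan-activity; sid:91240394; rev:1;)
# NOTE(review): the next three "url" IOCs carry a bare hostname and no path. As generated they looked for that hostname in http.uri, which only holds the request target, so an ordinary "GET / HTTP/1.1" with the name in the Host header never matched (only a proxy-style absolute-URI request would). Rewritten to match the http.host buffer, anchored like the other http.host rules in this feed (depth + isdataat:!1,relative, no nocase since http.host is already lowercase-normalized). rev bumped to 2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"poseidon99.duckdns.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240562; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"trabajovalle2019.duckdns.org"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240563; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"harold.jetos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240564; rev:2;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokuti41.top"; depth:12; fast_pattern; 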
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiwpj11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasbrq34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xokecn54.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewamcd41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekyil22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240561/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_16; classtype:trojan-activity; sid:91240561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saas01.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewabpl55.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasrzh25.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knudqw18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewafal62.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"ewawtm26.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyxlx33.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moraku02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morhas01.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haijwd23.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaunl38.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaosm65.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morfiw05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasctx32.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewadgz11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raspdh35.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240554; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hairdx22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befrgv71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuawt52.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befixc63.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moryei03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"knurxh28.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewavmp35.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beflku61.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiezf32.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcgu03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewafxq25.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240530/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacter42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewauhc58.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortiq04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaumk24.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokacv34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaymo21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortbo03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befuwa51.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewayky18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcyr03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasqdc22.top"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaisb31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyswug41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smajug75.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smainz71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befuak48.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240510/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_16; classtype:trojan-activity; sid:91240510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befkap57.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewadmw53.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokfgl36.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morsyr05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smadyi56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"morsuq02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morwiv04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewasic56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morekt05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaqfe45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morqoi02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morhaq06.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuytee11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lysayu42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marjkc03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiolr12.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240498; 
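rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befzco47.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morbyn04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morups07.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haizul15.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240502; rev:1;)
# NOTE(review): this "url" IOC is a bare hostname with no path. As generated it looked for the hostname in http.uri, which only holds the request target, so an ordinary "GET / HTTP/1.1" with the name in the Host header never matched (only a proxy-style absolute-URI request would). Rewritten to match the http.host buffer, anchored like the other http.host rules in this feed (depth + isdataat:!1,relative, no nocase since http.host is already lowercase-normalized). rev bumped to 2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cdn-uk.widgetsfordeploy.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240492; rev:2;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 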
level: 100%)"; dns_query; content:"lovuterry.best"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240491; rev:1;)
# Domain IOCs. Each rule pins the whole DNS query name: content:"name" with a
# depth equal to the name's length anchors the match at offset 0 of the
# dns_query buffer, and isdataat:!1,relative requires the buffer to end right
# there. Only an exact lookup of the listed name fires - neither sub-labels
# (www.jazzcity.top) nor the parent zone are covered.
# Several names here are leaf labels under what look like shared dynamic-DNS /
# tunnelling services (*.e3.luyouxia.net, *.openfrp.top, *.ddns.net).
# NOTE(review): do not widen these to the parent zone without first checking
# the reputation of the whole service; the exact match is deliberate.
# The ip:port rule (sid:91240483) has no flow keyword, so it fires on the
# first packet from $HOME_NET to 91.241.19.100:80, including a bare SYN; the
# threshold caps it at one alert per source IP per 60 seconds, and
# target:src_ip marks the internal host as the victim.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jazzcity.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merknegrok.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warrioruno.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loadkanoe.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"puppybloder.pw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bloadypupper.best"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warriordos.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240490; rev:1;)
alert tcp $HOME_NET any -> [91.241.19.100] 80 (msg:"ThreatFox Ficker Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adverting-cdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"441autoparts.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiaoyuwudi.e3.luyouxia.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.996m2m2.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"54412.e3.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad2916985983.e2.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free.idcfengye.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gx121.e1.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xc091221.e2.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxyhwww.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-he-plc-2.openfrp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"66ddjkr.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kx5555.e3.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.f2pool.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfs666.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"latiao.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asjidoaiosdjo.e3.luyouxia.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdsfhkjf.e3.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240473/; target:src_ip; 
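metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240473; rev:1;)
# URL IOCs that carry no path component. The feed emitted the bare host into
# the http.uri buffer, anchored at offset 0 by depth:N. A normalised request
# URI begins with "/" (origin form) or "http://" (absolute form), so those
# rules could never fire and every host-only URL IOC in this run was a silent
# detection gap. Rewritten to match the host exactly in the http.host buffer
# (depth == host length plus isdataat:!1,relative), which is the idiom this
# feed already uses for URL IOCs that do have a path (sid:91240423 below);
# nocase is dropped to match that idiom. rev is bumped to 2 on every rule
# whose body changed. Scope after the rewrite: any established GET from
# $HOME_NET to the listed host - the same breadth as the feed's ip:port rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bubbebottle.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240463; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.66.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240464; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.244.48.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240461; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"176.124.198.17"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240462; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.17.40.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240459; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"ffud666.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240460; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.242.229.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240457; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.163.7.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240458; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.89.239.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240455; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"95.216.72.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240456; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.105.132.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240452; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.64.41"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240453; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.91.123.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240454; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"92.246.138.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240450; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"104.245.33.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240451; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"194.120.116.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240449; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"138.201.196.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240447; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"florianhabeler.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240448; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.75.177.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240444; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"phoenixexec.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240445; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.66.57"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240446; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"45.87.153.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240442; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.91.76.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240443; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"109.107.181.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240440; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"82.115.223.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240441; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.66.85.128"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240438; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.66.58"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240439; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"janmorath.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240436; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"82.115.223.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240437; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"149.255.35.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240434; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"dskflherlkhopihsf.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240435; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"116.203.180.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240431; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.42.65.54"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240432; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"ettoregiardina.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240433; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"109.107.182.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240430; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"77.105.132.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240427; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"finnmanninger.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240428; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"raphaelbischoff.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240429; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240425; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"giveapp.pro"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240426; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.172.128.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240424; rev:2;)
# URL IOC with a path: unchanged - this is the reference shape for the
# rewrites above (path anchored in http.uri, host pinned exactly in http.host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check/safe"; depth:11; nocase; http.host; content:"app.alie3ksgaa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240423; rev:1;)
# Domain IOCs, unchanged: exact query-name match (depth == name length plus
# isdataat:!1,relative), so sub-labels and parent zones do not trigger.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carvewomanflavourwop.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"negliganceassumeruew.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240415; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crisisestimatehealtwh.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayleafletcamerakwov.site"; 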
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240417; rev:1;)
# Domain IOCs, same exact-match idiom as above: content anchored at offset 0
# of the dns_query buffer by depth == name length, isdataat:!1,relative
# forbids trailing bytes, so sub-labels and parent zones are not covered.
# The url rules that follow pair http.uri content:"/api" depth:4 (no
# isdataat, so any path beginning with /api qualifies) with an exact
# http.host match. Every host in those url rules also has a domain rule in
# this file, so one beacon can raise both a dns and an http alert for the
# same indicator - keep that in mind when counting hits per IOC.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brickabsorptiondullyi.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240418; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assaultseekwoodywod.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240419; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retainfactorypunishjkw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240420; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"communicationinchoicer.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"braidfadefriendklypk.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240422; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleetconsciousnessjuiw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240395; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oluaskaz.pw"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240396; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contextsuffreintymore.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joystickempiricalhirpw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makeexpectentrypon.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attachmentartikidw.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240400; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"willpoweragreebokkskiew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240401; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"racerecessionrestrai.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240402; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vesselspeedcrosswakew.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240403; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goddirtybrilliancece.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240404; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consciouosoepewmausj.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240405; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beaturifuelministyuowwas.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240406; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conferenctdressingshrw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cooperatecliqueobstac.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvoikcloud.pw"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gearboomchocolateowfs.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240410; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"radicalleafletmissfoxw.pw"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240411; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evokenumberpottruckere.fun"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240412; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doonwload.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationinchoicer.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"retainfactorypunishjkw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"assaultseekwoodywod.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickabsorptiondullyi.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sayleafletcamerakwov.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"crisisestimatehealtwh.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carvewomanflavourwop.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doonwload.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"radicalleafletmissfoxw.pw"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gearboomchocolateowfs.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240384/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tvoikcloud.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cooperatecliqueobstac.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"beaturifuelministyuowwas.site"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"consciouosoepewmausj.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vesselspeedcrosswakew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pavementpreferencewjiao.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"racerecessionrestrai.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"willpoweragreebokkskiew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"joystickempiricalhirpw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"contextsuffreintymore.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fleetconsciousnessjuiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"141.98.81.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240371/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"52.91.67.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240370; rev:1;) alert tcp $HOME_NET any -> [185.179.217.216] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240368; rev:1;) alert tcp $HOME_NET any -> [172.232.174.6] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1240366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240366; rev:1;) alert tcp $HOME_NET any -> [103.178.235.32] 19990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiefuwuqi.20242525.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240364; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240363; rev:1;) alert tcp $HOME_NET any -> [52.91.67.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"52.91.67.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240361; rev:1;) alert tcp $HOME_NET any -> [130.185.249.90] 6667 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.234.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.24.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240357; rev:1;) alert tcp $HOME_NET any -> [95.217.24.13] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240354/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240354; rev:1;) alert tcp $HOME_NET any -> [78.46.234.146] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240355; rev:1;) alert tcp $HOME_NET any -> [95.216.182.244] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240356; rev:1;) alert tcp $HOME_NET any -> [1.14.206.144] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240353; rev:1;) alert tcp $HOME_NET any -> [193.233.255.127] 36579 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240352; rev:1;) alert tcp $HOME_NET any -> [143.198.95.76] 42061 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240351; rev:1;) alert tcp $HOME_NET any -> [147.45.42.25] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240350; rev:1;) alert tcp $HOME_NET any -> [122.10.49.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240349; rev:1;) alert tcp $HOME_NET any -> [122.10.27.225] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240348; rev:1;) alert tcp $HOME_NET any -> [122.10.110.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240347; rev:1;) alert tcp $HOME_NET any -> [86.121.139.203] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240346; rev:1;) alert tcp $HOME_NET any -> [189.140.70.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240345; rev:1;) alert tcp 
$HOME_NET any -> [75.173.26.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240344; rev:1;) alert tcp $HOME_NET any -> [72.27.169.43] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240343; rev:1;) alert tcp $HOME_NET any -> [50.35.143.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240342; rev:1;) alert tcp $HOME_NET any -> [189.253.230.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240341; rev:1;) alert tcp $HOME_NET any -> [41.147.196.189] 80 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240340; rev:1;) alert tcp $HOME_NET any -> [107.189.31.164] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240339/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240339; rev:1;) alert tcp $HOME_NET any -> [173.237.206.178] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240338; rev:1;) alert tcp $HOME_NET any -> [47.232.161.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240337; rev:1;) alert tcp $HOME_NET any -> [89.147.111.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240336; rev:1;) alert tcp $HOME_NET any -> [34.141.124.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240335; rev:1;) alert tcp $HOME_NET any -> [95.217.6.101] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240334; rev:1;) alert tcp $HOME_NET any -> [20.41.216.145] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240333; rev:1;) alert tcp $HOME_NET any -> [69.46.36.217] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240332; rev:1;) alert tcp $HOME_NET any -> [137.184.96.202] 22 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basenetgear.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eeatgoodx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frenchpies.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tnoodlezy.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"31.41.244.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"194.26.135.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240320; rev:1;) alert tcp $HOME_NET any -> [103.195.236.98] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"persikmonkiey7drone.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1240322/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"persikmonkiey7drone.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240323; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240324/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240324; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240325/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240325; rev:1;) alert tcp $HOME_NET any -> [172.67.167.246] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240328; rev:1;) alert tcp $HOME_NET any -> [91.92.242.133] 2025 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cy58784.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240329; rev:1;)
# URL indicators: prefix match on the normalized URI (depth equals the pattern length and
# there is no trailing isdataat on the URI, so a query string appended to the path still
# matches) plus an exact match on the Host header (isdataat:!1,relative). Only GET requests
# in the client->server direction are inspected (http.method content:"GET"), so a POST to
# the same URL is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0919167.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmdlecentral.php"; depth:17; nocase; http.host; content:"386958cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polltrack2/traffic3/6datalife9/line0api/privatevmapi/wpwindows6/server3image/flowerwindowswindows/wordpresspublictest/mariadbasyncwordpress/1sql/phptracktesttemporary/http/8eternal0/httpapidefaultcdn.php"; depth:204; nocase; http.host; content:"159.89.17.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240318; rev:1;)
# ip:port indicators: plain tcp rules with no flow: keyword, so they can fire on the first
# client->server packet to that address/port (including a SYN that never completes).
# threshold limit/by_src/60s/1 caps each sid at one alert per source host per minute.
alert tcp $HOME_NET any -> [91.92.250.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240317; rev:1;)
# URI "/" with depth:1 and no trailing isdataat matches every request path to this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"41.216.183.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240316; rev:1;)
alert tcp $HOME_NET any -> [93.177.75.98] 56816 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240315; rev:1;)
alert tcp $HOME_NET any -> [179.60.149.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/produce/editorial/ydpobkjg"; depth:27; nocase; http.host; content:"saturnexa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240313; rev:1;)
# sids 91240312 through 91240308 below carry identical match logic (GET /bot/regex on
# ww25.searchseedphase.online) under five ThreatFox IOC entries; one matching request
# raises five alerts. Keep one and comment out the rest if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240308; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 15119 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240302; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 15119 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0918108.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240301; rev:1;)
# The QakBot entries below are published at confidence 50 (see metadata); treat a hit as a
# lead to triage against the linked ThreatFox entry rather than a confirmed infection.
alert tcp $HOME_NET any -> [86.98.19.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240300; rev:1;)
alert tcp $HOME_NET any -> [197.204.24.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240299; rev:1;)
alert tcp $HOME_NET any -> [31.117.25.91] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240298; rev:1;)
alert tcp $HOME_NET any -> [124.149.139.54] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240297; rev:1;)
alert tcp $HOME_NET any -> [95.7.52.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240296; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.111] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240295; rev:1;)
alert tcp $HOME_NET any -> [145.82.207.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240294; rev:1;)
alert tcp $HOME_NET any -> [128.199.116.190] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240293; rev:1;)
# Domain indicators are exact-name matches: depth anchors the pattern at the start of the
# query name and isdataat:!1,relative forbids anything after it, so a query for a sub-label
# (e.g. foo.yuya0415.duckdns.org) does not match. The rules are written
# $HOME_NET -> $EXTERNAL_NET: if clients resolve through a recursor that sits inside
# $HOME_NET, the client's query never crosses that boundary and only the recursor's
# upstream lookup (if it is on a monitored segment) can trigger the rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yuya0415.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240282; rev:1;)
# The wp-content/themes/<theme>/<6 chars>.php entries below are C2 scripts dropped on
# what appear to be compromised WordPress sites; the host names are the legitimate sites,
# so match on the full path only (as written) -- do not block the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/tb9ayt.php"; depth:45; nocase; http.host; content:"www.itechatglance.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sfodyf.php"; depth:45; nocase; http.host; content:"wiseloose.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/dyyxgt.php"; depth:45; nocase; http.host; content:"www.bianca-maria-roth.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elperiodico/wp-content/themes/twentytwentyfour/ahkmwa.php"; depth:58; nocase; http.host; content:"elperiodicopanama.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hub/bbpress/ny9jlw.php"; depth:41; nocase; http.host; content:"aquatest.it"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"88888cl.nyashtyan.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240292; rev:1;)
alert tcp $HOME_NET any -> [95.217.244.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240285; rev:1;)
alert tcp $HOME_NET any -> [95.217.244.208] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240286; rev:1;)
# sids 91240284 and 91240283 are identical (any GET path, depth:1 on "/", to host
# 95.217.244.208) and both fire on every request to that host; the two tcp rules above
# already cover the same address on 443 and 9000.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240283; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.20] 415 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240281; rev:1;)
# "payload delivery" entries: same URL matching as the C2 rules, but a hit means a download
# stage (first contact), not an established implant check-in.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnx/fgb"; depth:8; nocase; http.host; content:"globalpanelinc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfe/sdq"; depth:8; nocase; http.host; content:"realponti.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240279; rev:1;)
# Host is a shared CDN; the full 79-byte attachment path is what makes this specific.
# Do not shorten the URI pattern/depth or it will match unrelated downloads.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063900897270304770/1207265114458161172/4_npp.8.6.portable.x64.zip"; depth:79; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/additional_details"; depth:19; nocase; http.host; content:"miosecurezza.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financial_access"; depth:17; nocase; http.host; content:"miosecurezza.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/u7arje.php"; depth:42; nocase; http.host; content:"www.joannamalecka.pl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentythirteen/hcslmt.php"; depth:44; nocase; http.host; content:"mediterraneaclean.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/nhdxtk.php"; depth:45; nocase; http.host; content:"mesabierta.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/wp-content/themes/twentytwenty/ayboiw.php"; depth:46; nocase; http.host; content:"miguelkhoury.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"watermjx.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240271; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.29] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240270; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.33] 6789 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240269; rev:1;)
# The mine-495834.* / feeeleen.top entries share one URI pattern across several TLDs of the
# same base name; a hit on any of them is the same campaign (confidence 80 on each).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240267/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"feeeleen.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240268/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240265/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240264/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240264; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.60] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240263; rev:1;)
alert tcp $HOME_NET any -> [20.218.68.91] 9552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240212; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.14] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240211; rev:1;)
# Port 53 over TCP: this is a tcp rule, not a dns rule, so it fires on any TCP session to
# the address on 53 regardless of whether the payload is DNS.
alert tcp $HOME_NET any -> [207.246.74.189] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.freshstartupusa.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240261; rev:1;)
# The "Unknown malware" ip:port entries below carry no protocol content -- the indicator
# is the destination address and port alone, and the only age signal is first_seen in
# metadata. Several addresses presumably sit in public-cloud ranges that are reassigned
# often; verify current ownership against the linked ThreatFox entry before converting any
# of these alerts into drop rules.
alert tcp $HOME_NET any -> [3.224.37.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240259; rev:1;)
alert tcp $HOME_NET any -> [20.235.118.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240258; rev:1;)
alert tcp $HOME_NET any -> [175.24.133.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240257; rev:1;)
alert tcp $HOME_NET any -> [54.92.160.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240256; rev:1;)
alert tcp $HOME_NET any -> [165.227.95.225] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240254; rev:1;)
alert tcp $HOME_NET any -> [51.81.237.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240255; rev:1;)
alert tcp $HOME_NET any -> [16.170.251.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240253; rev:1;)
alert tcp $HOME_NET any -> [13.50.203.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240252; rev:1;)
alert tcp $HOME_NET any -> [170.64.157.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240251; rev:1;)
alert tcp $HOME_NET any -> [139.59.19.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240250; rev:1;)
alert tcp $HOME_NET any -> [18.210.152.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240249; rev:1;)
alert tcp $HOME_NET any -> [165.227.68.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"play.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240247; rev:1;)
alert tcp $HOME_NET any -> [49.12.123.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240245; rev:1;)
alert tcp $HOME_NET any -> [106.15.234.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240246; rev:1;)
alert tcp $HOME_NET any -> [43.131.253.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240244; rev:1;)
alert tcp $HOME_NET any -> [39.109.86.101] 34013 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240243; rev:1;)
alert tcp $HOME_NET any -> [128.199.116.190] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240242; rev:1;)
alert tcp $HOME_NET any -> [74.234.3.141] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240241; rev:1;)
alert tcp $HOME_NET any -> [154.82.85.78] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l3mon.emilemilchen.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240239; rev:1;)
alert tcp $HOME_NET any -> [115.74.30.127] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240238; rev:1;)
alert tcp $HOME_NET any -> [178.62.57.69] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240237; rev:1;)
# The name below is a hoster's generic reverse-DNS style label (static.<ip>.clients...),
# which a client would only query if it were handed out as the C2 address; a hit is still
# an exact match on that name, not on the underlying IP.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.181.200.107.91.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240236; rev:1;)
alert tcp $HOME_NET any -> [188.166.194.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240235; rev:1;)
alert tcp $HOME_NET any -> [82.146.52.203] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240234; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qq00.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240232; rev:1;)
alert tcp $HOME_NET any -> [45.14.247.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240231; rev:1;)
alert tcp $HOME_NET any -> [164.92.238.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240230; rev:1;)
alert tcp $HOME_NET any -> [192.250.225.3] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240229; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240228; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.221] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240227; rev:1;)
alert tcp $HOME_NET any -> [45.40.96.97] 9441 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240226; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240224; rev:1;)
alert tcp $HOME_NET any -> [147.189.172.2] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240225; rev:1;)
# Sliver / Cobalt Strike entries: red-team frameworks, so a hit may also be an authorised
# engagement -- correlate with any scheduled testing before escalating.
alert tcp $HOME_NET any -> [132.145.209.99] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240223/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_15; classtype:trojan-activity; sid:91240223; rev:1;)
alert tcp $HOME_NET any -> [4.157.160.27] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240222/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_15; classtype:trojan-activity; sid:91240222; rev:1;)
alert tcp $HOME_NET any -> [35.208.198.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240221; rev:1;)
alert tcp $HOME_NET any -> [35.208.198.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240220/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240220; rev:1;) alert tcp $HOME_NET any -> [172.233.67.44] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240219; rev:1;) alert tcp $HOME_NET any -> [104.168.173.70] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240218; rev:1;) alert tcp $HOME_NET any -> [106.54.227.54] 6655 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240217; rev:1;) alert tcp $HOME_NET any -> [8.148.10.39] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240216; rev:1;) alert tcp $HOME_NET any -> [210.114.11.173] 806 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240215; rev:1;) alert tcp $HOME_NET any -> [47.92.27.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-124-71-158-221.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot5358754228:aae42hagw1bzipxu7ivrc_96iduhcwsjjvo/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240209; rev:1;) alert tcp $HOME_NET any -> [154.197.124.161] 1111 (msg:"ThreatFox DBatLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abotihy.exe"; depth:12; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; 
sid:91240206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.exe"; depth:10; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240208; rev:1;) alert tcp $HOME_NET any -> [192.177.98.104] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240205/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240205; rev:1;) alert tcp $HOME_NET any -> [154.197.124.161] 2222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"llllllllllllllllllllllllllll.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240204/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_02_15; classtype:trojan-activity; sid:91240204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"42.193.16.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240202; rev:1;) alert tcp $HOME_NET any -> [5.181.80.192] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240198; rev:1;) alert tcp $HOME_NET any -> [5.181.80.173] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240199; rev:1;) alert tcp $HOME_NET any -> [5.181.80.175] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240200; rev:1;) alert tcp $HOME_NET any -> [45.156.21.39] 3443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240201; rev:1;) alert tcp $HOME_NET any -> 
[194.169.175.233] 3608 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240197; rev:1;) alert tcp $HOME_NET any -> [5.252.176.25] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geolongpollbaselinuxtraffictrackdatalifetemporary.php"; depth:54; nocase; http.host; content:"372451cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaad/httppacketcpubigloadgeneratorwordpressprivatetemporary.php"; depth:65; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"164.155.206.126"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1240183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"8.134.166.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"180.76.179.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"134.122.132.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"134.122.132.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240187; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"82.157.154.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"116.204.110.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.75.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"2.56.109.134"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.251"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.40.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.40.99"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1240176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.113.116.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"103.241.72.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"139.180.191.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240179; rev:1;) alert tcp 
$HOME_NET any -> [45.93.9.119] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240180; rev:1;) alert tcp $HOME_NET any -> [45.93.9.98] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240181; rev:1;) alert tcp $HOME_NET any -> [45.93.9.108] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240182; rev:1;) alert tcp $HOME_NET any -> [87.121.112.29] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240162; rev:1;) alert tcp $HOME_NET any -> [87.121.112.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240163; rev:1;) alert tcp $HOME_NET any -> [94.131.13.80] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240164; rev:1;) alert tcp $HOME_NET any -> [20.187.91.63] 59413 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240165; rev:1;) alert tcp $HOME_NET any -> [85.204.116.230] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240166; rev:1;) alert tcp $HOME_NET any -> [85.204.116.231] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240167; rev:1;) alert tcp $HOME_NET any -> [85.204.116.128] 1287 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240193/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.24.179.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"42.3.121.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240191; rev:1;) alert tcp $HOME_NET any -> [212.193.11.40] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240190; rev:1;) alert tcp $HOME_NET any -> [195.133.88.98] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240155/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_15; classtype:trojan-activity; sid:91240155; rev:1;) alert tcp $HOME_NET any -> [91.201.67.85] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240156/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_15; 
classtype:trojan-activity; sid:91240156; rev:1;) alert tcp $HOME_NET any -> [161.35.88.106] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240157; rev:1;) alert tcp $HOME_NET any -> [161.35.89.255] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240158; rev:1;) alert tcp $HOME_NET any -> [161.35.90.184] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240159; rev:1;) alert tcp $HOME_NET any -> [165.22.201.172] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240160; rev:1;) alert tcp $HOME_NET any -> [24.144.81.7] 1302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240161; rev:1;) alert tcp $HOME_NET any -> [91.92.252.34] 6667 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240154; rev:1;) alert tcp $HOME_NET any -> [172.232.186.100] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240153; rev:1;) alert tcp $HOME_NET any -> [41.96.151.65] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240152; rev:1;) alert tcp $HOME_NET any -> [79.107.137.189] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240151; rev:1;) alert tcp $HOME_NET any -> [197.204.251.116] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240150; rev:1;) alert tcp $HOME_NET any -> [68.56.172.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240149; rev:1;) alert tcp $HOME_NET any -> [78.101.28.103] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240148; rev:1;) alert tcp $HOME_NET any -> [70.31.125.111] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240147; rev:1;) alert tcp $HOME_NET any -> [2.49.60.224] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240146; rev:1;) alert tcp $HOME_NET any -> [118.38.132.38] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240145; rev:1;) alert tcp $HOME_NET any -> [209.94.58.96] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240144; rev:1;) alert tcp $HOME_NET any -> [34.76.179.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; 
classtype:trojan-activity; sid:91240143; rev:1;) alert tcp $HOME_NET any -> [13.233.144.170] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240142; rev:1;) alert tcp $HOME_NET any -> [88.214.25.240] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240141; rev:1;) alert tcp $HOME_NET any -> [45.55.200.153] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240140; rev:1;) alert tcp $HOME_NET any -> [34.138.61.159] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240139; rev:1;) alert tcp $HOME_NET any -> [157.90.120.132] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240138; rev:1;) alert tcp $HOME_NET any -> [34.82.156.114] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1240137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240137; rev:1;) alert tcp $HOME_NET any -> [185.196.9.214] 445 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poll8trafficcpu/gameflowerlocal/update/cpugeneratortotrack/testpipe/secure/datalifecpu/uploads5/93image0/downloadsproton6/providercpusqlflowerasynclocaluploads.php"; depth:164; nocase; http.host; content:"80.66.89.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrmzmu3odrmy2q4/"; depth:18; nocase; http.host; content:"185.11.61.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovavolvo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240111/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_15; classtype:trojan-activity; sid:91240111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"grantallardserver.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"casinovipclubs.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"casinovipclubs.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saturnexa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/gdl7ghmq"; depth:9; nocase; http.host; content:"snackfunp.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snackfunp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hh3w6zc6"; depth:9; nocase; http.host; content:"gspiceyl.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gspiceyl.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usaglobalnews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"topglobaltv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupmartec.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"domnicaa.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240085; rev:1;) alert tcp $HOME_NET any -> [49.13.89.187] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240134; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 1663 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240133; rev:1;) alert tcp $HOME_NET any -> [101.200.172.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1240132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240132; rev:1;) alert tcp $HOME_NET any -> [115.159.102.112] 8778 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240131; rev:1;) alert tcp $HOME_NET any -> [192.3.189.182] 51938 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240130; rev:1;) alert tcp $HOME_NET any -> [114.115.210.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240129; rev:1;) alert tcp $HOME_NET any -> [124.223.62.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240128; rev:1;) alert tcp $HOME_NET any -> [198.244.144.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240127; rev:1;) alert tcp $HOME_NET any -> [193.17.92.248] 
45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240126; rev:1;) alert tcp $HOME_NET any -> [43.129.239.195] 61111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240125; rev:1;) alert tcp $HOME_NET any -> [47.94.120.34] 65521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240124; rev:1;) alert tcp $HOME_NET any -> [47.93.254.171] 5470 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240123; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240122; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240121/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240121; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240120; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240119; rev:1;) alert tcp $HOME_NET any -> [154.91.83.163] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240118; rev:1;) alert tcp $HOME_NET any -> [193.233.132.193] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240117; rev:1;) alert tcp $HOME_NET any -> [194.116.173.154] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240116; rev:1;) alert tcp $HOME_NET any -> [45.14.244.72] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240115; rev:1;) alert tcp $HOME_NET any -> [95.216.177.94] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240114; rev:1;) alert tcp $HOME_NET any -> [88.198.108.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240113; rev:1;) alert tcp $HOME_NET any -> [20.226.21.146] 53092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240107; rev:1;) alert tcp $HOME_NET any -> [159.112.177.137] 53092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"teamsupd.azurewebsites.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240104/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamsupd.azurewebsites.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"23.101.122.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"13.82.186.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.itaberabanoticias.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; 
content:"40.86.174.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"www.itaberabanoticias.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"www2.itaberabanoticias.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.itaberabanoticias.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; 
sid:91240096; rev:1;) alert tcp $HOME_NET any -> [138.68.40.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"cb.1ancast3r.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cb.1ancast3r.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240093; rev:1;) alert tcp $HOME_NET any -> [49.13.89.187] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwork/panel/five/fre.php"; depth:25; nocase; http.host; content:"www.makeyourbrandz.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240090/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240090; rev:1;) alert tcp $HOME_NET any -> [91.92.246.233] 2897 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240081; rev:1;) alert tcp $HOME_NET any -> [175.110.115.65] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240080; rev:1;) alert tcp $HOME_NET any -> [139.198.160.133] 59900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240079; rev:1;) alert tcp $HOME_NET any -> [31.117.122.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240078; rev:1;) alert tcp $HOME_NET any -> [45.59.118.25] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.thunderdepthsforger.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"new-bestfortunes.life"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"canopusacrux.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thunderdepthsforger.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdnstatic.thunderdepthsforger.top"; depth:33; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tnoodlezy.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y562rjrt"; depth:9; nocase; http.host; content:"tnoodlezy.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240075; rev:1;) alert tcp $HOME_NET any -> [172.212.163.113] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/welcome/qj81aiz9qhk"; depth:26; nocase; http.host; content:"saturnreviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240068; rev:1;) alert tcp $HOME_NET any -> [179.60.149.231] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/welcome/qj81aiz9qhk"; depth:26; nocase; http.host; content:"saturnreviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saturnreviews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91240063; rev:1;) alert tcp $HOME_NET any -> [65.109.242.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240062; rev:1;) alert tcp $HOME_NET any -> [65.109.242.48] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240061; rev:1;) alert tcp $HOME_NET any -> [185.99.133.77] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240058/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240058; rev:1;) alert tcp $HOME_NET any -> [5.255.116.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240059/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240059; rev:1;) alert tcp $HOME_NET any -> [85.239.34.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240060/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ebnsina.top"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91240057; rev:1;) alert tcp $HOME_NET any -> [95.179.189.177] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.artstrailman.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psilonapi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvin/five/fre.php"; depth:20; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240053; rev:1;) alert tcp $HOME_NET any -> [188.116.23.142] 23033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240052; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 1050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91240051; rev:1;) alert tcp $HOME_NET any -> [86.38.225.109] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240045; rev:1;) alert tcp $HOME_NET any -> [172.232.189.219] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240046; rev:1;) alert tcp $HOME_NET any -> [198.44.187.12] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240047; rev:1;) alert tcp $HOME_NET any -> [45.32.21.184] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240048; rev:1;) alert tcp $HOME_NET 
any -> [172.232.189.10] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240049; rev:1;) alert tcp $HOME_NET any -> [172.232.162.97] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240050; rev:1;) alert tcp $HOME_NET any -> [131.153.231.178] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240042; rev:1;) alert tcp $HOME_NET any -> [95.179.135.3] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240043; rev:1;) alert tcp $HOME_NET any -> [155.138.147.62] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/"; depth:4; nocase; http.host; content:"grpt.ca"; depth:7; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239949; rev:1;) alert tcp $HOME_NET any -> [190.135.174.163] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240041; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32009 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240040; rev:1;) alert tcp $HOME_NET any -> [51.15.220.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240039; rev:1;) alert tcp $HOME_NET any -> [139.59.3.90] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240038; rev:1;) alert tcp $HOME_NET any -> [185.88.196.130] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240037; rev:1;) alert tcp $HOME_NET any 
-> [202.83.25.9] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240036; rev:1;) alert tcp $HOME_NET any -> [1.12.221.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240035; rev:1;) alert tcp $HOME_NET any -> [198.199.121.71] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240034; rev:1;) alert tcp $HOME_NET any -> [5.9.185.124] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240033; rev:1;) alert tcp $HOME_NET any -> [20.211.122.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240032; rev:1;) alert tcp $HOME_NET any -> [138.91.109.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240031; rev:1;) alert tcp $HOME_NET any -> [110.42.163.130] 36699 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240030; rev:1;) alert tcp $HOME_NET any -> [20.105.186.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240029; rev:1;) alert tcp $HOME_NET any -> [35.233.72.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240028; rev:1;) alert tcp $HOME_NET any -> [99.81.225.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240027; rev:1;) alert tcp $HOME_NET any -> [4.175.95.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240026; rev:1;) alert tcp $HOME_NET any -> [172.234.228.130] 
443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240025; rev:1;) alert tcp $HOME_NET any -> [45.61.158.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240023; rev:1;) alert tcp $HOME_NET any -> [20.54.117.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"142-11-199-59.plesk.page"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240022; rev:1;) alert tcp $HOME_NET any -> [104.225.235.101] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240021; rev:1;) alert tcp $HOME_NET any -> [123.206.227.241] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240020; rev:1;) alert tcp $HOME_NET any -> [79.137.207.38] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240019; rev:1;) alert tcp $HOME_NET any -> [109.107.181.93] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240018; rev:1;) alert tcp $HOME_NET any -> [52.20.229.84] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240017; rev:1;) alert tcp $HOME_NET any -> [129.152.4.113] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240016; rev:1;) alert tcp $HOME_NET any -> [51.107.41.155] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240015; rev:1;) alert tcp $HOME_NET any -> [95.214.177.31] 80 (msg:"ThreatFox ERMAC botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240014; rev:1;) alert tcp $HOME_NET any -> [195.206.235.241] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240012; rev:1;) alert tcp $HOME_NET any -> [74.234.3.141] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240013; rev:1;) alert tcp $HOME_NET any -> [115.74.30.127] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wapt.dgcs.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imperiummalczyc.pl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240010/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_14; classtype:trojan-activity; sid:91240010; rev:1;) alert tcp $HOME_NET any -> [193.233.132.214] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240008; rev:1;) alert tcp $HOME_NET any -> [167.235.136.41] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240007; rev:1;) alert tcp $HOME_NET any -> [185.209.30.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240006; rev:1;) alert tcp $HOME_NET any -> [64.226.76.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240005; rev:1;) alert tcp $HOME_NET any -> [45.138.16.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin6.fvds.ru"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovial-wescoff.45-138-16-161.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240003; rev:1;) alert tcp $HOME_NET any -> [69.46.36.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240000; rev:1;) alert tcp $HOME_NET any -> [69.46.36.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"238.200.202.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239999; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239998/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239998; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239997; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239996; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239994; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239995; rev:1;) alert tcp $HOME_NET any -> [186.170.96.237] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239993; rev:1;) alert tcp $HOME_NET any -> [185.81.157.106] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239991; rev:1;) alert tcp $HOME_NET any -> [45.88.186.16] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239992; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239990; rev:1;) alert tcp $HOME_NET any -> [5.252.74.133] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239988; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239989; rev:1;) alert tcp $HOME_NET any -> [5.252.74.133] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239987; rev:1;) alert tcp 
$HOME_NET any -> [193.26.115.221] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239986; rev:1;) alert tcp $HOME_NET any -> [185.81.157.21] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239984; rev:1;) alert tcp $HOME_NET any -> [186.112.206.181] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239985; rev:1;) alert tcp $HOME_NET any -> [185.81.157.21] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239983; rev:1;) alert tcp $HOME_NET any -> [46.246.6.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239982; rev:1;) alert tcp $HOME_NET any -> [209.141.54.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239981/; target:src_ip; 
metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91239981; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239980/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91239980; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239978; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239979; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239977; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239976; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239974; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239975; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1672 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239973; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1666 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239972; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239970; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239971; 
rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239969; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239968; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239967; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 10101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239966; rev:1;) alert tcp $HOME_NET any -> [45.134.225.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239965; rev:1;) alert tcp $HOME_NET any -> [146.70.149.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239964; rev:1;) alert tcp $HOME_NET any -> [106.75.240.189] 4090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239963; rev:1;) alert tcp $HOME_NET any -> [117.50.178.197] 33221 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239962; rev:1;) alert tcp $HOME_NET any -> [5.161.85.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239961; rev:1;) alert tcp $HOME_NET any -> [185.158.248.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eganet.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239959; rev:1;) alert tcp $HOME_NET any -> 
[154.44.10.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239957; rev:1;) alert tcp $HOME_NET any -> [103.146.179.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239958; rev:1;) alert tcp $HOME_NET any -> [23.160.193.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239956; rev:1;) alert tcp $HOME_NET any -> [42.186.17.183] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77.198.208.35.bc.googleusercontent.com"; depth:38; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/index.php"; depth:13; nocase; http.host; content:"grpt.ca"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documents/build-x64.zip/build-x64.msi"; depth:38; nocase; http.host; content:"95.164.63.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documents/build-x64.zip"; depth:24; nocase; http.host; content:"95.164.63.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239946; rev:1;) alert tcp $HOME_NET any -> [95.164.63.54] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239943; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1239942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.dadadsadaccsoong.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239937; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"20.163.176.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"47.123.4.117"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239934; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239932/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239932; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239933; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 60989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239931; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239929; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 4899 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239930; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 463 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239928; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 21 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239926; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrchq.vrhoeas.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239925; rev:1;) alert tcp $HOME_NET any -> [8.222.251.253] 43001 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qrchq.vrhoeas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239923; rev:1;) alert tcp $HOME_NET any -> [43.229.78.74] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239919/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_14; classtype:trojan-activity; sid:91239919; rev:1;) alert tcp $HOME_NET any -> [154.201.81.8] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239920; rev:1;) alert tcp $HOME_NET any -> [108.61.78.17] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239921; rev:1;) alert tcp $HOME_NET any -> [104.156.233.235] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0919021.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239918; rev:1;) alert tcp $HOME_NET any -> [141.98.10.72] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.9.41.156"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadadsadaccsoong.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"dadadsadaccsoong.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"92.118.36.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogyyzmmyzmvlmgi0/"; depth:18; nocase; http.host; content:"4232fdnsjds.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_14; classtype:trojan-activity; sid:91239908; rev:1;) alert tcp $HOME_NET any -> [95.216.177.94] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239906; rev:1;) alert tcp $HOME_NET any -> [78.47.117.126] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.177.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.117.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239904; rev:1;) alert tcp $HOME_NET any -> [103.155.81.228] 1234 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239903/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"botnet.nguyennghi.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239902; rev:1;) alert tcp $HOME_NET any -> [93.123.85.140] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239901; rev:1;) alert tcp $HOME_NET any -> [91.92.251.202] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239900; rev:1;) alert tcp $HOME_NET any -> [101.34.243.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239899; rev:1;) alert tcp $HOME_NET any -> [47.236.115.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239898; rev:1;) alert tcp $HOME_NET any -> [41.96.83.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239897; rev:1;) alert tcp $HOME_NET any -> [72.27.170.157] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239896; rev:1;) alert tcp $HOME_NET any -> [38.142.20.186] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239895; rev:1;) alert tcp $HOME_NET any -> [158.101.163.23] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239894; rev:1;) alert tcp $HOME_NET any -> [45.45.219.118] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239893; rev:1;) alert tcp $HOME_NET any -> [218.28.172.11] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239892; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239891; rev:1;) alert tcp $HOME_NET any -> [69.46.36.216] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239890; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239889; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 3456 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239869; rev:1;) alert tcp $HOME_NET any -> [188.116.21.141] 20213 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"frightyserver.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgkc244p"; depth:9; nocase; http.host; content:"frightyserver.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"winvipbonus.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"weapkd4.jarteaused.live"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239887; rev:1;) alert tcp $HOME_NET any -> [191.248.177.208] 15833 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"45.14.244.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linewindowstrack.php"; depth:21; nocase; http.host; content:"81.200.146.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proton/cdndump/0pipe4/processtemp0/generator304/requestcdn/2baseasyncauth/flower/8mariadbbetter/2wp/eternalcpubigloadtemporary.php"; depth:131; nocase; http.host; content:"45.9.73.82"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239881; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239879/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videovmsecureupdateauthserverbasepublic.php"; depth:44; nocase; http.host; content:"209374cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239878; rev:1;) alert tcp $HOME_NET any -> [104.129.55.106] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239873; rev:1;) alert tcp $HOME_NET any -> [45.32.248.100] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239874; rev:1;) alert tcp $HOME_NET any -> [45.76.251.190] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239875; rev:1;) alert tcp $HOME_NET any -> [103.82.243.5] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239876; rev:1;) alert tcp 
$HOME_NET any -> [104.129.55.105] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239877; rev:1;) alert tcp $HOME_NET any -> [94.103.94.25] 13581 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/gametemporaryvoiddb7/3protonpythongame/publicprotonsecure0/updateto/7vm/update5processor3/dlewindowsrequest/low6proton/servereternal/geo/vm_updategeneratordatalife.php"; depth:175; nocase; http.host; content:"195.43.142.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239870; rev:1;) alert tcp $HOME_NET any -> [149.248.3.194] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239868; rev:1;) alert tcp $HOME_NET any -> [111.67.195.90] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; 
classtype:trojan-activity; sid:91239867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prodomainnameeforappru.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"prodomainnameeforappru.com"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1239855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"plwskoret.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"miistoria.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239857; rev:1;) alert tcp $HOME_NET any -> [87.11.7.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239866/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239866; rev:1;) alert tcp $HOME_NET any -> [31.117.164.92] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239865; rev:1;) alert tcp $HOME_NET any -> [77.0.149.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239864; rev:1;) alert tcp $HOME_NET any -> [71.250.202.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239863; rev:1;) alert tcp $HOME_NET any -> [188.54.71.27] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239862; rev:1;) alert tcp $HOME_NET any -> [154.13.28.16] 46321 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239861; rev:1;) alert tcp $HOME_NET any -> [185.209.30.112] 9202 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rf/imagevideo_securesqlasynctrackuploads.php"; depth:45; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/chunky/"; depth:19; nocase; http.host; content:"horseridinghotel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239858; rev:1;) alert tcp $HOME_NET any -> [95.20.241.72] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239853; rev:1;) alert tcp $HOME_NET any -> [172.205.219.119] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239852; rev:1;) alert tcp $HOME_NET any -> [5.249.160.250] 80 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239851; rev:1;) alert tcp $HOME_NET any -> [119.91.248.126] 8421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239850; rev:1;) alert tcp $HOME_NET any -> [44.213.214.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239849; rev:1;) alert tcp $HOME_NET any -> [64.176.169.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239848; rev:1;) alert tcp $HOME_NET any -> [52.188.58.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239847; rev:1;) alert tcp $HOME_NET any -> [176.53.182.97] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; 
sid:91239846; rev:1;) alert tcp $HOME_NET any -> [34.121.174.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239845; rev:1;) alert tcp $HOME_NET any -> [185.199.52.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239844; rev:1;) alert tcp $HOME_NET any -> [3.12.9.12] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239843; rev:1;) alert tcp $HOME_NET any -> [87.106.121.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239842; rev:1;) alert tcp $HOME_NET any -> [147.45.106.5] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239841; rev:1;) alert tcp $HOME_NET any -> [64.225.28.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1239840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cranky-easley.142-11-199-59.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239839; rev:1;) alert tcp $HOME_NET any -> [137.184.234.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239838; rev:1;) alert tcp $HOME_NET any -> [24.199.69.112] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"static.156.235.21.65.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.miner.bitron-mining.online"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239834/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miner.bitron-mining.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239835; rev:1;) alert tcp $HOME_NET any -> [188.116.24.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239833; rev:1;) alert tcp $HOME_NET any -> [188.116.24.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239832; rev:1;) alert tcp $HOME_NET any -> [147.45.45.0] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239831; rev:1;) alert tcp $HOME_NET any -> [34.116.204.231] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239830; rev:1;) alert tcp $HOME_NET any -> [77.105.132.7] 80 (msg:"ThreatFox ERMAC botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239829; rev:1;) alert tcp $HOME_NET any -> [85.202.160.45] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239828; rev:1;) alert tcp $HOME_NET any -> [3.68.135.109] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glptestasets.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap477067-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"161-35-239-147.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239823/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glptestasets.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239824; rev:1;) alert tcp $HOME_NET any -> [94.156.65.16] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239822; rev:1;) alert tcp $HOME_NET any -> [51.159.175.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239820; rev:1;) alert tcp $HOME_NET any -> [185.236.234.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239821; rev:1;) alert tcp $HOME_NET any -> [27.124.46.142] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239819; rev:1;) alert tcp $HOME_NET any -> [88.184.9.216] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239818; rev:1;) alert tcp $HOME_NET any -> [27.124.46.236] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239816; rev:1;) alert tcp $HOME_NET any -> [27.124.46.227] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239817; rev:1;) alert tcp $HOME_NET any -> [181.161.13.84] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239815; rev:1;) alert tcp $HOME_NET any -> [172.207.72.220] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239814; rev:1;) alert tcp $HOME_NET any -> [46.246.12.14] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239751/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; 
sid:91239751; rev:1;) alert tcp $HOME_NET any -> [194.147.140.176] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funny-kirch.62-210-130-233.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239812; rev:1;) alert tcp $HOME_NET any -> [146.190.36.87] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239811; rev:1;) alert tcp $HOME_NET any -> [185.216.70.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-burnell.62-210-130-233.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239810; rev:1;) alert tcp $HOME_NET any -> [185.216.70.198] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239808; rev:1;) alert tcp $HOME_NET any -> [176.123.168.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239807; rev:1;) alert tcp $HOME_NET any -> [69.46.36.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"townsfolkhiwoeko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239804; rev:1;) alert tcp $HOME_NET any -> [69.46.36.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239805; rev:1;) alert tcp $HOME_NET any -> [69.46.36.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239800/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hunterstrawmersp.homes"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mercyaloofprincipleo.pics"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239802; rev:1;) alert tcp $HOME_NET any -> [69.46.36.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gymlog.de"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"lawwormroleveinn.mom"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"developmentalveiop.homes"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239795; rev:1;) alert tcp $HOME_NET any -> [69.46.36.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baketransparentadw.pics"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brakesummitfiightre.pics"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239791; rev:1;) alert tcp $HOME_NET any -> 
[69.46.36.219] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"legislationdictater.mom"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239793; rev:1;) alert tcp $HOME_NET any -> [134.255.233.199] 63443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239794; rev:1;) alert tcp $HOME_NET any -> [69.46.36.217] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bleednumberrottern.homes"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239790; rev:1;) alert tcp $HOME_NET any -> 
[69.46.36.216] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239788; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239787; rev:1;) alert tcp $HOME_NET any -> [69.46.36.209] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239786; rev:1;) alert tcp $HOME_NET any -> [69.46.36.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239785; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239784; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239783/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239783; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239782; rev:1;) alert tcp $HOME_NET any -> [178.73.218.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239781; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239779; rev:1;) alert tcp $HOME_NET any -> [186.170.96.237] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239780; rev:1;) alert tcp $HOME_NET any -> [51.89.199.122] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239778; rev:1;) alert tcp $HOME_NET any -> [103.66.59.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239777; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239776; rev:1;) alert tcp $HOME_NET any -> [119.91.200.209] 24443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239775; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239773; rev:1;) alert tcp $HOME_NET any -> [139.9.62.69] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239774; rev:1;) alert tcp $HOME_NET any -> [43.251.159.58] 8637 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; 
classtype:trojan-activity; sid:91239772; rev:1;) alert tcp $HOME_NET any -> [110.40.168.108] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239771; rev:1;) alert tcp $HOME_NET any -> [139.9.41.156] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239770; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239768; rev:1;) alert tcp $HOME_NET any -> [167.235.58.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239769; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239767; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239766; rev:1;) alert tcp $HOME_NET any -> [185.233.203.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239765; rev:1;) alert tcp $HOME_NET any -> [185.165.169.113] 34443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239763; rev:1;) alert tcp $HOME_NET any -> [84.46.79.30] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239764; rev:1;) alert tcp $HOME_NET any -> [42.193.10.78] 48086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239762; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239761; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-214-29-253.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/refqdk/"; depth:8; nocase; http.host; content:"qxjjj.j7ute.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rdsrmpgsqf/"; depth:12; nocase; http.host; content:"is5jg.3zweuj.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"is5jg.3zweuj.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxjjj.j7ute.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239757/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_13; classtype:trojan-activity; sid:91239757; rev:1;) alert tcp $HOME_NET any -> [8.222.251.253] 32091 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239754; rev:1;) alert tcp $HOME_NET any -> [8.219.196.124] 18038 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239755; rev:1;) alert tcp $HOME_NET any -> [45.140.147.91] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239753; rev:1;) alert tcp $HOME_NET any -> [181.71.216.30] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239752; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239750/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239750; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1239749/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239749; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 465 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239748; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qichen.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239745; rev:1;) alert tcp $HOME_NET any -> [125.70.238.9] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"www.qichen.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239744/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_13; classtype:trojan-activity; sid:91239744; rev:1;) alert tcp $HOME_NET any -> [42.3.121.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239738; rev:1;) alert tcp $HOME_NET any -> [79.137.207.35] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1239741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adcac1e6.php"; depth:13; nocase; http.host; content:"vilon.000webhostapp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239740; rev:1;) alert tcp $HOME_NET any -> [154.12.84.6] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigballz.bounceme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239732; rev:1;) alert tcp $HOME_NET any -> [204.76.203.129] 7645 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"138.201.119.252"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1239730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239729; rev:1;) alert tcp $HOME_NET any -> [95.217.27.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239727; rev:1;) alert tcp $HOME_NET any -> [138.201.119.252] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; 
nocase; http.host; content:"hk-49847.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionksla.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionalsk.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionpskl.net"; depth:32; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1239678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionctfm.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditiontsma.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditiontols.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionkdna.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239682/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239682; rev:1;) alert tcp $HOME_NET any -> [103.28.32.56] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239655; rev:1;) alert tcp $HOME_NET any -> [213.248.43.58] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheatlab.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/vcpkg/files/14125503/cheat.lab.2.7.2.zip"; depth:51; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239668; rev:1;) alert tcp $HOME_NET any -> [216.118.230.115] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239726; rev:1;) alert tcp $HOME_NET any -> [181.141.40.47] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239725; rev:1;) alert tcp $HOME_NET any -> [41.99.82.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239724; rev:1;) alert tcp $HOME_NET any -> [95.20.17.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239723; rev:1;) alert tcp $HOME_NET any -> [105.102.99.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239722; rev:1;) alert tcp $HOME_NET any -> [70.31.125.60] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239721; rev:1;) alert tcp $HOME_NET any -> [92.97.115.164] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239720; rev:1;) alert tcp 
$HOME_NET any -> [138.197.56.161] 9001 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239719; rev:1;) alert tcp $HOME_NET any -> [203.41.157.230] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239718; rev:1;) alert tcp $HOME_NET any -> [159.253.120.2] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239717; rev:1;) alert tcp $HOME_NET any -> [192.109.241.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239716; rev:1;) alert tcp $HOME_NET any -> [23.229.31.21] 39561 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239715; rev:1;) alert tcp $HOME_NET any -> [37.128.207.56] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239714/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239714; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 6534 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmmultiwordpress.php"; depth:21; nocase; http.host; content:"91.107.121.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/021322b478b21e87.php"; depth:21; nocase; http.host; content:"77.105.132.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239711; rev:1;) alert tcp $HOME_NET any -> [45.227.255.164] 58888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239710; rev:1;) alert tcp $HOME_NET any -> [101.132.192.106] 60010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239709/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239709; rev:1;) alert tcp $HOME_NET any -> [43.138.128.109] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239708; rev:1;) alert tcp $HOME_NET any -> [42.194.210.177] 50040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239707; rev:1;) alert tcp $HOME_NET any -> [47.113.147.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239706/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239706; rev:1;) alert tcp $HOME_NET any -> [139.224.194.38] 50005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239705; rev:1;) alert tcp $HOME_NET any -> [140.143.142.107] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239704; rev:1;) alert tcp $HOME_NET any -> [121.37.11.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239703; rev:1;) alert tcp $HOME_NET any -> [122.51.243.31] 50266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239702; rev:1;) alert tcp $HOME_NET any -> [110.41.4.168] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239701/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239701; rev:1;) alert tcp $HOME_NET any -> [62.234.46.238] 6543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239700; rev:1;) alert tcp $HOME_NET any -> [91.103.253.227] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239699; rev:1;) alert tcp $HOME_NET any -> [107.189.14.144] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; 
classtype:trojan-activity; sid:91239698; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1981 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239697; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2045 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239696; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239695; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239694; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239693; rev:1;) alert tcp $HOME_NET any -> [20.7.67.78] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1239692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239692; rev:1;) alert tcp $HOME_NET any -> [185.216.70.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239691; rev:1;) alert tcp $HOME_NET any -> [194.116.173.129] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239690/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239690; rev:1;) alert tcp $HOME_NET any -> [116.202.0.229] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239689; rev:1;) alert tcp $HOME_NET any -> [116.202.0.229] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239688; rev:1;) alert tcp $HOME_NET any -> [147.45.75.185] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"134.122.52.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janxworm9090.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239671; rev:1;) alert tcp $HOME_NET any -> [194.147.140.138] 9090 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239670; rev:1;) alert tcp $HOME_NET any -> [46.246.82.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239666; rev:1;) alert tcp $HOME_NET any -> [187.170.239.221] 995 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239665; rev:1;) alert tcp $HOME_NET any -> [41.96.177.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239664; rev:1;) alert tcp $HOME_NET any -> [121.121.101.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239663; rev:1;) alert tcp $HOME_NET any -> [41.136.51.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239662; rev:1;) alert tcp $HOME_NET any -> [197.14.148.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239661; rev:1;) alert tcp $HOME_NET any -> [70.31.125.60] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239660; rev:1;) alert tcp $HOME_NET any -> [170.187.207.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239659; rev:1;) alert tcp $HOME_NET any -> [170.187.207.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239658; rev:1;) alert tcp $HOME_NET any -> [5.75.211.197] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239657; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 1610 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239652; rev:1;) alert tcp $HOME_NET any -> [94.156.68.226] 3787 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239653; rev:1;) alert tcp $HOME_NET any -> [45.155.91.135] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.6.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.165.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karl3on"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.101.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199637071579"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239645; rev:1;) alert tcp $HOME_NET any -> [65.109.242.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239641; rev:1;) alert tcp $HOME_NET any -> [159.69.101.193] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239642; rev:1;) alert tcp $HOME_NET any -> [116.203.6.77] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239643; rev:1;) alert tcp $HOME_NET any -> [116.203.165.197] 9000 (msg:"ThreatFox Vidar botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239644; rev:1;) alert tcp $HOME_NET any -> [46.246.80.9] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239640; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 1609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239639; rev:1;) alert tcp $HOME_NET any -> [194.38.20.230] 6666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"file.fmwhat.download"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmwhatsapp_v9.98.apk"; depth:21; nocase; http.host; content:"file.fmwhat.download"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1239636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239636; rev:1;) alert tcp $HOME_NET any -> [95.20.241.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239634; rev:1;) alert tcp $HOME_NET any -> [46.232.249.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239633; rev:1;) alert tcp $HOME_NET any -> [135.148.115.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239632; rev:1;) alert tcp $HOME_NET any -> [128.199.65.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239631; rev:1;) alert tcp $HOME_NET any -> [116.118.49.164] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239630; rev:1;) alert tcp $HOME_NET any -> [45.153.229.71] 5000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239629; rev:1;) alert tcp $HOME_NET any -> [34.116.253.50] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239628; rev:1;) alert tcp $HOME_NET any -> [5.206.224.7] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-26-55-9.cprapid.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239626; rev:1;) alert tcp $HOME_NET any -> [185.16.39.253] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239625; rev:1;) alert tcp $HOME_NET any -> [177.138.248.251] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239624/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239624; rev:1;) alert tcp $HOME_NET any -> [204.44.124.8] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239623; rev:1;) alert tcp $HOME_NET any -> [62.210.130.233] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239622; rev:1;) alert tcp $HOME_NET any -> [69.46.36.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239621; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239620; rev:1;) alert tcp $HOME_NET any -> [45.88.186.16] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239619; rev:1;) alert tcp $HOME_NET any -> [185.196.9.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239618; rev:1;) alert tcp $HOME_NET any -> [139.9.62.69] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239617; rev:1;) alert tcp $HOME_NET any -> [37.32.13.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239616; rev:1;) alert tcp $HOME_NET any -> [148.72.132.181] 43255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239615; rev:1;) alert tcp $HOME_NET any -> [185.229.225.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239614; rev:1;) alert tcp $HOME_NET any -> [54.169.210.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239613; rev:1;) alert tcp $HOME_NET any -> [143.110.176.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.127.103.78.5.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"199.60.149.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/500ae1b3.php"; depth:13; nocase; http.host; content:"lilbabyfan.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmd/0.015044926305028627.dat"; depth:29; nocase; http.host; content:"musicclubcompany.com"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1239608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvv/0.7619553765651503.dat"; depth:27; nocase; http.host; content:"finderunion.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bvkz/0.16410464051883017.dat"; depth:30; nocase; http.host; content:"berringtonnews.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239606; rev:1;) alert tcp $HOME_NET any -> [86.38.225.108] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239603; rev:1;) alert tcp $HOME_NET any -> [86.38.225.106] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239604; rev:1;) alert tcp $HOME_NET any -> [86.38.225.105] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1239605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"108.165.106.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"13.36.225.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"185.216.70.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239599/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_12; classtype:trojan-activity; sid:91239599; rev:1;) alert tcp $HOME_NET any -> [13.36.225.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"13.36.225.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.24.130.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239596; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239595; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239594; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239592; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haha.skyljne.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239590; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 19990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239589; rev:1;) alert tcp $HOME_NET any -> [146.190.244.20] 9932 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239588; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"108.165.106.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239586; rev:1;) alert tcp $HOME_NET any -> [159.100.30.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css"; depth:4; nocase; http.host; content:"sbdatabase.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239584; rev:1;) alert tcp $HOME_NET any -> [95.217.209.180] 443 (msg:"ThreatFox 
Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239582; rev:1;) alert tcp $HOME_NET any -> [95.217.243.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.118.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239578; rev:1;) alert tcp $HOME_NET any -> [78.47.174.101] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239579; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239580; rev:1;) alert tcp $HOME_NET any -> [49.12.101.249] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.174.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.191.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.209.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.101.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipetopythonjsrequesthttpwordpress.php"; depth:39; nocase; http.host; content:"bobrcurw.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0914338.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mb-testing.azureedge.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239565; rev:1;) alert tcp $HOME_NET any -> [216.118.230.114] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239570/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239570; rev:1;) alert tcp $HOME_NET any -> [216.118.230.116] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239569; rev:1;) alert tcp $HOME_NET any -> [79.107.157.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239568; rev:1;) alert tcp $HOME_NET any -> [5.194.147.107] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239567; rev:1;) alert tcp $HOME_NET any -> [72.27.164.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239566; rev:1;) alert tcp $HOME_NET any -> [45.95.169.103] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239564; rev:1;) alert tcp $HOME_NET any -> [188.127.235.191] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239563; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 7771 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyndnero.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239474/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239474; rev:1;) alert tcp $HOME_NET any -> [46.246.6.12] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsprocessflowertrafficdownloads.php"; depth:36; nocase; http.host; content:"685938cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/privateto_/universaldownloads/better/publichttpwindows9/request2/serverdownloads6sql/936/httphttplocalsql/31/cpu0temppublic/requestwordpressgametest/linux5dlegame/wordpress2privatedump/imagegame_protect/vmprotect.php"; depth:217; nocase; http.host; content:"62.109.13.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239561; rev:1;) alert tcp $HOME_NET any -> [142.154.95.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239559; rev:1;) alert tcp $HOME_NET any -> [13.246.66.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239558; rev:1;) alert tcp $HOME_NET any -> [43.139.43.200] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239557; rev:1;) alert tcp $HOME_NET any -> [194.163.154.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239556; rev:1;) alert tcp $HOME_NET any -> [137.184.108.32] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239555; rev:1;) alert tcp $HOME_NET any -> [185.7.52.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239554; rev:1;) alert tcp $HOME_NET any -> [49.13.48.92] 53721 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239553; rev:1;) alert tcp $HOME_NET any -> [54.155.137.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239552; rev:1;) alert tcp $HOME_NET any -> [31.223.68.157] 2223 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239551; rev:1;) alert tcp $HOME_NET any -> [159.146.122.238] 2223 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239550/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239550; rev:1;) alert tcp $HOME_NET any -> [34.230.194.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239549; rev:1;) alert tcp $HOME_NET any -> [195.35.52.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239548; rev:1;) alert tcp $HOME_NET any -> [185.247.224.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239547; rev:1;) alert tcp $HOME_NET any -> [35.200.164.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239546; rev:1;) alert tcp $HOME_NET any -> [51.68.175.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239545; rev:1;) alert tcp $HOME_NET any -> [34.130.87.37] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkerjeki.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239543; rev:1;) alert tcp $HOME_NET any -> [212.64.217.73] 8686 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239542; rev:1;) alert tcp $HOME_NET any -> [204.216.223.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239541; rev:1;) alert tcp $HOME_NET any -> [42.96.2.220] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239539; rev:1;) alert tcp $HOME_NET any -> [42.119.113.85] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239540/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_12; classtype:trojan-activity; sid:91239540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-86-17-63.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239538; rev:1;) alert tcp $HOME_NET any -> [54.88.105.125] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239537; rev:1;) alert tcp $HOME_NET any -> [94.156.65.246] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239536; rev:1;) alert tcp $HOME_NET any -> [83.97.73.229] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239535; rev:1;) alert tcp $HOME_NET any -> [77.232.130.4] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239534; rev:1;) alert tcp $HOME_NET any -> [194.48.251.184] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239533; rev:1;) alert tcp $HOME_NET any -> [197.119.85.192] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239532; rev:1;) alert tcp $HOME_NET any -> [123.206.29.183] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239531; rev:1;) alert tcp $HOME_NET any -> [86.126.4.236] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239530; rev:1;) alert tcp $HOME_NET any -> [154.245.89.99] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reporttest.rubecon.co.za"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239528; rev:1;) alert tcp $HOME_NET any -> [45.79.196.203] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-79-196-203.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239526; rev:1;) alert tcp $HOME_NET any -> [51.120.7.94] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239525; rev:1;) alert tcp $HOME_NET any -> [185.81.157.203] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239523; rev:1;) alert tcp $HOME_NET any -> [82.102.23.170] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239524; rev:1;) alert tcp $HOME_NET any -> [185.81.157.211] 9191 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.197.203.76.144.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"883217.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgaf.catboy.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239519; rev:1;) alert tcp $HOME_NET any -> [89.23.103.187] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239516/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_12; classtype:trojan-activity; sid:91239516; rev:1;) alert tcp $HOME_NET any -> [93.123.39.152] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239517; rev:1;) alert tcp $HOME_NET any -> [95.216.123.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239515; rev:1;) alert tcp $HOME_NET any -> [185.172.128.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ansible-tower-pocket-node1.validatorsheaven.network"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"64-225-100-2.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239512; rev:1;) alert tcp $HOME_NET any -> [185.196.9.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239510; rev:1;) alert tcp $HOME_NET any -> [46.101.195.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239511; rev:1;) alert tcp $HOME_NET any -> [35.202.200.238] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239509; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239507; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239508; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239506; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 3003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239504; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239505; rev:1;) alert tcp $HOME_NET any -> [20.81.43.192] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srxy123.is-a-geek.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239502; rev:1;) alert tcp $HOME_NET any -> [185.81.157.106] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239500; rev:1;) alert tcp $HOME_NET any -> [185.81.157.183] 9696 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239501; rev:1;) alert tcp $HOME_NET any -> [216.118.230.117] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239499; rev:1;) alert tcp $HOME_NET any -> [20.52.118.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239498/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_12; classtype:trojan-activity; sid:91239498; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239497; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239496; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239495; rev:1;) alert tcp $HOME_NET any -> 
[187.135.95.35] 1628 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239493; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239494; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2280 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239492; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239490; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239491; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239489/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239489; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239488; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239486; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239487; rev:1;) alert tcp $HOME_NET any -> [177.222.224.56] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239485; rev:1;) alert tcp $HOME_NET any -> [31.43.159.234] 1605 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239484; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239482; rev:1;) alert tcp $HOME_NET any -> [51.38.226.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239483; rev:1;) alert tcp $HOME_NET any -> [83.97.20.183] 48080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239481; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 11011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239480; rev:1;) alert tcp $HOME_NET any -> [8.137.50.92] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239479; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239478; rev:1;) alert tcp $HOME_NET any -> [111.90.150.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp.pioneerprinters.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/9/9/windowspublic/5voiddb/6process3/8/serverdbdatalifedle.php"; depth:66; nocase; http.host; content:"91.107.121.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239475; rev:1;) alert tcp $HOME_NET any -> [173.212.224.123] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hom.cabul.bbtecno.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; 
sid:91239471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.cabul.bbtecno.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239470; rev:1;) alert tcp $HOME_NET any -> [64.225.111.119] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.mb-testing.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239468; rev:1;) alert tcp $HOME_NET any -> [103.186.215.56] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239462; rev:1;) alert tcp $HOME_NET any -> [5.182.87.145] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239461; rev:1;) alert tcp $HOME_NET any -> [78.19.61.12] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239460; 
rev:1;) alert tcp $HOME_NET any -> [157.254.20.34] 6607 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"61.163.138.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239458; rev:1;) alert tcp $HOME_NET any -> [193.242.211.154] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239457; rev:1;) alert tcp $HOME_NET any -> [91.211.247.89] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239456; rev:1;) alert tcp $HOME_NET any -> [185.237.206.77] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239455; rev:1;) alert tcp $HOME_NET any -> [117.50.162.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccuk.edenexit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239449; rev:1;) alert tcp $HOME_NET any -> [94.156.69.147] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winkimedia.it"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239450; rev:1;) alert tcp $HOME_NET any -> [94.156.71.221] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1239452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239452; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239448; rev:1;) alert tcp $HOME_NET any -> [45.153.230.56] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239446; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14114 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"53d5-66-154-102-195.ngrok-free.app"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; 
classtype:trojan-activity; sid:91239444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.68.248.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"139.196.191.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0linuxcdnpipe/windowsto/providerproton/347/auth5dumpjs/84geotemporary/vmto_processauthlongpolltraffictrackcdn.php"; depth:114; nocase; http.host; content:"217.25.94.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239441; rev:1;) alert tcp $HOME_NET any -> [85.192.32.83] 1194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cr13705.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbdatabase.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239438; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 17032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239073/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239073; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 17032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239074/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"teaigame.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/teai_demo.exe"; depth:19; nocase; 
http.host; content:"teaigame.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"78.85.17.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239072; rev:1;) alert tcp $HOME_NET any -> [104.236.71.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/926-87643065-0301867/field-keywords=time"; depth:60; nocase; http.host; content:"104.236.71.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239068; rev:1;) alert tcp $HOME_NET any -> [193.233.132.167] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239067; rev:1;) alert tcp $HOME_NET any -> [185.215.113.32] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support-ntc.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdmx-financegovpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharepakistan-mofa.viewdns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogdcl.servehttp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-ptclnetpk.servehttp.com"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piac-compk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveirc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveblog.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news-ptvcompk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1238924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offer-ptclnetpk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmail-armymilbd.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navy-govbd.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailhitgovpk.servehalflife.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanfung.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238921/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.myddns.me"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofapk.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.gotdns.ch"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; 
sid:91238916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdpgovpk.servehalflife.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrmis-financegovpk.serveftp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.servequake.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238911; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveblog.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"financegovpk.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"circular-financegov.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eservice-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"cap-mofapk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehalflife.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofagovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory-cabinetgpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"peces.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238884/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238884; rev:1;) alert tcp $HOME_NET any -> [46.246.84.15] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238802; rev:1;) alert tcp $HOME_NET any -> [171.228.211.109] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238805/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kami.shopkami.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238935; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 13977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239002/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_11; classtype:trojan-activity; sid:91239002; rev:1;) alert tcp $HOME_NET any -> [45.95.146.13] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"win32avemaria.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serenys.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enigma/index.php"; depth:17; nocase; http.host; content:"193.233.132.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yandex/index.php"; depth:17; nocase; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239013/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"junio2023.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239017; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239046; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239047/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239065; rev:1;) alert tcp $HOME_NET any -> [216.118.230.118] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239064; rev:1;) alert tcp $HOME_NET any -> [154.9.249.116] 8888 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239063; rev:1;) alert tcp $HOME_NET any -> [185.193.126.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239062; rev:1;) alert tcp $HOME_NET any -> [124.220.0.201] 4849 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239061; rev:1;) alert tcp $HOME_NET any -> [41.98.245.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239060; rev:1;) alert tcp $HOME_NET any -> [160.176.66.130] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239059; rev:1;) alert tcp $HOME_NET any -> [151.30.51.255] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; 
classtype:trojan-activity; sid:91239058; rev:1;) alert tcp $HOME_NET any -> [84.155.10.84] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239057; rev:1;) alert tcp $HOME_NET any -> [117.200.61.202] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239056; rev:1;) alert tcp $HOME_NET any -> [5.182.36.131] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239055; rev:1;) alert tcp $HOME_NET any -> [121.127.33.246] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239054; rev:1;) alert tcp $HOME_NET any -> [43.132.212.200] 22694 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239053; rev:1;) alert tcp $HOME_NET any -> [45.61.159.30] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239052; rev:1;) alert tcp $HOME_NET any -> [159.69.207.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239051; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239050; rev:1;) alert tcp $HOME_NET any -> [91.238.181.248] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239049; rev:1;) alert tcp $HOME_NET any -> [45.76.46.64] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239048; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239045; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239044; rev:1;) alert tcp $HOME_NET any -> [132.226.123.210] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239043; rev:1;) alert tcp $HOME_NET any -> [47.120.50.234] 35550 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239042; rev:1;) alert tcp $HOME_NET any -> [43.154.39.87] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239041/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239041; rev:1;) alert tcp $HOME_NET any -> [149.50.211.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239040/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239040; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239039/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; 
classtype:trojan-activity; sid:91239039; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 50017 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239038/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239038; rev:1;) alert tcp $HOME_NET any -> [31.192.235.73] 48126 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239037/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239037; rev:1;) alert tcp $HOME_NET any -> [101.43.2.243] 26356 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239036/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239036; rev:1;) alert tcp $HOME_NET any -> [175.178.83.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239035/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239035; rev:1;) alert tcp $HOME_NET any -> [208.68.36.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239034/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239034; rev:1;) alert tcp $HOME_NET any -> [120.79.154.38] 55667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239033/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239033; rev:1;) alert tcp $HOME_NET any -> [1.117.117.147] 2020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239032/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239032; rev:1;) alert tcp $HOME_NET any -> [74.48.158.197] 30080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239031/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239031; rev:1;) alert tcp $HOME_NET any -> [1.15.248.225] 38248 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239030/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239030; rev:1;) alert tcp $HOME_NET any -> [124.222.234.106] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239029; rev:1;) alert tcp $HOME_NET any -> [20.231.208.182] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239028/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239028; rev:1;) alert tcp $HOME_NET 
any -> [101.201.224.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239027; rev:1;) alert tcp $HOME_NET any -> [159.223.77.150] 58393 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239026; rev:1;) alert tcp $HOME_NET any -> [117.72.35.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239025; rev:1;) alert tcp $HOME_NET any -> [120.48.101.89] 37128 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239024; rev:1;) alert tcp $HOME_NET any -> [68.183.86.25] 49492 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239023; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239022; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239020; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0905554.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239018; rev:1;) alert tcp $HOME_NET any -> [167.86.86.15] 3333 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239015/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"45.90.217.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239010; rev:1;) alert tcp $HOME_NET any -> [20.226.21.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239009; rev:1;) alert tcp $HOME_NET any -> [5.42.64.44] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239008; rev:1;) alert tcp $HOME_NET any -> [45.77.240.40] 25887 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239007/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blsswk93ex/index.php"; depth:21; nocase; http.host; content:"5.42.64.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239005; rev:1;) alert tcp $HOME_NET any -> [185.103.100.197] 19049 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239004; rev:1;) alert tcp $HOME_NET any -> [67.71.30.57] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239001; rev:1;) alert tcp $HOME_NET any -> [149.109.109.136] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239000; rev:1;) alert tcp $HOME_NET any -> [78.18.250.125] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238999; rev:1;) alert tcp $HOME_NET any -> 
[39.40.155.114] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238998; rev:1;) alert tcp $HOME_NET any -> [45.66.248.84] 42282 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238997; rev:1;) alert tcp $HOME_NET any -> [163.197.247.155] 8889 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238996; rev:1;) alert tcp $HOME_NET any -> [40.87.135.62] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238995; rev:1;) alert tcp $HOME_NET any -> [65.21.64.132] 34779 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.94.202.169"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238993; rev:1;) alert tcp $HOME_NET any -> [34.34.10.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238992; rev:1;) alert tcp $HOME_NET any -> [3.75.189.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238991; rev:1;) alert tcp $HOME_NET any -> [165.232.179.158] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238990; rev:1;) alert tcp $HOME_NET any -> [181.32.143.15] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238989; rev:1;) alert tcp $HOME_NET any -> [13.49.116.113] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238988; rev:1;) alert tcp 
$HOME_NET any -> [122.150.85.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238987; rev:1;) alert tcp $HOME_NET any -> [173.212.228.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238986; rev:1;) alert tcp $HOME_NET any -> [41.78.73.219] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238985; rev:1;) alert tcp $HOME_NET any -> [78.186.239.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238984; rev:1;) alert tcp $HOME_NET any -> [172.174.245.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238983; rev:1;) alert tcp $HOME_NET any -> [54.198.97.186] 5432 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238982; rev:1;) alert tcp $HOME_NET any -> [118.31.49.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blogger.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eco-academy.virtualidevs.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238979; rev:1;) alert tcp $HOME_NET any -> [49.51.69.128] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nanasuuakiaa.host"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; 
classtype:trojan-activity; sid:91238977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.x3qc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238976; rev:1;) alert tcp $HOME_NET any -> [103.65.235.21] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238975; rev:1;) alert tcp $HOME_NET any -> [93.123.39.165] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-175-203-218.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238973; rev:1;) alert tcp $HOME_NET any -> [23.94.66.115] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238972; rev:1;) alert tcp $HOME_NET any -> [185.194.216.22] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238970; rev:1;) alert tcp $HOME_NET any -> [87.98.147.251] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238971; rev:1;) alert tcp $HOME_NET any -> [4.178.96.222] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238969; rev:1;) alert tcp $HOME_NET any -> [113.30.191.40] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238968; rev:1;) alert tcp $HOME_NET any -> [176.113.115.243] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238967; rev:1;) alert tcp $HOME_NET any -> [193.222.96.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238966; rev:1;) alert tcp $HOME_NET any 
-> [178.33.57.149] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238965; rev:1;) alert tcp $HOME_NET any -> [178.33.57.149] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staging.recruitis.josefbenjac.cz"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.dalkson.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-244-129-215.eu-west-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"zqpvr01.sandcats.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-199-117-47.ap-northeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238959; rev:1;) alert tcp $HOME_NET any -> [159.100.13.218] 1606 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238958; rev:1;) alert tcp $HOME_NET any -> [37.120.237.196] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238957; rev:1;) alert tcp $HOME_NET any -> [185.216.70.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238956; rev:1;) alert tcp $HOME_NET any -> [185.216.70.224] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238955/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_10; classtype:trojan-activity; sid:91238955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"056hg568786.f4r5t5y8hh8.click"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238954; rev:1;) alert tcp $HOME_NET any -> [92.63.104.174] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238952; rev:1;) alert tcp $HOME_NET any -> [77.73.129.77] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238953; rev:1;) alert tcp $HOME_NET any -> [185.189.196.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238950; rev:1;) alert tcp $HOME_NET any -> [34.72.157.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238951; rev:1;) alert tcp $HOME_NET any -> [40.66.42.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238949; rev:1;) alert tcp $HOME_NET any -> [104.156.247.38] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238948; rev:1;) alert tcp $HOME_NET any -> [114.116.231.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238947; rev:1;) alert tcp $HOME_NET any -> [163.197.247.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238946/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_10; classtype:trojan-activity; sid:91238946; rev:1;) alert tcp $HOME_NET any -> [119.91.77.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238945/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_10; classtype:trojan-activity; sid:91238945; rev:1;) alert tcp $HOME_NET any -> [5.45.111.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238943; rev:1;) 
alert tcp $HOME_NET any -> [5.45.111.146] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238944; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238942; rev:1;) alert tcp $HOME_NET any -> [124.220.53.223] 4543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238941; rev:1;) alert tcp $HOME_NET any -> [134.122.164.195] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238940; rev:1;) alert tcp $HOME_NET any -> [51.38.226.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238939; rev:1;) alert tcp $HOME_NET any -> [201.27.182.215] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238937; rev:1;) alert tcp $HOME_NET any -> [196.235.228.141] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202305171327228750.powersrv.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238936; rev:1;) alert tcp $HOME_NET any -> [147.45.47.96] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238899; rev:1;) alert tcp $HOME_NET any -> [91.92.241.128] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238898; rev:1;) alert tcp $HOME_NET any -> [46.246.6.2] 2121 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238897; rev:1;) alert tcp $HOME_NET any -> [91.92.241.121] 2023 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238896; rev:1;) alert tcp $HOME_NET any -> [91.92.241.39] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238895; rev:1;) alert tcp $HOME_NET any -> [150.143.137.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238894; rev:1;) alert tcp $HOME_NET any -> [54.169.174.23] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238893; rev:1;) alert tcp $HOME_NET any -> [45.79.196.203] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238892; rev:1;) alert tcp $HOME_NET any -> [61.19.254.6] 2123 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; 
classtype:trojan-activity; sid:91238891; rev:1;) alert tcp $HOME_NET any -> [165.154.132.129] 50013 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238890; rev:1;) alert tcp $HOME_NET any -> [18.117.144.139] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238889; rev:1;) alert tcp $HOME_NET any -> [40.90.255.165] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238888; rev:1;) alert tcp $HOME_NET any -> [136.54.125.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238887; rev:1;) alert tcp $HOME_NET any -> [43.132.212.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238886; rev:1;) alert tcp $HOME_NET any -> [185.119.118.59] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238885; rev:1;) alert tcp $HOME_NET any -> [46.246.82.3] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05b89c2203fb7bde.php"; depth:21; nocase; http.host; content:"77.105.132.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptjsdownloads.php"; depth:32; nocase; http.host; content:"007017cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916186.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238872; rev:1;) alert tcp $HOME_NET any -> [5.42.66.25] 3000 (msg:"ThreatFox ObserverStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"vpn.nsgocus.cn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.0-2.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238858; rev:1;) alert tcp $HOME_NET any -> [178.128.229.91] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238859; rev:1;) alert tcp $HOME_NET any -> [154.22.123.68] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.theasiagroupai.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238856; rev:1;) alert tcp $HOME_NET any -> [45.77.116.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238855/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.startupmartec.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238854; rev:1;) alert tcp $HOME_NET any -> [199.247.30.209] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.thenewbees.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238852; rev:1;) alert tcp $HOME_NET any -> [18.222.142.217] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.sstr.com.br"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238850; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.pwd-reset.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238848; rev:1;) alert tcp $HOME_NET any -> [63.34.195.83] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238849; rev:1;) alert tcp $HOME_NET any -> [173.212.224.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cupdater.bbtecno.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"cupdater.bbtecno.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"94.156.65.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238844; rev:1;) alert tcp $HOME_NET any -> [146.235.52.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238843; rev:1;) alert tcp $HOME_NET any -> [13.82.186.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238842; rev:1;) alert tcp $HOME_NET any -> [94.156.68.217] 3162 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238841; rev:1;) alert tcp $HOME_NET any -> [31.117.188.253] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238840; rev:1;) alert tcp $HOME_NET any -> [105.155.185.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238839; rev:1;) alert tcp $HOME_NET any -> [50.35.141.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238838; rev:1;) alert tcp $HOME_NET any -> [109.154.155.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238837; rev:1;) alert tcp $HOME_NET any -> [117.200.61.203] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238836; rev:1;) alert tcp $HOME_NET any -> [117.200.61.205] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238835; rev:1;) alert tcp $HOME_NET any -> [5.182.36.131] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238834; rev:1;) alert tcp $HOME_NET any -> [185.189.196.191] 40056 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238833; rev:1;) alert tcp $HOME_NET any -> [114.29.237.119] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238832; rev:1;) alert tcp $HOME_NET any -> [172.202.30.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238831; rev:1;) alert tcp $HOME_NET any -> [104.238.60.87] 2696 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238830; rev:1;) alert tcp $HOME_NET any -> [45.148.132.134] 12345 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238829; rev:1;) alert tcp $HOME_NET any -> [167.86.85.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238828; 
rev:1;) alert tcp $HOME_NET any -> [5.189.152.51] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238827; rev:1;) alert tcp $HOME_NET any -> [13.52.244.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0909872.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db059622.php"; depth:13; nocase; http.host; content:"a0916535.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238824; rev:1;) alert tcp $HOME_NET any -> [124.71.84.65] 8062 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238823; rev:1;) alert tcp 
$HOME_NET any -> [111.92.240.246] 50550 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238822; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238821; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1710 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238820; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238819; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238818; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238817/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238817; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238816; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238815; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238814; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238813/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238813; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238812/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238812; rev:1;) alert tcp $HOME_NET any -> [34.141.15.123] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238811/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238811; rev:1;) alert tcp $HOME_NET any -> [35.246.183.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238810; rev:1;) alert tcp $HOME_NET any -> [154.245.7.231] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238809/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238809; rev:1;) alert tcp $HOME_NET any -> [92.246.136.161] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238808/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"workonz7.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238804; rev:1;) alert tcp $HOME_NET any -> [91.92.244.55] 13002 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"123.234.75.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238801; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238800; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238798; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238799/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238799; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238797; rev:1;) alert tcp $HOME_NET any -> [38.255.33.106] 7896 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238796; rev:1;) alert tcp $HOME_NET any -> [8.213.208.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238795; rev:1;) alert tcp $HOME_NET any -> [8.134.69.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238794; rev:1;) alert tcp $HOME_NET any -> [41.96.89.253] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238793; rev:1;) alert tcp $HOME_NET any -> [78.167.158.62] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238792; rev:1;) alert tcp $HOME_NET any -> [109.145.252.188] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238791; rev:1;) alert tcp $HOME_NET any -> [31.53.190.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238790; rev:1;) alert tcp $HOME_NET any -> [216.137.205.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238789; rev:1;) alert tcp $HOME_NET any -> [117.200.61.201] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238788; rev:1;) alert tcp $HOME_NET any -> [165.227.122.136] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238787; rev:1;) alert tcp $HOME_NET any -> [108.181.0.232] 
80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238786; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 58637 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238785; rev:1;) alert tcp $HOME_NET any -> [178.189.215.120] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238784; rev:1;) alert tcp $HOME_NET any -> [168.100.8.112] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238783; rev:1;) alert tcp $HOME_NET any -> [193.233.132.195] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviceicloud.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238714/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visualstudioupdater"; depth:20; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/data.php"; depth:15; nocase; http.host; content:"mysticselect.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maconlineoffice.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zshrc2"; depth:7; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visualstudioupdaterls2"; depth:23; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zshrc"; depth:6; nocase; http.host; content:"sarkerrentacars.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/previewers"; depth:11; nocase; http.host; content:"turkishfurniture.blog"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238719; rev:1;) alert tcp $HOME_NET any -> [193.29.13.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238720; rev:1;) alert tcp $HOME_NET any -> [88.214.26.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238721; rev:1;) 
alert tcp $HOME_NET any -> [193.29.13.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-uk.widgetsfordeploy.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238779; rev:1;) alert tcp $HOME_NET any -> [88.214.26.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trans1ategooglecom.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saintelzearlava.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238781; rev:1;) alert tcp $HOME_NET any -> [80.66.85.145] 27441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238704; rev:1;) alert tcp $HOME_NET any -> [5.231.1.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238706/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238706; rev:1;) alert tcp $HOME_NET any -> [5.181.202.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238707/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238707; rev:1;) alert tcp $HOME_NET any -> [45.129.199.163] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238708/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238708; rev:1;) alert tcp $HOME_NET any -> [47.115.206.4] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238778; rev:1;) alert tcp $HOME_NET any -> [54.169.49.63] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238777; 
rev:1;) alert tcp $HOME_NET any -> [163.5.169.23] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238776; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 14014 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238775; rev:1;) alert tcp $HOME_NET any -> [58.53.128.67] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238774; rev:1;) alert tcp $HOME_NET any -> [74.48.164.62] 8040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238773; rev:1;) alert tcp $HOME_NET any -> [108.160.135.65] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238772; rev:1;) alert tcp $HOME_NET any -> [154.223.17.64] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238771; rev:1;) alert tcp $HOME_NET any -> [47.104.179.218] 65534 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238770; rev:1;) alert tcp $HOME_NET any -> [82.117.255.175] 51150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238769; rev:1;) alert tcp $HOME_NET any -> [111.231.22.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238768; rev:1;) alert tcp $HOME_NET any -> [8.140.147.193] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238767; rev:1;) alert tcp $HOME_NET any -> [91.245.253.68] 37982 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238766; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 11699 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238765; rev:1;) alert tcp $HOME_NET any -> [43.132.175.126] 60666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238764; rev:1;) alert tcp $HOME_NET any -> [208.83.237.247] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238763; rev:1;) alert tcp $HOME_NET any -> [124.220.185.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238762; rev:1;) alert tcp $HOME_NET any -> [43.139.189.54] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238761; rev:1;) alert tcp $HOME_NET any -> [101.43.127.45] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238760/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238760; rev:1;) alert tcp $HOME_NET any -> [47.99.151.68] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238759; rev:1;) alert tcp $HOME_NET any -> [8.219.228.210] 50010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238758/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238758; rev:1;) alert tcp $HOME_NET any -> [5.255.124.188] 33136 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238757; rev:1;) alert tcp $HOME_NET any -> [61.75.17.84] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238756; rev:1;) alert tcp $HOME_NET any -> [176.97.73.6] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238755; rev:1;) alert tcp $HOME_NET any -> [193.233.132.195] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238754; rev:1;) alert tcp $HOME_NET any -> [195.2.76.141] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238753/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238753; rev:1;) alert tcp $HOME_NET any -> [193.233.132.152] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238752/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238752; rev:1;) alert tcp $HOME_NET any -> [45.15.156.161] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238751; rev:1;) alert tcp $HOME_NET any -> [195.20.16.225] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238750; rev:1;) alert tcp $HOME_NET any -> [41.216.183.87] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238749; 
rev:1;) alert tcp $HOME_NET any -> [195.20.16.127] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238748/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238748; rev:1;) alert tcp $HOME_NET any -> [195.20.16.226] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238747/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238747; rev:1;) alert tcp $HOME_NET any -> [195.20.16.227] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238746/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238746; rev:1;) alert tcp $HOME_NET any -> [116.202.3.242] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238745/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238745; rev:1;) alert tcp $HOME_NET any -> [88.198.107.6] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238744/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238744; rev:1;) alert tcp $HOME_NET any -> [95.217.215.24] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238743/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238743; rev:1;) alert tcp $HOME_NET any -> [78.46.251.181] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238742/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238742; rev:1;) alert tcp $HOME_NET any -> [88.99.38.67] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238741/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238741; rev:1;) alert tcp $HOME_NET any -> [5.75.209.125] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238740; rev:1;) alert tcp $HOME_NET any -> [5.75.215.113] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238739/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238739; rev:1;) alert tcp $HOME_NET any -> [49.12.118.45] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238738/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238738; rev:1;) alert tcp $HOME_NET any -> [49.12.118.45] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238737/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238737; rev:1;) alert tcp $HOME_NET any -> [5.75.211.127] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238736/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238736; rev:1;) alert tcp $HOME_NET any -> [94.158.247.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238735/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.130.79.120"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"129.226.154.245"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; 
nocase; http.host; content:"78.128.112.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"111.230.12.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.153.34.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/11/lvjh6wkebixyop5aqcjtb"; depth:57; nocase; http.host; content:"aws-apps.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aws-apps.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ydr/1337.dat"; depth:13; nocase; http.host; content:"allstocksinc.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vno/1337.dat"; depth:13; nocase; http.host; content:"muellerinfo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vuihcgp/1337.dat"; depth:17; nocase; http.host; content:"toptrinityblog.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetodle.php"; depth:15; nocase; http.host; content:"lest1kkror.ru.swtest.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238705; rev:1;) alert tcp $HOME_NET any -> [107.148.1.41] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.nsfocus.cn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238702; rev:1;) alert tcp $HOME_NET any -> [94.20.88.63] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238701; rev:1;) alert tcp $HOME_NET any -> [23.226.138.161] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238699; rev:1;) alert tcp $HOME_NET any -> [37.60.242.86] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t6f5gi/1337.dat"; depth:16; nocase; http.host; content:"professionalficars.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ts5/1337.dat"; depth:13; nocase; http.host; content:"wealthygradi.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238696; rev:1;) alert tcp $HOME_NET any -> [129.151.142.36] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"219.151.137.139"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.222.152.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"1.62.64.108"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.222.152.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.225.14.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238689; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"rw1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238678; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 13056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238676; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 13056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238677; rev:1;) alert tcp $HOME_NET any -> [3.70.168.173] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238675/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238675; rev:1;) alert tcp $HOME_NET any -> [23.226.138.143] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238674; rev:1;) alert tcp $HOME_NET any -> [46.151.214.122] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238673; rev:1;) alert tcp $HOME_NET any -> [47.99.188.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238672; rev:1;) alert tcp $HOME_NET any -> [128.199.20.195] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238671; rev:1;) alert tcp $HOME_NET any -> [157.245.104.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238670; rev:1;) alert tcp $HOME_NET any -> [159.69.179.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238669; rev:1;) alert tcp $HOME_NET any -> [172.105.90.105] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.dnl-l.ooguy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notifications.deenpel.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238666; rev:1;) alert tcp $HOME_NET any -> [124.222.21.138] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238663; rev:1;) alert tcp $HOME_NET any -> [180.140.153.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238664/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238664; rev:1;)
# NOTE(review): the ip:port rules below carry no flow: keyword, so a single outbound SYN toward the
# listed socket is enough to alert; "threshold: type limit, track by_src, seconds 60, count 1" then
# caps output at one alert per internal source per 60 s. Alert counts therefore under-represent
# beacon cadence - use flow/netflow records, not alert volume, when measuring check-in intervals.
alert tcp $HOME_NET any -> [103.16.224.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238662; rev:1;)
alert tcp $HOME_NET any -> [147.45.45.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238660; rev:1;)
# NOTE(review): the domain rules below fire on the DNS *query* as it crosses $HOME_NET -> $EXTERNAL_NET.
# Behind an internal recursive resolver the infected client's query is HOME_NET -> HOME_NET and will
# not match; what matches (if anything) is the resolver's upstream query, and target:src_ip then
# names the resolver rather than the victim. Exclude the resolver from $HOME_NET, or correlate the
# alert with resolver query logs, to recover the true source. The pattern is anchored (depth equals
# the pattern length, followed by isdataat:!1,relative), i.e. an exact, case-insensitive match on the
# whole query name - a subdomain such as "www.x3qc.com" will NOT alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x3qc.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238661; rev:1;)
# NOTE(review): ec2-52-200-22-116.compute-1.amazonaws.com is an AWS-assigned public hostname for an
# EC2 instance; by that naming convention it resolves to 52.200.22.116. Such names are recycled when
# the instance or Elastic IP is released, so this indicator goes stale quickly. No ip:port rule for
# 52.200.22.116 is visible alongside it - check the referenced ThreatFox entry before relying on the
# DNS rule alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-200-22-116.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238659; rev:1;)
alert tcp $HOME_NET any -> [54.175.203.218] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238658; rev:1;)
alert tcp $HOME_NET any -> 
[2.36.57.107] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238657; rev:1;) alert tcp $HOME_NET any -> [185.250.45.130] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238656; rev:1;) alert tcp $HOME_NET any -> [20.241.69.111] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238655; rev:1;) alert tcp $HOME_NET any -> [5.42.92.165] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238653; rev:1;) alert tcp $HOME_NET any -> [20.241.69.111] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238654; rev:1;) alert tcp $HOME_NET any -> [94.156.64.66] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238652/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moodle1.feja111.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238651; rev:1;) alert tcp $HOME_NET any -> [93.177.100.138] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238650; rev:1;) alert tcp $HOME_NET any -> [194.48.251.220] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.129.149.13.49.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.161-35-239-147.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-153-179-54.eu-central-1.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238647; rev:1;) alert tcp $HOME_NET any -> [51.103.213.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qa-dhs.wavenet-solutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-203-167-57.ipv4.staticdns2.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthpips.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"172-105-14-104.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238641; rev:1;) alert tcp $HOME_NET any -> [162.55.40.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238640; rev:1;) alert tcp $HOME_NET any -> [73.186.83.59] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238639; rev:1;) alert tcp $HOME_NET any -> [103.120.201.75] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238638; rev:1;) alert tcp $HOME_NET any -> [147.45.45.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238637; rev:1;) alert tcp $HOME_NET any -> [91.92.254.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238636; rev:1;) alert tcp $HOME_NET any -> [150.107.201.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-79-194-172.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238633; rev:1;) alert tcp $HOME_NET any -> [95.181.173.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"android.l3harris.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238632; rev:1;) alert tcp $HOME_NET any -> [185.216.70.225] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238631; rev:1;) alert tcp $HOME_NET any -> [185.216.70.224] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kitrknis.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21.157.72.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238628; rev:1;) alert tcp $HOME_NET any -> [94.156.69.196] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238627; rev:1;) alert tcp $HOME_NET any -> [94.156.69.196] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238626; rev:1;) alert tcp $HOME_NET any -> [206.123.132.240] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238625/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238625; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238624; rev:1;) alert tcp $HOME_NET any -> [20.15.234.170] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238623/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238623; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238621; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2143 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238622; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238620; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238619; rev:1;) alert tcp $HOME_NET any -> [47.97.37.19] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238618; rev:1;) alert tcp $HOME_NET any -> [62.133.60.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238617; rev:1;) alert tcp $HOME_NET any -> [134.175.236.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238616; rev:1;) alert tcp $HOME_NET any -> [93.33.203.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238615; rev:1;) alert tcp $HOME_NET any -> [192.3.98.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238614; rev:1;) alert tcp 
$HOME_NET any -> [196.235.2.142] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238613; rev:1;) alert tcp $HOME_NET any -> [141.98.81.98] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rw1.dbgblack.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238611; rev:1;) alert tcp $HOME_NET any -> [172.245.208.5] 2060 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"merckllc.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/11da1c02f1899731.php"; depth:21; nocase; http.host; content:"217.196.98.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238608; rev:1;)
alert tcp $HOME_NET any -> [47.88.53.49] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238607/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238607; rev:1;)
# NOTE(review): the url rules on this line pin a URI *prefix* (content + depth, no end anchor, so
# "/ee48257d.php?x=1" still matches) and an *exact* Host value (depth equals the length, followed by
# isdataat:!1,relative). Presumably http.host is the lowercased, port-stripped host, so
# "Host: a0905211.xsph.ru:80" should still match - confirm against the Suricata version in use.
# Only GET is matched (http.method; content:"GET"); a POST to the same panel path will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee48257d.php"; depth:13; nocase; http.host; content:"a0905211.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238606; rev:1;)
alert tcp $HOME_NET any -> [88.214.25.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238605; rev:1;)
# NOTE(review): 192.0.2.0/24 is TEST-NET-1 (RFC 5737), reserved for documentation and not routed on
# the public Internet. Genuine C2 traffic will not carry "Host: 192.0.2.30"; this indicator most
# likely reached ThreatFox as a sanitised placeholder copied from a report or sandbox configuration.
# Treat any hit as a test artefact, and consider disabling the rule (sid 91238604) rather than
# letting it share the 100%-confidence queue.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"192.0.2.30"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238604; rev:1;)
alert tcp $HOME_NET any -> [34.79.80.97] 2376 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238603; rev:1;) alert tcp $HOME_NET any -> [84.38.132.126] 61445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238602/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238602; rev:1;) alert tcp $HOME_NET any -> [66.204.14.174] 4506 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238601/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238601; rev:1;) alert tcp $HOME_NET any -> [103.86.131.101] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238600/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238600; rev:1;) alert tcp $HOME_NET any -> [164.92.225.82] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238599/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238599; rev:1;) alert tcp $HOME_NET any -> [178.18.246.136] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238598; rev:1;) alert tcp $HOME_NET any -> [40.66.42.165] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238597; rev:1;) alert tcp $HOME_NET any -> [20.117.106.245] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238596; rev:1;) alert tcp $HOME_NET any -> [97.118.34.90] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238595; rev:1;) alert tcp $HOME_NET any -> [67.71.30.57] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238594; rev:1;) alert tcp $HOME_NET any -> [12.22.160.81] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238593; rev:1;) alert tcp $HOME_NET any -> [79.113.86.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238592; rev:1;) alert tcp $HOME_NET any -> [104.236.67.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238591; rev:1;) alert tcp $HOME_NET any -> [159.203.167.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238590; rev:1;) alert tcp $HOME_NET any -> [91.107.200.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238589; rev:1;) alert tcp $HOME_NET any -> [15.235.167.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"selebration17io.io"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vacantion18ffeu.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"valarioulinity1.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"buriatiarutuhuob.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cassiosssionunu.me"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sulugilioiu19.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"goodfooggooftool.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sjyey.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"babonwo.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"mth.com.ua"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"91.240.118.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238104; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238097; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 5204 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238075/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"microbanafler.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238066/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_09; classtype:trojan-activity; sid:91238066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonlowdbtrafficpublic.php"; depth:29; nocase; http.host; content:"837376cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"exhaustless-bracket.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238586; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238585/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/servmask.php"; depth:76; nocase; http.host; content:"takartboutique.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/litespeed-cache/lib/css-min/css-min.php"; depth:59; nocase; http.host; content:"nctest.syndicatedcapitalgh.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"cafemocha.thehostmandu.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/ectoplasm/ectoplasm/ectoplasm.php"; depth:54; nocase; http.host; content:"thegardengasteiz.com"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modules/9abb03e812/includes/functions/functions.php"; depth:52; nocase; http.host; content:"tneacounseling.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/3d-development.com/santacon/santacon.php"; depth:68; nocase; http.host; content:"thesantacon.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"new.usmortgage.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2_backup/wp-content/plugins/all-in-one-wp-migration/lib/controller/controller.php"; depth:83; nocase; 
http.host; content:"uhappyevents.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/images.php"; depth:27; nocase; http.host; content:"v775136o.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-product-search-for-woo/lib/predic-widget/assets/sass/sass.php"; depth:90; nocase; http.host; content:"ventasdetodoloqueseteocurra.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/assets/styles/styles.php"; depth:58; nocase; http.host; content:"w3qualitytime.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"mytrucknow.volomoso.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-inserter/includes/google-api/vendor/firebase/php-jwt/php-jwt.php"; depth:87; nocase; http.host; content:"altcoin-cryptocurrency-trading-platform.what-todo.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app_templates/web/up_codelogin_old/documentation/assets/blueprint-css/plugins/buttons/buttons.php"; depth:98; nocase; http.host; content:"wanimation.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"www.autojaro.sk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:52; nocase; http.host; content:"wynton45.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup/skyjumpertrampolinepark_20190301/skyjumpertrampolinepark_20190301.php"; depth:77; nocase; http.host; content:"youlovesports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guestregsystem/wp-content/plugins/all-in-one-wp-migration-with-import-master/lib/view/assets/css/css.php"; depth:105; nocase; http.host; content:"aridient.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awlandsafaris.com.php"; depth:22; nocase; http.host; content:"awlandsafaris.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238565; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"zado-shoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bulksmspull/assets/plugins/datatables-fixedheader/css/css.php"; depth:62; nocase; http.host; content:"staging.secuodsoft.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lms.tonalismo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/affiliate-wp/includes/admin/payouts/payouts.js"; depth:66; nocase; http.host; content:"student.simplelifestrategies.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentyfifteen/genericons/genericons/genericons.php"; depth:79; nocase; http.host; content:"www.darskhososy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/amp/assets/images/reader-themes/reader-themes.php"; depth:69; nocase; http.host; content:"noticiaseh.com.ar"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netzheft/wp-admin/css/colors/blue/blue.php"; depth:43; nocase; http.host; content:"netzheft.frnrw.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"employee1.1ummah.org.au"; depth:23; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro-master/assets/js/js.php"; depth:70; nocase; http.host; content:"staging.aspectuw.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bakup4_21_2021/wp-content/cache/page_enhanced/www.yourchoiceplumbers.com.au/2017/06/06.php"; depth:91; nocase; http.host; content:"www.yourchoiceplumbers.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cf7-conditional-fields/jsdoc-out/scripts/prettify/prettify.php"; depth:82; nocase; http.host; content:"assuredtreecare.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/cache.php"; depth:16; nocase; 
http.host; content:"dreclass.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.noels.be"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/plugin_epayco_woocommerce/includes/admin/admin.php"; depth:70; nocase; http.host; content:"tcmtecnologia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"nimbroeducation.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/app/mu-plugins/acf-medium-editor-field/assets/vendor/medium-editor/css/themes/themes.php"; depth:89; nocase; http.host; content:"dev.edades-west.make.technology"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/a/a/a.php"; depth:40; nocase; http.host; content:"formulario1.frontec.cl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"druck.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:74; nocase; http.host; content:"jac.b-a.group"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/all-in-one-wp-security-and-firewall.php"; depth:95; nocase; http.host; content:"vselectrics.gr"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iraq/wp-content/plugins/accesspress-social-counter/inc/backend/boards/boards.php"; depth:81; nocase; http.host; content:"nidaagroup.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/wp-content/plugins/dopts/libraries/gui/images/colorpicker/colorpicker.js"; depth:76; nocase; http.host; content:"drsohrabi.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/code-snippets/css/min/editor-themes/editor-themes.php"; depth:73; nocase; http.host; content:"car.hapeye.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238544; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"new.mullicatownship.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/newfold-page-cache/unpicturesquely9lbcy/2f56bactos463103/2f56bactos463103.php"; depth:89; nocase; http.host; content:"danieltravels.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lawconsult.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/2022/01/138-student-living-uwi-agree-new-concession-terms-business/138-student-living-uwi-agree-new-concession-terms-business.php"; depth:162; nocase; http.host; content:"bellejamaica.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyseventeen/assets/fonts/libre-franklin/libre-franklin.js"; depth:80; nocase; http.host; content:"www.fbstapes.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"serwis-impacto.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:70; nocase; http.host; content:"crossco.semseo3.beget.tech"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-cache-helper/classes/classes.php"; depth:100; nocase; 
http.host; content:"idt.builderallwppro.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/images/field-states/field-states.php"; depth:90; nocase; http.host; content:"demo3.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"demo31.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo56.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo21.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adminify-pro/inc/modules/admincolumns/assets/css/css.php"; depth:76; nocase; http.host; content:"demo40.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo5.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-addon/addons/advanced-headers/assets/js/minified/minified.php"; depth:87; nocase; http.host; content:"demo1.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238529; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"test.bigbeautifulbuys.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adminify-pro/inc/modules/admincolumns/assets/assets.php"; depth:75; nocase; http.host; content:"demo46.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"progeturepublica.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/042/9f1/9f1.php"; depth:40; nocase; http.host; content:"sakarealestate.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-statistics/assets/dev/sass/component/placeholder/placeholder.php"; depth:87; nocase; http.host; content:"regaloscaos.es.ht"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"tsc.signalovernoise.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"florquedafulgor.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; 
content:"alyamama78.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/assets/css/css.js"; depth:70; nocase; http.host; content:"bhawpals.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"moveterramogi.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"merelio.000webhostapp.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"computerteknik.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"latinate-matters.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"ygbrandmaker.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"ybc77.000webhostapp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baystate/wp-content/plugins/cherry-plugin/lib/js/flexslider/fonts/fonts.php"; depth:76; nocase; http.host; content:"aclarilari.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/wp-admin.php"; depth:22; nocase; http.host; content:"medisur-rgl.com.ar"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/distant/jpg/jpg.php"; depth:24; nocase; http.host; content:"www.ccfg-conakry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/core/languages/plugins/plugins.php"; depth:35; nocase; http.host; content:"szerviz.microstore.hu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238510; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"store.powermatic.co.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ajax-search-lite/backend/settings/assets/icons/icons.php"; depth:76; nocase; http.host; content:"annybrenn.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"rashidaljabrigroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css.php"; depth:21; nocase; http.host; content:"shrachirealty.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238506; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"emvision.com.my"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/track.dioslogistics.com/category/uncategorized/uncategorized.php"; depth:96; nocase; http.host; content:"track.dioslogistics.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/themes/twentytwenty/assets/images/images.php"; depth:59; nocase; http.host; content:"roughdiamond.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/languages.php"; depth:35; nocase; http.host; content:"xbaseweb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"femza.org.ar"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.php"; depth:98; nocase; http.host; content:"www.7-dots.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"relacion.traxxcp.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/supercache/pharmahome.ae/ar/comments/feed/feed.php"; depth:68; nocase; http.host; content:"pharmahome.ae"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/vendor/doctrine/inflector/lib/doctrine/common/common.php"; depth:102; nocase; http.host; content:"matesonthemove.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/blog-manager-wp/assets/images/arrow/arrow.php"; depth:65; nocase; http.host; content:"ssl.news"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ebor-framework-master/metaboxes/css/sass/partials/partials.php"; depth:82; nocase; http.host; content:"interplast.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/037/b5a/b5a.js"; depth:39; nocase; http.host; 
content:"english.cabrerallamas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/category/uncategorized/uncategorized.php"; depth:73; nocase; http.host; content:"wheelsonthedanforth.ca"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/css/css.php"; depth:65; nocase; http.host; content:"balangabriel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"sanicorpec.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/bodycenter-extra/lib/scssphp/compass/stylesheets/compass/utilities/color/color.php"; depth:102; nocase; http.host; content:"www.comunidadfit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"bp8k4k.serveravatartmp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/classic-editor/classic-editor.js"; depth:52; nocase; http.host; content:"cvts.rut.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/duplicator-pro/assets/css/images/images.php"; depth:63; nocase; http.host; content:"giraganaceuti.compradondevives.es"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"mercadochubut.gob.ar"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-iframe/css/css.php"; depth:47; nocase; http.host; content:"appercity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"e-tirechains.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/010/449/449.php"; depth:40; nocase; http.host; content:"mobile.wisechoicesupplements.ph"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"www.jrun.com.hk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/wordpress/wp-content/themes/twentynineteen/template-parts/content/content.js"; depth:82; nocase; http.host; content:"blog.learningpie.in"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"1storiginal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1tambon1school/schsurvey/core/core.php"; depth:39; nocase; http.host; content:"inno.obec.go.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238477/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.bericht.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/coming-soon/languages/languages.php"; depth:55; nocase; http.host; content:"iscrizione.handmadecampania.it"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/burst-statistics/assets/css/admin/modules/dashboard/dashboard.php"; depth:85; nocase; http.host; content:"archiwummuzeumziemizbaszynskiej.zck.org.pl"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/img/portfolio/fullsize/fullsize.php"; depth:45; nocase; http.host; content:"lisbonvinylcutters.com"; depth:22; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1238473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"job-test.ifrigate.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"noonanwaste.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"abrito.wecreateyou.pt"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; 
nocase; http.host; content:"legrainparis.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/counter/change_images/logo/logo.php"; depth:42; nocase; http.host; content:"teamvedika.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demos/1stbeauty/wp-content/plugins/better-search-replace/assets/img/img.php"; depth:76; nocase; http.host; content:"cactusgroupwebtest.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"a-onevacuums.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/admin/tool/availabilityconditions/tests/behat/behat.php"; depth:56; nocase; http.host; content:"hlcelms-new.herminahospitals.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"insureafrica.co.za"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"ec2-175-41-161-53.ap-southeast-1.compute.amazonaws.com"; depth:54; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demo/wp-content/plugins/elementor/assets/images/app/site-editor/site-editor.php"; depth:80; nocase; http.host; content:"cxosnextgen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238464; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/endurance-page-cache.php"; depth:57; nocase; http.host; content:"dental.simptomi.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"garage.the-namers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/kit-library/data/kits/endpoints/endpoints.php"; depth:87; nocase; http.host; content:"sosiologi.fisip.unpad.ac.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/social-feed-widgets-for-elementor-using-smash-balloon/assets/css/css.php"; depth:115; nocase; http.host; content:"uat.zeroowatch.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238460/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financials/unaud30092007_files/sheet001_files/sheet001_files.php"; depth:65; nocase; http.host; content:"jkagri.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpmyadmin/js/vendor/jqplot/plugins/plugins.php"; depth:48; nocase; http.host; content:"proxyknow.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/a/a.php"; depth:40; nocase; http.host; content:"www.xinyizhou0310.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/plugins/layerslider/static/codemirror/codemirror.php"; depth:74; nocase; http.host; content:"ade.tw"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238456/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/wp-content.php"; depth:26; nocase; http.host; content:"plazanorte.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/attachments/deprecated/css/css.php"; depth:57; nocase; http.host; content:"rossanalabs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/_ithemes-security-pro/core/lib/lockout/execute-lock/execute-lock.php"; depth:88; nocase; http.host; content:"anfal.com.pk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"blog.qrstaff.in"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"hamza738.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"trialstaging.trialrun.us"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"go4clinic.000webhostapp.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; 
depth:79; nocase; http.host; content:"savemuch.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"firdesktop.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"congregacionkoinonia.000webhostapp.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"jenniferhallasi652005.000webhostapp.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"gtaonlinestore.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"0777arsy.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"cartwheels.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/searchstatistics/searchstatistics.js"; depth:87; nocase; http.host; content:"battological-envelo.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/assets/img/whats-new/whats-new.js"; depth:86; nocase; http.host; content:"lonuestrogsm.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"paperbound-bulk.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"swedenborgian-gangw.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"coccal-pocket.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/modern/modern/modern/modern/modern/modern.php"; depth:66; nocase; http.host; content:"www.asterism.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/integrations/integrations.php"; depth:80; nocase; http.host; content:"nikesoccerbootoutletol.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"wp.korinek.link"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2015inreview/especial2015/images/prettyphoto/dark_rounded/dark_rounded.js"; depth:74; nocase; http.host; content:"www.chequeado.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/framework/cache/cache.php"; depth:34; nocase; http.host; content:"version.urban-truth.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spero/vendor/automattic/woocommerce/tests/woocommerce/tests/tests.php"; depth:70; nocase; http.host; content:"www.kwik.tn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"jaimefoxmusic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238430; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/pro/admin/views/views.php"; depth:72; nocase; http.host; content:"clanped2025.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/graphs.php"; depth:75; nocase; http.host; content:"boomndeal.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/color-picker-alpha/color-picker-alpha.php"; depth:95; nocase; http.host; content:"bmn-es.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"39.99.63.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238427/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"shgl.chao1227.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/erolsalcan.com/bilgilendirme-tesekkuru/bilgilendirme-tesekkuru.php"; depth:94; nocase; http.host; content:"erolsalcan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/decode/html/html.php"; depth:43; nocase; http.host; content:"devsite.scarlettslandscaping.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paginaviejita/fancybox/recursos/nova-multipurpose-site-template/nova/images/sample/sample.php"; depth:94; nocase; http.host; content:"elparian.com.mx"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"mehryar.mazyar.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"api.algoyab.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod_link/wp-admin/css/colors/blue/blue.php"; depth:44; nocase; http.host; content:"topsportsteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgs/vendor/bmwfont/specimen_files/specimen_files.php"; depth:53; nocase; http.host; content:"fixituae.com"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/build/css/css.php"; depth:67; nocase; http.host; content:"stage.idandigitali.co.il"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"cruxbd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configofr/configofr.php"; depth:24; nocase; http.host; content:"139.99.50.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; 
content:"www.atouchoflovechildrenscenter.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sky/wp-content/plugins/apollo13-framework-extensions/design_importer/a13-wordpress-importer/a13-wordpress-importer.php"; depth:119; nocase; http.host; content:"chatsky.club"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aroma/dark/assets/plugins/datatable/css/css.js"; depth:47; nocase; http.host; content:"projects.njgraphica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"versitaopen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/layerslider/assets/static/admin/img/slider/slider.php"; depth:73; nocase; http.host; content:"dsefaywhq.preview.infomaniak.website"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/graphs.php"; depth:75; nocase; http.host; content:"3.110.136.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/acf-quickedit-fields/include/acfquickedit/acfquickedit.php"; depth:78; nocase; http.host; content:"shop.ggarabia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/backup/all-in-one-seo-pack-pro/app/common/importexport/rankmath/rankmath.js"; depth:95; nocase; http.host; content:"www.indian-designs.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"wholesaletoys.pk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ag-custom-admin/images/images.php"; depth:53; nocase; http.host; content:"juliem-ladeco.fr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"burialinsurancepro.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/player-api-master/actionscript/deploy/assets/assets.php"; depth:56; nocase; http.host; content:"vidhionline.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.easisell.com/best-way-to-use-colour-wheel-for-website-design-2/best-way-to-use-colour-wheel-for-website-design-2.php"; depth:152; nocase; http.host; content:"www.easisell.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/impresistem/guzzlehttp/adapter/curl/curl.php"; depth:45; nocase; http.host; content:"digitalepartner.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"skincare.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"handy.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.cronoscapitalpartners.it/www.cronoscapitalpartners.it.php"; depth:93; nocase; http.host; content:"www.cronoscapitalpartners.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"iserveindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assinatura/wp-admin/css/colors/blue/blue.php"; depth:45; nocase; http.host; content:"petdelicia.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home-elevators/images/authors/authors.php"; depth:42; nocase; http.host; content:"eliteelevators.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238393/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-content/plugins/acf-extended/includes/admin/views/views.php"; depth:71; nocase; http.host; content:"brown1.ezmartech.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naacmodules/jquery-ui-1.12.1.custom/images/images.php"; depth:54; nocase; http.host; content:"skillhut.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atlas/mobile/javascript/javascript.php"; depth:39; nocase; http.host; content:"psiewdr.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"iustore.7uptheme.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238389/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"haustiere.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup29112022/wp-admin/css/colors/blue/blue.php"; depth:49; nocase; http.host; content:"futxtrm.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nseit/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.js"; depth:91; nocase; http.host; content:"www.nseituat.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/sap/sap_3data/cafe_2_105/html5/html5.php"; depth:45; nocase; http.host; content:"mmoseronelink.com"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/cache/db/singletables/3e7/d91/d91.php"; depth:59; nocase; http.host; content:"idiomas2.8belts.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.scatolificiosantanna.it"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/libarts.pnu.ac.th/all/1649/feed/feed.js"; depth:57; nocase; http.host; content:"libarts.pnu.ac.th"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; 
content:"www.buildingblocksacademy.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.buildingblocksacademyalvin.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspdf/docs/scripts/prettify/prettify.php"; depth:41; nocase; http.host; content:"neicweb.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/page-scroll-to-id/includes/blocks/blocks.php"; depth:64; nocase; http.host; content:"cc.fenxiang.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/cache/min/1/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/drag-and-drop-multiple-file-upload-contact-form-7.php"; depth:146; nocase; http.host; content:"ajustsolutions.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/creame-whatsapp-me/public/css/css.php"; depth:57; nocase; http.host; content:"conectadosradio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsure/wp-content/themes/twentytwentyone/assets/sass/06-components/06-components.php"; depth:84; nocase; http.host; content:"toyotamanilabay.com.ph"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/controller/extension/module/waclient/waclient.php"; depth:56; nocase; http.host; content:"goldenringsoman.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238373; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/themeisle-companion/obfx_modules/beaver-widgets/custom-fields/number-field/number-field.php"; depth:111; nocase; http.host; content:"49.232.231.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/view.php"; depth:61; nocase; http.host; content:"starzbus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/administrator/components/com_actionlogs/src/controller/controller.php"; depth:75; nocase; http.host; content:"uranustechnepal.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/litespeed-cache/lib/css-min/css-min.php"; depth:59; nocase; http.host; content:"nctest.syndicatedcapitalgh.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238370/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-ace/includes/plugins/visual-composer/elements/elements.php"; depth:81; nocase; http.host; content:"cleverthings.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/servmask.php"; depth:76; nocase; http.host; content:"takartboutique.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/ectoplasm/ectoplasm/ectoplasm.php"; depth:54; nocase; http.host; content:"thegardengasteiz.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/3d-development.com/santacon/santacon.php"; depth:68; nocase; http.host; content:"thesantacon.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"cafemocha.thehostmandu.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/astra-local-fonts/josefin-sans/josefin-sans.php"; depth:59; nocase; http.host; content:"cashoutphone.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modules/9abb03e812/includes/functions/functions.php"; depth:52; nocase; http.host; content:"tneacounseling.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2_backup/wp-content/plugins/all-in-one-wp-migration/lib/controller/controller.php"; depth:83; nocase; http.host; 
content:"uhappyevents.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"mytrucknow.volomoso.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-inserter/includes/google-api/vendor/firebase/php-jwt/php-jwt.php"; depth:87; nocase; http.host; content:"altcoin-cryptocurrency-trading-platform.what-todo.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app_templates/web/up_codelogin_old/documentation/assets/blueprint-css/plugins/buttons/buttons.php"; depth:98; nocase; http.host; content:"wanimation.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:52; nocase; http.host; content:"wynton45.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"www.autojaro.sk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guestregsystem/wp-content/plugins/all-in-one-wp-migration-with-import-master/lib/view/assets/css/css.php"; depth:105; nocase; http.host; content:"aridient.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/anywhere-elementor/freemius/assets/css/admin/admin.php"; depth:74; nocase; http.host; content:"autoblazquez.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup/skyjumpertrampolinepark_20190301/skyjumpertrampolinepark_20190301.php"; depth:77; nocase; http.host; content:"youlovesports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"zado-shoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awlandsafaris.com.php"; depth:22; nocase; http.host; content:"awlandsafaris.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bulksmspull/assets/plugins/datatables-fixedheader/css/css.php"; depth:62; nocase; http.host; content:"staging.secuodsoft.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentyfifteen/genericons/genericons/genericons.php"; depth:79; nocase; http.host; content:"www.darskhososy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netzheft/wp-admin/css/colors/blue/blue.php"; depth:43; nocase; http.host; content:"netzheft.frnrw.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/affiliate-wp/includes/admin/payouts/payouts.js"; depth:66; nocase; http.host; content:"student.simplelifestrategies.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/c/6.3.2/wp-includes/css/dist/dist.js"; depth:60; nocase; http.host; content:"urlaubspanda.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238348; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro-master/assets/js/js.php"; depth:70; nocase; http.host; content:"staging.aspectuw.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"employee1.1ummah.org.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/b.js"; depth:37; nocase; http.host; content:"backdr.com.au"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bakup4_21_2021/wp-content/cache/page_enhanced/www.yourchoiceplumbers.com.au/2017/06/06.php"; depth:91; nocase; http.host; content:"www.yourchoiceplumbers.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238345/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/cache.php"; depth:16; nocase; http.host; content:"dreclass.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/elementor/assets/lib/eicons/css/css.php"; depth:82; nocase; http.host; content:"enso.atrevia-dev.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"micar.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/plugin_epayco_woocommerce/includes/admin/admin.php"; depth:70; nocase; http.host; content:"tcmtecnologia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238340/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new-website/staging-ammartou/wp-content/plugins/acf-flexible-content/includes/5-0/5-0.php"; depth:90; nocase; http.host; content:"ammartours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/mu-plugins/acf-medium-editor-field/assets/vendor/medium-editor/css/themes/themes.php"; depth:89; nocase; http.host; content:"dev.edades-west.make.technology"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/a/a/a.php"; depth:40; nocase; http.host; content:"formulario1.frontec.cl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"fruitshop.7uptheme.net"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"garten.7uptheme.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"mmasport.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"macy.7uptheme.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:74; nocase; http.host; content:"jac.b-a.group"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/rebelradio.cultnerds.io/2020/03/page/2/2.php"; depth:72; nocase; http.host; content:"rebelradio.cultnerds.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1/synergetic/wp-content/plugins/elementor/app/modules/import-export/compatibility/compatibility.php"; depth:101; nocase; http.host; content:"imsx7.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dup-installer/assets/font-awesome/css/css.php"; depth:46; nocase; http.host; content:"sebti.ir"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/bandar.php"; depth:79; nocase; http.host; content:"gmgfavvocati.it"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/admin/css/css.php"; depth:52; nocase; http.host; content:"airsoftgear.mx"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"refonte.notaire-reuter.lu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/speedycache/consilior.com.mx/consilior.com.mx.php"; depth:67; nocase; http.host; content:"consilior.com.mx"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/iraq/wp-content/plugins/accesspress-social-counter/inc/backend/boards/boards.php"; depth:81; nocase; http.host; content:"nidaagroup.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"geschaft.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/wp-content/plugins/dopts/libraries/gui/images/colorpicker/colorpicker.js"; depth:76; nocase; http.host; content:"drsohrabi.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/backups-dup-lite/installer/installer.php"; depth:52; nocase; http.host; content:"www.gttours.co.ke"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/newfold-page-cache/unpicturesquely9lbcy/2f56bactos463103/2f56bactos463103.php"; depth:89; nocase; http.host; content:"danieltravels.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booking.grimerud.no/wp-content/plugins/elementor/app/modules/import-export/runners/export/export.php"; depth:101; nocase; http.host; content:"grimerud.no"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cf7-conditional-fields/jsdoc-out/scripts/prettify/prettify.php"; depth:82; nocase; http.host; content:"assuredtreecare.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/inc/restapi/restapi.php"; depth:69; nocase; http.host; content:"aquaticasolutions.co.za"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/images.php"; depth:27; nocase; http.host; content:"www.redtbs.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"danza.lpgc.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolsadetrabajo/wp-content/plugins/all-in-one-seo-pack/app/common/integrations/integrations.php"; depth:95; nocase; http.host; content:"liceodeartesyoficios.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"new.mullicatownship.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238313/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ays-popup-box/admin/partials/export-import/export-import.php"; depth:80; nocase; http.host; content:"dev.jobsacademy.co"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/blocks/archives/archives.js"; depth:40; nocase; http.host; content:"hama.7uptheme.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"isone.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"kuteshop.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238308/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"lamerfashion.7uptheme.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"larcorso.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chat_server/node_modules/express/node_modules/accepts/node_modules/negotiator/lib/lib.php"; depth:90; nocase; http.host; content:"akastars.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/build/css/pro/pro.php"; depth:75; nocase; http.host; content:"marybanksconsult.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238305/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cms/assets/bootstrap/css/css.php"; depth:33; nocase; http.host; content:"knrpjatim.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/fastboss.ai/4677-2/automation/27/27.php"; depth:67; nocase; http.host; content:"fastboss.ai"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"civicom.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/2022/01/138-student-living-uwi-agree-new-concession-terms-business/138-student-living-uwi-agree-new-concession-terms-business.php"; depth:162; 
nocase; http.host; content:"bellejamaica.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test11/wp-content/plugins/creative-mail-by-constant-contact/assets/images/admin-dashboard-widget/admin-dashboard-widget.php"; depth:124; nocase; http.host; content:"skingetsperfect.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/chaty/admin/assets/css/css.php"; depth:50; nocase; http.host; content:"conversemos.itaca.com.pe"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/abiitqx885984/abiitqx885984.php"; depth:64; nocase; http.host; content:"mortoncountyslc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lawconsult.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-admin/css/colors/blue/blue.php"; depth:42; nocase; http.host; content:"www.leroyschroeder.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"serwis-impacto.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/087/c3e/c3e.php"; depth:40; nocase; http.host; content:"projekty-wloszczowa.pl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/samsyssync_pluginwp/assets/css/css.php"; depth:58; nocase; http.host; content:"ambience.lab.webdados.pt"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"heli-school.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"www.jrun.com.hk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentytwentyone/assets/sass/06-components/06-components.php"; depth:88; nocase; http.host; content:"www.inovcargo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"science-house.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"cki-company.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/www.femenino.mx/author/admin/page/page.php"; depth:70; nocase; http.host; content:"femenino.mx"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwp-includes/simplepie/xml/declaration/declaration.js"; depth:54; nocase; http.host; content:"reoninternational.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238286; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"newvivarch.cignature.com.sg"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-cache-helper/classes/classes.php"; depth:100; nocase; http.host; content:"idt.builderallwppro.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/addons-for-elementor/assets/css/fonts/fonts.php"; depth:67; nocase; http.host; content:"maternews.aprovar.site"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/import-export/runners/export/export.php"; depth:81; nocase; http.host; content:"temp.4-b.site"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"clinicavale.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-cf7-db/admin/admin.php"; depth:51; nocase; http.host; content:"www.rivabeachbari.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"api.algoyab.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/player-api-master/actionscript/deploy/assets/assets.php"; depth:56; nocase; http.host; content:"vidhionline.com"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1238278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/travis/deployment/ambidon/certifications/certifications.php"; depth:60; nocase; http.host; content:"blog.ambidon.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/configzei/jump/0-linkgwth/alfa_data/alfacgiapi/alfacgiapi.php"; depth:73; nocase; http.host; content:"linkgrowth.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/framework/cache/cache.php"; depth:34; nocase; http.host; content:"version.urban-truth.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/042/9f1/9f1.php"; depth:40; nocase; http.host; content:"sakarealestate.co.uk"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"tsc.signalovernoise.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-statistics/assets/dev/sass/component/placeholder/placeholder.php"; depth:87; nocase; http.host; content:"regaloscaos.es.ht"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/aviadores/tiles/node1/cf_0/l_1/c_0/c_0.php"; depth:47; nocase; http.host; content:"www.araguahost.com.ve"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/automatic-translator-addon-for-loco-translate/includes/feedback/feedback.php"; depth:96; nocase; http.host; content:"loja.billiecombina.com.vc"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"vv.zgwc.vip"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-uptime-monitor-extension/app/views/admin/admin.php"; depth:79; nocase; http.host; content:"www.arya.digidom.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.jelliemons.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/insert-headers-and-footers/includes/auto-insert/auto-insert.php"; depth:83; nocase; http.host; content:"006.qndxx.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/grade-system/grade-system.js"; depth:92; nocase; http.host; content:"phanergy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/charitable/assets/images/campaign-builder/settings/payment/education/education.php"; depth:102; nocase; http.host; content:"orji.kalu.apc.com.ng"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/wp-admin.php"; depth:22; nocase; http.host; content:"medisur-rgl.com.ar"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238263; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/core/languages/plugins/plugins.php"; depth:35; nocase; http.host; content:"szerviz.microstore.hu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30anos/administrator/components/com_actionlogs/views/actionlogs/tmpl/tmpl.js"; depth:77; nocase; http.host; content:"apav.pt"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/wp-content/plugins/aislin-testimonials/src/compatibility/plugins/testimonial_rotator/testimonial_rotator.php"; depth:113; nocase; http.host; content:"flyholisticschools.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ajax-search-lite/backend/settings/assets/icons/icons.php"; depth:76; nocase; http.host; content:"annybrenn.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238258/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/distant/jpg/jpg.php"; depth:24; nocase; http.host; content:"www.ccfg-conakry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"store.powermatic.co.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/themes/twentytwenty/assets/images/images.php"; depth:59; nocase; http.host; content:"roughdiamond.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/142/4fb/4fb.php"; depth:40; nocase; http.host; content:"contrade-co.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.atouchoflovechildrenscenter.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/track.dioslogistics.com/category/uncategorized/uncategorized.php"; depth:96; nocase; http.host; content:"track.dioslogistics.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"noonanwaste.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/autodescription/inc/classes/admin/seobar/builder/builder.php"; depth:83; nocase; http.host; 
content:"eautofsm.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/037/b5a/b5a.js"; depth:39; nocase; http.host; content:"english.cabrerallamas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"relacion.traxxcp.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/languages.php"; depth:35; nocase; http.host; content:"xbaseweb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.php"; depth:98; nocase; 
http.host; content:"www.7-dots.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/supercache/pharmahome.ae/ar/comments/feed/feed.php"; depth:68; nocase; http.host; content:"pharmahome.ae"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/vendor/doctrine/inflector/lib/doctrine/common/common.php"; depth:102; nocase; http.host; content:"matesonthemove.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ebor-framework-master/metaboxes/css/sass/partials/partials.php"; depth:82; nocase; http.host; content:"interplast.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/css/css.php"; depth:65; nocase; http.host; content:"balangabriel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/blog-manager-wp/assets/images/arrow/arrow.php"; depth:65; nocase; http.host; content:"ssl.news"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leos/public/app-assets/css/plugins/forms/pickers/pickers.php"; depth:61; nocase; http.host; content:"nisecurityservices.ae"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/category/uncategorized/uncategorized.php"; depth:73; nocase; http.host; content:"wheelsonthedanforth.ca"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bodycenter-extra/lib/scssphp/compass/stylesheets/compass/utilities/color/color.php"; depth:102; nocase; http.host; content:"www.comunidadfit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/classic-editor/classic-editor.js"; depth:52; nocase; http.host; content:"cvts.rut.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ultimate_vc_addons/admin/bsf-core/assets/assets.php"; depth:71; nocase; http.host; content:"camtechuganda.must.ac.ug"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"mercadochubut.gob.ar"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujian/assets/html2pdf/spipu/html2pdf/src/extension/core/core.php"; depth:65; nocase; http.host; content:"lsp.unisba.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/duplicator-pro/assets/css/images/images.php"; depth:63; nocase; http.host; content:"giraganaceuti.compradondevives.es"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendor/composer/composer/doc/fixtures/repo-composer-with-providers/p/bar/bar.js"; depth:80; nocase; http.host; content:"europeanplasticspact.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/010/449/449.php"; depth:40; nocase; http.host; content:"mobile.wisechoicesupplements.ph"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238231/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238231; rev:1;)
#
# ThreatFox "payload delivery" URL IOCs, first_seen 2024-02-09 (this run of
# rules continues from the batch above). Each rule is generated from one
# ThreatFox entry (see its reference:url) and fires when a client in
# $HOME_NET sends an established HTTP GET to $EXTERNAL_NET whose normalized
# URI *starts with* the listed path (depth anchors the content at offset 0;
# there is no trailing isdataat on http.uri, so a query string appended to
# the path still matches) and whose Host header *equals* the listed host
# (depth + isdataat:!1,relative rejects a longer host). nocase appears only
# on http.uri: Suricata normalizes the http.host buffer to lowercase, so
# nocase is neither needed nor accepted there.
#
# Review notes:
# - alert http only sees traffic the HTTP app-layer parser can decode. The
#   same path fetched over HTTPS will not fire unless the session is
#   decrypted before inspection, so a quiet sensor is not evidence that the
#   fetch did not happen.
# - Direction is outbound only, and target:src_ip marks the internal client
#   as the victim. If one of these hosts is YOUR web server these rules say
#   nothing; detecting that case needs a mirrored rule
#   ($EXTERNAL_NET -> $HOME_NET, target:dest_ip) and a local sid.
# - Judging from the paths (wp-content/, wp-admin/, administrator/components/,
#   phpmyadmin/ ...), the hosts look like compromised third-party sites rather
#   than attacker-owned infrastructure, so they may be cleaned up after
#   first_seen. "confidence level: 100%" is the submitter's value at
#   submission time; check the reference URL before blocking or escalating
#   on a hit.
# - Several paths recur across hosts in this batch (e.g.
#   /wp-admin/css/colors/blue/blue.php, /wp-content/languages/plugins/plugins.php),
#   and many end in a file named after its parent directory (images/images.php,
#   css/css.php). A host-agnostic rule on such a URI would generalize beyond
#   the listed hosts, but it needs its own sid from a local range and a
#   false-positive review first; none is added here.
# - sid is 9 followed by the ThreatFox IOC id, so sids are neither contiguous
#   nor monotonic within the batch (e.g. 91238230 precedes 91238229).
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-iframe/css/css.php"; depth:47; nocase; http.host; content:"appercity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/wp-includes/simplepie/xml/declaration/declaration.php"; depth:63; nocase; http.host; content:"zuarifarmhub.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-user-templates/classes/classes.php"; depth:102; nocase; http.host; content:"pizzaria.builderallwppro.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.php"; depth:92; nocase; http.host; content:"uptpkp.kaltimbkd.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/wordpress/wp-content/themes/twentynineteen/template-parts/content/content.js"; depth:82; nocase; http.host; content:"blog.learningpie.in"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.bericht.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1tambon1school/schsurvey/core/core.php"; depth:39; nocase; http.host; content:"inno.obec.go.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/burst-statistics/assets/css/admin/modules/dashboard/dashboard.php"; depth:85; nocase; http.host; content:"archiwummuzeumziemizbaszynskiej.zck.org.pl"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/coming-soon/languages/languages.php"; depth:55; nocase; http.host; content:"iscrizione.handmadecampania.it"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mainsite/wp-content/plugins/download-plugins-dashboard/langs/langs.php"; depth:71; nocase; http.host; content:"staging-wordpress.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/img/portfolio/fullsize/fullsize.php"; depth:45; nocase; http.host; content:"lisbonvinylcutters.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"abrito.wecreateyou.pt"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lms.tonalismo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/counter/change_images/logo/logo.php"; depth:42; nocase; http.host; content:"teamvedika.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gallery/backroom/imelda-cajipe-endaya/feed/feed.php"; depth:52; nocase; http.host; content:"www.hiraya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"legrainparis.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demos/1stbeauty/wp-content/plugins/better-search-replace/assets/img/img.php"; depth:76; nocase; http.host; content:"cactusgroupwebtest.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"a-onevacuums.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"insureafrica.co.za"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/tool/availabilityconditions/tests/behat/behat.php"; depth:56; nocase; http.host; content:"hlcelms-new.herminahospitals.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demo/wp-content/plugins/elementor/assets/images/app/site-editor/site-editor.php"; depth:80; nocase; http.host; content:"cxosnextgen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"garage.the-namers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/endurance-page-cache.php"; depth:57; nocase; http.host; content:"dental.simptomi.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/social-feed-widgets-for-elementor-using-smash-balloon/assets/css/css.php"; depth:115; nocase; http.host; content:"uat.zeroowatch.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/kit-library/data/kits/endpoints/endpoints.php"; depth:87; nocase; http.host; content:"sosiologi.fisip.unpad.ac.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpexcel/classes/phpexcel/shared/escher/dggcontainer/bstorecontainer/bstorecontainer.php"; depth:89; nocase; http.host; content:"lanchi.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/firewall/rule/rules/6g/6g.js"; depth:92; nocase; http.host; content:"athena.vm.cs.tcu.ac.jp"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpmyadmin/js/vendor/jqplot/plugins/plugins.php"; depth:48; nocase; http.host; content:"proxyknow.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financials/unaud30092007_files/sheet001_files/sheet001_files.php"; depth:65; nocase; http.host; content:"jkagri.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"municipio-digital.silice.si"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/administrator/components/com_admin/views/sysinfo/tmpl/tmpl.php"; depth:63; nocase; http.host; content:"clear.community"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238201; rev:1;)
# The IOC below is recorded without the leading dot of ".well-known". Because
# depth anchors the content at the start of the URI, a request for
# /.well-known/acme-challenge/... would NOT match this rule; it matches only
# the literal path as submitted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/a/a.php"; depth:40; nocase; http.host; content:"www.xinyizhou0310.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atlas/mobile/javascript/javascript.php"; depth:39; nocase; http.host; content:"psiewdr.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/wp-content.php"; depth:26; nocase; http.host; content:"plazanorte.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"blog.qrstaff.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/_ithemes-security-pro/core/lib/lockout/execute-lock/execute-lock.php"; depth:88; nocase; http.host; content:"anfal.com.pk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"congregacionkoinonia.000webhostapp.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"trialstaging.trialrun.us"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/modern/modern/modern/modern/modern/modern.php"; depth:66; nocase; http.host; content:"www.asterism.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"wp.korinek.link"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spero/vendor/automattic/woocommerce/tests/woocommerce/tests/tests.php"; depth:70; nocase; http.host; content:"www.kwik.tn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/bootstrap-carousel-swipe/bootstrap-carousel-swipe.php"; depth:61; nocase; http.host; content:"intranet.solucionesbpo.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/pro/admin/views/views.php"; depth:72; nocase; http.host; content:"clanped2025.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home-elevators/images/authors/authors.php"; depth:42; nocase; http.host; content:"eliteelevators.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/color-picker-alpha/color-picker-alpha.php"; depth:95; nocase; http.host; content:"bmn-es.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/cmmlconferences.us/author/cmmlconferences/cmmlconferences.php"; depth:89; nocase; http.host; content:"cmmlconferences.us"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-access-manager/application/backend/feature/main/main.php"; depth:85; nocase; http.host; content:"almacenesespana.com.ec"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"shgl.chao1227.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/decode/html/html.php"; depth:43; nocase; http.host; content:"devsite.scarlettslandscaping.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paginaviejita/fancybox/recursos/nova-multipurpose-site-template/nova/images/sample/sample.php"; depth:94; nocase; http.host; content:"elparian.com.mx"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/erolsalcan.com/bilgilendirme-tesekkuru/bilgilendirme-tesekkuru.php"; depth:94; nocase; http.host; content:"erolsalcan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"mehryar.mazyar.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-panel/js/pages/cards/cards.php"; depth:37; nocase; http.host; content:"robord.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238179; rev:1;)
# Host is a bare IPv4 literal: http.host compares against the Host header
# text, so only a request that carries this IP in its Host header fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configofr/configofr.php"; depth:24; nocase; http.host; content:"139.99.50.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/click-to-chat-for-whatsapp/new/admin/admin_assets/css/dev/dev.php"; depth:85; nocase; http.host; content:"puertovaras.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgs/vendor/bmwfont/specimen_files/specimen_files.php"; depth:53; nocase; http.host; content:"fixituae.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod_link/wp-admin/css/colors/blue/blue.php"; depth:44; nocase; http.host; content:"topsportsteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aab/wp-content/plugins/expandcollapse-funk/icon-font/icon-font.php"; depth:67; nocase; http.host; content:"biomechanik.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"fmtrack.cl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"cruxbd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"design-panama.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/build/css/css.php"; depth:67; nocase; http.host; content:"stage.idandigitali.co.il"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/administrator/components/com_banners/views/banners/tmpl/tmpl.php"; depth:69; nocase; http.host; content:"marcelalobos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmjoven/fmjoven.php"; depth:20; nocase; http.host; content:"portalmedios.cl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/admin/img/slider/slider.php"; depth:73; nocase; http.host; content:"dsefaywhq.preview.infomaniak.website"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"versitaopen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup-1477507809-wp-includes/requests/exception/http/http.php"; depth:63; nocase; http.host; content:"carolgraceserves.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aroma/dark/assets/plugins/datatable/css/css.js"; depth:47; nocase; http.host; content:"projects.njgraphica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/acf-quickedit-fields/include/acfquickedit/acfquickedit.php"; depth:78; nocase; http.host; content:"shop.ggarabia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emailcorporativo/bercati/bercati.php"; depth:37; nocase; http.host; content:"vielco.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/backup/all-in-one-seo-pack-pro/app/common/importexport/rankmath/rankmath.js"; depth:95; nocase; http.host; content:"www.indian-designs.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ag-custom-admin/images/images.php"; depth:53; nocase; http.host; content:"juliem-ladeco.fr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.easisell.com/best-way-to-use-colour-wheel-for-website-design-2/best-way-to-use-colour-wheel-for-website-design-2.php"; depth:152; nocase; http.host; content:"www.easisell.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"skincare.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.maaviformazione.it"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/briefcase-elementor-widgets/assets/css/css.php"; depth:89; nocase; http.host; content:"musicaenalcala.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"wijmakencomputers.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/impresistem/guzzlehttp/adapter/curl/curl.php"; depth:45; nocase; http.host; content:"digitalepartner.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"handy.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.cronoscapitalpartners.it/www.cronoscapitalpartners.it.php"; depth:93; nocase; http.host; content:"www.cronoscapitalpartners.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"iserveindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238150/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assinatura/wp-admin/css/colors/blue/blue.php"; depth:45; nocase; http.host; content:"petdelicia.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-content/plugins/acf-extended/includes/admin/views/views.php"; depth:71; nocase; http.host; content:"brown1.ezmartech.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naacmodules/jquery-ui-1.12.1.custom/images/images.php"; depth:54; nocase; http.host; content:"skillhut.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"haustiere.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238147/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"iustore.7uptheme.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/all-in-one-wp-migration-unlimited-extension.js"; depth:110; nocase; http.host; content:"www.bkkps.co.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css.php"; depth:21; nocase; http.host; content:"shrachirealty.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nseit/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.js"; depth:91; nocase; http.host; content:"www.nseituat.com"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/cache/db/singletables/3e7/d91/d91.php"; depth:59; nocase; http.host; content:"idiomas2.8belts.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup29112022/wp-admin/css/colors/blue/blue.php"; depth:49; nocase; http.host; content:"futxtrm.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/sap/sap_3data/cafe_2_105/html5/html5.php"; depth:45; nocase; http.host; content:"mmoseronelink.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:148; nocase; http.host; content:"academia.canaturh.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/libarts.pnu.ac.th/all/1649/feed/feed.js"; depth:57; nocase; http.host; content:"libarts.pnu.ac.th"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.scatolificiosantanna.it"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.buildingblocksacademyalvin.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademypasadena.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademy.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspdf/docs/scripts/prettify/prettify.php"; depth:41; nocase; http.host; content:"neicweb.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/controller/extension/module/waclient/waclient.php"; depth:56; nocase; http.host; content:"goldenringsoman.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/administrator/components/com_actionlogs/src/controller/controller.php"; depth:75; nocase; http.host; content:"uranustechnepal.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"sanicorpec.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/genus-solar-rooftop/plugins/slick/fonts/fonts.php"; depth:50; nocase; http.host; content:"www.genusinnovation.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ultimate_vc_addons/admin/bsf-analytics/assets/css/minified/minified.js"; depth:90; nocase; http.host; content:"iaces.es"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238128/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor-pro/modules/highlight-new-menus/assets/assets.php"; depth:87; nocase; http.host; content:"v.elegantchina.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"burialinsurancepro.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo.php"; depth:64; nocase; http.host; content:"thzweb.freesite.host"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"calendar-pro.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en/wp-admin/css/colors/blue/blue.php"; depth:37; nocase; http.host; content:"www.itenas.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/dashicons/dashicons.php"; depth:69; nocase; http.host; content:"soundculture.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/wp-content/plugins/iwp-client/lib/dropbox/oauth/consumer/consumer.php"; depth:75; nocase; http.host; content:"www.dewildepinchetti.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar.php"; depth:72; nocase; http.host; 
content:"www.concretosflorense.com.br"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/admin/bsf-analytics/assets/css/minified/minified.php"; depth:84; nocase; http.host; content:"cyberuonline.rsu.ac.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/administrator/components/com_admin/views/sysinfo/tmpl/tmpl.php"; depth:63; nocase; http.host; content:"clear.community"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/advanced-nocaptcha-recaptcha/freemius/templates/account/partials/partials.php"; depth:89; nocase; http.host; content:"www.batondejoie.fr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/plugins/admin-menu-editor-pro/modules/highlight-new-menus/assets/assets.php"; depth:87; nocase; http.host; content:"v.elegantchina.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en/wp-admin/css/colors/blue/blue.php"; depth:37; nocase; http.host; content:"www.itenas.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo.php"; depth:64; nocase; http.host; content:"thzweb.freesite.host"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/dashicons/dashicons.php"; depth:69; nocase; http.host; content:"soundculture.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"calendar-pro.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup-1477507809-wp-includes/requests/exception/http/http.php"; depth:63; nocase; http.host; content:"carolgraceserves.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adthrive/components/static-files/partials/adcentric/adcentric.php"; depth:85; nocase; http.host; content:"182.92.201.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/wp-content/plugins/iwp-client/lib/dropbox/oauth/consumer/consumer.php"; depth:75; nocase; http.host; content:"www.dewildepinchetti.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238109; rev:1;) alert tcp $HOME_NET any -> [192.210.236.218] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238108; rev:1;) alert tcp $HOME_NET any -> [110.139.46.105] 36969 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238107; rev:1;) alert tcp $HOME_NET any -> [137.220.197.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238106; rev:1;) alert tcp $HOME_NET any -> [72.69.74.23] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamebigloadwindowscdnuploadstemporary.php"; depth:42; nocase; http.host; content:"265003cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.101] 11084 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238102; rev:1;) alert tcp $HOME_NET any -> [116.196.106.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"18.118.35.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238099; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238098; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238096; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238095; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238094; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238093; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238092; rev:1;) alert tcp $HOME_NET any -> [159.112.177.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238091; rev:1;) alert tcp $HOME_NET any -> 
[88.214.25.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"88.214.25.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238089; rev:1;) alert tcp $HOME_NET any -> [40.86.174.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"159.112.177.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"146.235.52.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238086/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_08; classtype:trojan-activity; sid:91238086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"update.westus.cloudapp.azure.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.westus.cloudapp.azure.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update37.eastus.cloudapp.azure.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msdn1357.centralus.cloudapp.azure.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; 
content:"update37.eastus.cloudapp.azure.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"msdn1357.centralus.cloudapp.azure.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238078; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238077; rev:1;) alert tcp $HOME_NET any -> 
[18.118.35.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238074; rev:1;) alert tcp $HOME_NET any -> [139.84.237.229] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238067; rev:1;) alert tcp $HOME_NET any -> [104.129.55.104] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238068; rev:1;) alert tcp $HOME_NET any -> [37.60.242.85] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238069; rev:1;) alert tcp $HOME_NET any -> [95.179.191.137] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238070; rev:1;) alert tcp $HOME_NET any -> [65.20.66.218] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238071/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238071; rev:1;) alert tcp $HOME_NET any -> [158.220.80.157] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238072; rev:1;) alert tcp $HOME_NET any -> [104.129.55.103] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9/gate.php"; depth:11; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keywordslive.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gardenplaid.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238026; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gibbselectrics.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gloverstech.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"investechnical.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brookselectrics.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238030; rev:1;) alert tcp $HOME_NET any -> [85.239.243.155] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238043; rev:1;) alert tcp $HOME_NET any -> [41.99.49.71] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238042; rev:1;) alert tcp $HOME_NET any -> [121.121.101.33] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238041; rev:1;) alert tcp $HOME_NET any -> [69.58.144.52] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238040; rev:1;) alert tcp $HOME_NET any -> [45.243.131.12] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238039; rev:1;) alert tcp $HOME_NET any -> [86.194.132.111] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238038; rev:1;) alert tcp $HOME_NET any -> [46.19.67.107] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238037; rev:1;) alert tcp $HOME_NET any -> [40.113.39.99] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238036; rev:1;) alert tcp $HOME_NET any -> [78.45.49.197] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238035; rev:1;) alert tcp $HOME_NET any -> [32.143.50.222] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238034; rev:1;) alert tcp $HOME_NET any -> [185.62.57.11] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238033; rev:1;) alert tcp $HOME_NET any -> [49.13.149.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238032; rev:1;) alert tcp $HOME_NET any -> [37.152.191.55] 7777 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238031/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_02_08; classtype:trojan-activity; sid:91238031; rev:1;) alert tcp $HOME_NET any -> [45.93.20.76] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238024; rev:1;) alert tcp $HOME_NET any -> [45.95.146.22] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91238023; rev:1;) alert tcp $HOME_NET any -> [45.95.146.22] 42421 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91238022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjwz9/"; depth:7; nocase; http.host; content:"gloverstech.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238021; rev:1;) alert tcp $HOME_NET any -> [54.224.134.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238020; rev:1;) alert tcp $HOME_NET any -> [158.220.80.167] 2967 (msg:"ThreatFox Pikabot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238018; rev:1;) alert tcp $HOME_NET any -> [107.174.253.49] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fucksec.buzz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fucksec.buzz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"siteseoguide.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/better/multi2eternalrequest/6/mariadbuniversalmariadbexternal/tempdatalife/024update/auth/downloadsflower5downloads/dle/4temporarysql/apicpu53/wordpressdownloads.php"; depth:166; nocase; http.host; content:"185.16.39.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"6.magicalomaha.co"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.3.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238011; rev:1;) alert tcp $HOME_NET any -> [116.202.3.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238010; rev:1;) alert tcp $HOME_NET any -> [45.142.182.104] 15352 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238009; rev:1;) alert tcp $HOME_NET any -> [8.130.79.120] 8003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238008; rev:1;) alert tcp $HOME_NET any -> [2.50.137.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238007; rev:1;) alert tcp $HOME_NET any -> [170.64.155.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238006; rev:1;) alert tcp $HOME_NET any -> [138.68.141.212] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238005/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_08; classtype:trojan-activity; sid:91238005; rev:1;) alert tcp $HOME_NET any -> [3.65.82.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238004; rev:1;) alert tcp $HOME_NET any -> [118.193.38.211] 54322 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238003; rev:1;) alert tcp $HOME_NET any -> [159.203.160.168] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238002; rev:1;) alert tcp $HOME_NET any -> [51.75.194.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238001; rev:1;) alert tcp $HOME_NET any -> [171.35.43.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238000; rev:1;) alert tcp $HOME_NET any -> [35.158.74.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fonts.g-a.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"findajobforme.linkedin.loginfor.me"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.g-a.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.g-a.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients5.g-a.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237995/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xenodochial-austin.142-11-199-59.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237993; rev:1;) alert tcp $HOME_NET any -> [178.79.138.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237992; rev:1;) alert tcp $HOME_NET any -> [121.127.252.248] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237991; rev:1;) alert tcp $HOME_NET any -> [149.104.27.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237990; rev:1;) alert tcp $HOME_NET any -> [103.16.224.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237989; rev:1;) alert tcp $HOME_NET any -> 
[51.77.121.144] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237988; rev:1;) alert tcp $HOME_NET any -> [37.221.92.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237987; rev:1;) alert tcp $HOME_NET any -> [146.19.191.178] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237986; rev:1;) alert tcp $HOME_NET any -> [20.151.153.84] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237985; rev:1;) alert tcp $HOME_NET any -> [164.215.103.171] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237984; rev:1;) alert tcp $HOME_NET any -> [134.255.254.225] 5051 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237983/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237983; rev:1;) alert tcp $HOME_NET any -> [194.48.251.10] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237982; rev:1;) alert tcp $HOME_NET any -> [194.48.251.120] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237980; rev:1;) alert tcp $HOME_NET any -> [194.48.251.189] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap449572-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237979; rev:1;) alert tcp $HOME_NET any -> [154.61.74.84] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237978; rev:1;) alert tcp $HOME_NET any -> [181.161.3.29] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237976; rev:1;) alert tcp $HOME_NET any -> [114.104.183.54] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237977; rev:1;) alert tcp $HOME_NET any -> [194.147.140.234] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237975; rev:1;) alert tcp $HOME_NET any -> [185.78.76.85] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"photopoiskvk.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237972; rev:1;) alert tcp $HOME_NET any -> [3.79.194.172] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237971; rev:1;) alert tcp $HOME_NET any -> [191.7.32.19] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237970; rev:1;) alert tcp $HOME_NET any -> [93.123.39.192] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237969; rev:1;) alert tcp $HOME_NET any -> [94.156.69.93] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237967; rev:1;) alert tcp $HOME_NET any -> [194.26.192.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237968; rev:1;) alert tcp $HOME_NET any -> [94.177.106.44] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237966; rev:1;) alert tcp $HOME_NET any -> [164.92.189.59] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237965; rev:1;) alert tcp $HOME_NET any -> [80.90.179.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237964; rev:1;) alert tcp $HOME_NET any -> [185.81.157.179] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237963; rev:1;) alert tcp $HOME_NET any -> [187.24.66.48] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237962; rev:1;) alert tcp $HOME_NET any -> [181.235.80.187] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237960; rev:1;) alert tcp $HOME_NET any -> [181.235.80.187] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237961; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 8088 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237958; rev:1;) alert tcp $HOME_NET any -> [46.246.82.3] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237959; rev:1;) alert tcp $HOME_NET any -> [93.242.137.1] 51124 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237957; rev:1;) alert tcp $HOME_NET any -> [154.212.145.72] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237956; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237954; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237955/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_08; classtype:trojan-activity; sid:91237955; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237953; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237951; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237952; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237950; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237948; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237949; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237947; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237945; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237946; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1756 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237944; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237943; rev:1;) alert tcp 
$HOME_NET any -> [187.135.146.194] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237941; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237942; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237940; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237939; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237938; rev:1;) alert tcp $HOME_NET any -> [196.235.104.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237936; rev:1;) alert tcp $HOME_NET any -> [43.128.85.89] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237937; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237935; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237934; rev:1;) alert tcp $HOME_NET any -> [205.234.233.180] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237933; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237931; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237932; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237930; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237929; rev:1;) alert tcp $HOME_NET any -> [120.48.96.69] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237928; rev:1;) alert tcp $HOME_NET any -> [65.20.81.7] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237926; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237927/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237927; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237925; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237923; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237924; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237922; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237921; rev:1;) alert tcp $HOME_NET any -> [8.137.50.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237919; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237920; rev:1;) alert tcp $HOME_NET any -> [81.56.212.102] 49443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237918; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237917; rev:1;) alert tcp $HOME_NET any -> [47.98.178.246] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237915; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237916; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237914; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237913; rev:1;) alert tcp $HOME_NET any -> [213.109.202.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gifted-khayyam.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-brattain.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237911; rev:1;) alert tcp $HOME_NET any -> [49.232.220.17] 7000 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucid-albattani.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bold-clarke.104-168-102-175.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.priceless-bose.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237907; rev:1;) alert tcp $HOME_NET any -> [5.42.65.38] 46185 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237905; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237904; rev:1;) alert tcp $HOME_NET any -> [103.186.117.77] 1760 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237903; rev:1;) alert tcp $HOME_NET any -> [45.81.23.13] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237862; rev:1;) alert tcp $HOME_NET any -> [45.95.146.13] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237863; rev:1;) alert tcp $HOME_NET any -> [89.190.156.172] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237864; rev:1;) alert tcp $HOME_NET any -> [89.190.156.173] 1306 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237865; rev:1;) alert tcp 
$HOME_NET any -> [89.190.156.174] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237866; rev:1;) alert tcp $HOME_NET any -> [89.190.156.175] 1517 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237867; rev:1;) alert tcp $HOME_NET any -> [89.190.156.176] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237868; rev:1;) alert tcp $HOME_NET any -> [89.190.156.182] 1725 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237869; rev:1;) alert tcp $HOME_NET any -> [89.190.156.253] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237871; rev:1;) alert tcp $HOME_NET any -> [89.190.156.211] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237870; rev:1;) alert tcp $HOME_NET any -> [185.224.128.49] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237872; rev:1;) alert tcp $HOME_NET any -> [185.224.128.50] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237873; rev:1;) alert tcp $HOME_NET any -> [185.224.128.51] 1435 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237874; rev:1;) alert tcp $HOME_NET any -> [185.224.128.52] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237875; rev:1;) alert tcp $HOME_NET any -> [185.224.128.53] 2079 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237876; rev:1;) alert tcp $HOME_NET any -> 
[185.224.128.54] 1629 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237877; rev:1;) alert tcp $HOME_NET any -> [185.224.128.55] 1713 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmteknopark.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmteknokalak.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmtdiyari.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237881/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"jolaxodanser.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"jolaxodanserxyz.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237885; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237888; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 12609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237894; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 12609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237895/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_08; classtype:trojan-activity; sid:91237895; rev:1;) alert tcp $HOME_NET any -> [3.133.207.110] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237902; rev:1;) alert tcp $HOME_NET any -> [94.156.64.202] 4036 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237901; rev:1;) alert tcp $HOME_NET any -> [103.186.117.181] 1775 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237900; rev:1;) alert tcp $HOME_NET any -> [3.136.65.236] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237899; rev:1;) alert tcp $HOME_NET any -> [3.131.147.49] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237898; rev:1;) alert tcp $HOME_NET any -> [3.138.180.119] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalgameserveruniversal.php"; depth:31; nocase; http.host; content:"103761cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237896; rev:1;) alert tcp $HOME_NET any -> [80.66.66.97] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237893; rev:1;) alert tcp $HOME_NET any -> [5.42.65.38] 2642 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"172.200.160.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237890; rev:1;) alert tcp $HOME_NET any -> [172.200.160.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237891; rev:1;) alert tcp $HOME_NET any -> [34.147.242.231] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237889; rev:1;) alert tcp $HOME_NET any -> [185.172.128.136] 32260 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237861; rev:1;) alert tcp $HOME_NET any -> [95.217.243.137] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.125"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.184.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.108.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237854; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237853; rev:1;) alert tcp $HOME_NET any -> [49.13.33.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237848; rev:1;) alert tcp $HOME_NET any -> [5.75.211.127] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237849; rev:1;) alert tcp $HOME_NET any -> [88.198.108.242] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237850; rev:1;) alert tcp $HOME_NET any -> [5.75.209.125] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237851; rev:1;) alert tcp $HOME_NET any -> [116.202.0.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237852; rev:1;) alert tcp $HOME_NET any -> [116.202.184.165] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237847; rev:1;) alert tcp $HOME_NET any -> [45.11.180.127] 3120 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tosecurepacketgeocpuauthsqlwindowspublictemp.php"; depth:49; nocase; http.host; content:"553689cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwtreyy456rwty.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237842; rev:1;) alert tcp $HOME_NET any -> [5.180.155.218] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237844; rev:1;) alert tcp $HOME_NET any -> [185.81.157.14] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8samsa2/index.php"; depth:19; nocase; http.host; content:"5.42.66.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237841; rev:1;) alert tcp $HOME_NET any -> [193.111.248.167] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237840; rev:1;) alert tcp $HOME_NET any -> [189.140.16.135] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237839; rev:1;) alert tcp $HOME_NET any -> [176.44.89.132] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237838; rev:1;) alert tcp $HOME_NET any -> [201.124.86.37] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237837; rev:1;) alert tcp $HOME_NET any -> [145.82.129.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237836; rev:1;) alert tcp $HOME_NET any -> [49.12.7.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237835; rev:1;) alert tcp $HOME_NET any -> [172.105.14.104] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237834; rev:1;) alert tcp $HOME_NET any -> [51.15.235.86] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237833; rev:1;) alert tcp $HOME_NET any -> [31.220.80.82] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237832/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237832; rev:1;) alert tcp $HOME_NET any -> [209.127.186.234] 64242 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237831; rev:1;) alert tcp $HOME_NET any -> [43.198.240.228] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237830; rev:1;) alert tcp $HOME_NET any -> [82.146.39.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237829; rev:1;) alert tcp $HOME_NET any -> [46.183.220.203] 40935 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237828; rev:1;) alert tcp $HOME_NET any -> [5.42.67.14] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237827; rev:1;) alert tcp $HOME_NET any -> [103.67.196.125] 4505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doctr8fb7z9/index.php"; depth:22; nocase; http.host; content:"5.42.67.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237825; rev:1;) alert tcp $HOME_NET any -> [5.255.113.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237805/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237805; rev:1;) alert tcp $HOME_NET any -> [5.255.126.243] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237806/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237806; rev:1;) alert tcp $HOME_NET any -> [45.59.118.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237807/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237807; rev:1;) alert tcp $HOME_NET any -> [185.99.133.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237809/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237809; rev:1;) alert tcp $HOME_NET any -> [5.230.74.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237804/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237804; rev:1;) alert tcp $HOME_NET any -> [146.19.143.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237808/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237808; rev:1;) alert tcp $HOME_NET any -> [5.101.44.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237802/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237802; rev:1;) alert tcp $HOME_NET any -> [5.230.68.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237803/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9659650c81ce1b984c58.js"; depth:24; nocase; http.host; content:"aitcaid.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbk9ko6q3vnxkieio4arsueqh7l82d/o+dxbsug="; depth:41; nocase; http.host; content:"pluralism.themancav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aitcaid.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pluralism.themancav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25012024.js"; depth:12; nocase; http.host; content:"mwasro.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237781; rev:1;) alert tcp $HOME_NET any -> [193.233.132.64] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237791; rev:1;) alert tcp $HOME_NET any -> [45.134.26.17] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237792; rev:1;) alert tcp $HOME_NET any -> [185.172.128.103] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237794; rev:1;) alert tcp $HOME_NET any -> [193.233.132.135] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237793; rev:1;) alert tcp $HOME_NET any -> [94.156.69.28] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237795/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237795; rev:1;) alert tcp $HOME_NET any -> [185.215.113.67] 26260 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237800; rev:1;) alert tcp $HOME_NET any -> [185.106.102.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237810/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237810; rev:1;) alert tcp $HOME_NET any -> [5.255.113.36] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237811/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_08; classtype:trojan-activity; sid:91237811; rev:1;) alert tcp $HOME_NET any -> [193.168.143.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237812/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_08; classtype:trojan-activity; sid:91237812; rev:1;) alert tcp $HOME_NET any -> [15.204.245.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237823; rev:1;) alert tcp $HOME_NET any -> [47.115.203.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237822; rev:1;) alert tcp $HOME_NET any -> [52.144.124.61] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237821; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237820; rev:1;) alert tcp $HOME_NET any -> [47.104.232.113] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237819; rev:1;) alert tcp $HOME_NET any -> [121.36.226.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cd43986.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.215.214.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237815; rev:1;) alert tcp $HOME_NET any -> [111.230.12.198] 8071 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0915140.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237813; rev:1;) alert tcp $HOME_NET any -> [90.15.154.112] 4789 (msg:"ThreatFox Quasar RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b7c07c1b3625773.php"; depth:21; nocase; http.host; content:"193.187.174.182"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237799; rev:1;) alert tcp $HOME_NET any -> [23.101.122.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"173.212.224.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237797; rev:1;) alert tcp $HOME_NET any -> [103.86.130.84] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237796/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237796; rev:1;) alert tcp $HOME_NET any -> [178.73.218.9] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237790; rev:1;) alert tcp $HOME_NET any -> [181.141.40.28] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237789; rev:1;) alert tcp $HOME_NET any -> [60.241.11.63] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237788; rev:1;) alert tcp $HOME_NET any -> [188.25.142.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237787; rev:1;) alert tcp $HOME_NET any -> [149.109.109.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237786; rev:1;) alert tcp $HOME_NET any -> [154.247.41.221] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237785; rev:1;) alert 
tcp $HOME_NET any -> [99.83.220.181] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237784; rev:1;) alert tcp $HOME_NET any -> [172.245.156.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"194.26.135.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"du7wh8bicca0t.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237774; rev:1;) alert tcp $HOME_NET any -> [3.208.85.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/2k69twx54rr2wjefwla6zyrx9va"; depth:45; nocase; http.host; content:"du7wh8bicca0t.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237773; rev:1;)
# (sid 91237773 above) URL IOC keyed on a CloudFront distribution hostname; the matching DNS
# rule is sid 91237774. Keep this IOC as a name/URL match: the edge addresses behind a
# *.cloudfront.net name are shared CDN infrastructure, so an ip:port rule derived from it would
# hit unrelated traffic.
# NOTE(review): sid 91237772 and sid 91237771 are identical apart from sid and IOC reference
# (GET /zc on Host 64.226.76.0), so one request raises two alerts — disable one of the pair or
# dedupe downstream. The URI match is depth:3 with no isdataat end-anchor, i.e. a prefix match
# on "/zc"; only the Host value is matched exactly. sid 91237717 (tcp 64.226.76.0:80, Cobalt
# Strike, 80% confidence) covers the same server at the transport layer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237771; rev:1;)
# "/pixel" is likewise a URI prefix match (depth:6, no end-anchor); the Host 39.105.101.138 is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"39.105.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237770; rev:1;)
# DNS IOC rules in this feed anchor the whole query name (depth equals the name length, plus
# isdataat:!1,relative), so they match that exact name only; subdomains of it are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythic-slender.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237768; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 12555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lookup-domain.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.canopusacrux.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.shadowflameartisan.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"new-bestfortunes.life"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"re-captha-version-3-21.icu"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"webdatatrace.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyseventeen/et3tah.php"; depth:45; nocase; http.host; content:"www.dicatindustrial.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/3jubhh.php"; depth:45; 
nocase; http.host; content:"jubileemovement.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237766; rev:1;)
# sids 91237767-91237763: C2 URLs served from PHP files under /wp-content/themes/... and
# /assets/css/ on what look like compromised, otherwise legitimate sites (inferred from the
# theme paths, not stated by the feed — verify against the ThreatFox references). The exact
# URI + exact Host match is the high-fidelity signal; the DNS rules for the same domains below
# are far noisier.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/zaevgn.php"; depth:42; nocase; http.host; content:"helpforhypnotherapists.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/oxewdf.php"; depth:22; nocase; http.host; content:"emprendi2.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/vu0bkq.php"; depth:45; nocase; http.host; content:"1oneventos.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237763; rev:1;)
# NOTE(review): the DNS rules below (sids 91237758-91237762) anchor the full query name
# (depth:N plus isdataat:!1,relative), so only a lookup of the bare apex name matches. A lookup
# of www.dicatindustrial.com — the exact Host value that URL rule sid 91237767 keys on — does
# NOT match sid 91237762 (the name is 23 bytes; the match must end within depth:19), and www./
# other-subdomain lookups of the other four domains are missed the same way. Conversely, every
# benign resolution of the apex names alerts and will keep alerting after the sites are cleaned;
# lean on the URL rules above and age these out by first_seen.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1oneventos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237758; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emprendi2.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237759; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpforhypnotherapists.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jubileemovement.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dicatindustrial.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237762; rev:1;)
# ip:port rules in this feed carry no flow: keyword, so any packet from $HOME_NET toward
# 193.161.193.99:30650 matches (a bare SYN included, no payload inspection); the threshold
# limits output to one alert per source address per 60 s.
alert tcp $HOME_NET any -> [193.161.193.99] 30650 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237751; rev:1;)
alert tcp $HOME_NET any -> 
[218.156.253.232] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237750; rev:1;) alert tcp $HOME_NET any -> [74.81.37.165] 666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237749; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 64418 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"autogrant.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"bytehom.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237748; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"bytehom.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237746; rev:1;)
# NOTE(review): sid 91237746 (above) duplicates sid 91237748, and sid 91237745 (below)
# duplicates sid 91237747 — same GET /tprobuzixc8/index.php, same Host (bytehom.online /
# autogrant.pw), only the IOC reference differs. Each check-in therefore raises two alerts;
# keep one of each pair, or dedupe on URI+Host at the SIEM.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"autogrant.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237745; rev:1;)
# ip:port rules: no flow:/established requirement and no payload check, so any segment from
# $HOME_NET to the listed socket alerts; the 75-80% confidence on these two is worth surfacing
# in the alert triage, not just in the msg text.
alert tcp $HOME_NET any -> [107.174.138.159] 1900 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237744/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237744; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.32] 36599 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237743; rev:1;)
alert tcp $HOME_NET any -> [84.17.61.179] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237742/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237742; rev:1;)
alert tcp $HOME_NET any -> 
[91.92.252.26] 7766 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237741; rev:1;) alert tcp $HOME_NET any -> [155.254.24.167] 5400 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237740; rev:1;) alert tcp $HOME_NET any -> [125.16.112.10] 33333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237738; rev:1;) alert tcp $HOME_NET any -> [162.19.246.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237737; rev:1;) alert tcp $HOME_NET any -> [64.227.96.80] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237736; rev:1;) alert tcp $HOME_NET any -> [13.126.10.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237735/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237735; rev:1;) alert tcp $HOME_NET any -> [142.93.31.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237734; rev:1;) alert tcp $HOME_NET any -> [18.197.24.167] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237733; rev:1;) alert tcp $HOME_NET any -> [52.77.99.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237732; rev:1;) alert tcp $HOME_NET any -> [146.235.47.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237731; rev:1;) alert tcp $HOME_NET any -> [64.226.125.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237730; rev:1;) alert tcp $HOME_NET any -> [51.144.174.31] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237729; rev:1;) alert tcp $HOME_NET any -> [16.171.24.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237728; rev:1;) alert tcp $HOME_NET any -> [34.176.172.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237727; rev:1;) alert tcp $HOME_NET any -> [35.158.74.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237726; rev:1;) alert tcp $HOME_NET any -> [138.197.47.129] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237725; rev:1;) alert tcp $HOME_NET any -> [20.53.247.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237724/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237724; rev:1;) alert tcp $HOME_NET any -> [3.82.152.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237723; rev:1;) alert tcp $HOME_NET any -> [34.202.144.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cranky-easley.142-11-199-59.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deenpel.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awesome-villani.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237719; rev:1;) alert tcp $HOME_NET any 
-> [64.226.76.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.admiring-pascal.142-11-199-59.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237718; rev:1;) alert tcp $HOME_NET any -> [43.139.175.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237716; rev:1;) alert tcp $HOME_NET any -> [121.40.146.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massaction.html"; depth:16; nocase; http.host; content:"0.0xo.lat"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237714; rev:1;) alert tcp $HOME_NET any -> [156.227.6.70] 60000 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237713; rev:1;) alert tcp $HOME_NET any -> [172.206.26.225] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237712; rev:1;) alert tcp $HOME_NET any -> [167.172.131.98] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237711; rev:1;) alert tcp $HOME_NET any -> [164.90.246.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-panel.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237709; rev:1;) alert tcp $HOME_NET any -> [51.77.121.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237708/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237708; rev:1;)
# Port-80 ip:port rules below (sids 91237707, 91237706) alert on any TCP packet to that socket
# with no HTTP inspection — a plain browser visit to the host matches just as a C2 beacon does.
alert tcp $HOME_NET any -> [23.26.247.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237707; rev:1;)
alert tcp $HOME_NET any -> [45.77.240.70] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3psilonapi.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237705; rev:1;)
# NOTE(review): ec2-3-210-242-78.compute-1.amazonaws.com is the auto-generated EC2 public
# hostname for 3.210.242.78 (the name encodes the address). Such names follow the IP, not the
# tenant, so once the instance releases the address this rule flags whoever is assigned it next.
# The same applies to sid 91237703 on the next line and to the *.plesk.page / *.cprapid.com
# hosting names elsewhere in this feed: treat them as short-lived and age them out by
# first_seen rather than carrying them indefinitely.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-210-242-78.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237704; rev:1;)
alert tcp $HOME_NET any -> [54.86.17.63] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"ec2-54-237-138-159.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237703; rev:1;) alert tcp $HOME_NET any -> [185.221.198.84] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237701; rev:1;) alert tcp $HOME_NET any -> [85.105.91.170] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237700; rev:1;) alert tcp $HOME_NET any -> [147.50.240.224] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237699; rev:1;) alert tcp $HOME_NET any -> [47.92.123.66] 1311 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237697; rev:1;) alert tcp $HOME_NET any -> [45.112.205.126] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237698/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-mcnulty.164-92-180-123.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.23-26-55-9.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237696; rev:1;) alert tcp $HOME_NET any -> [122.114.156.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237694; rev:1;) alert tcp $HOME_NET any -> [40.90.255.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goofy-satoshi.142-202-191-144.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237692; rev:1;) alert tcp $HOME_NET any 
-> [142.202.191.144] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237691; rev:1;) alert tcp $HOME_NET any -> [45.195.198.204] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237689; rev:1;) alert tcp $HOME_NET any -> [79.109.104.58] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237690; rev:1;) alert tcp $HOME_NET any -> [167.86.86.15] 1010 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237688; rev:1;) alert tcp $HOME_NET any -> [8.222.144.134] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237687; rev:1;) alert tcp $HOME_NET any -> [14.225.210.222] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237686/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237686; rev:1;) alert tcp $HOME_NET any -> [193.233.132.135] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237684; rev:1;) alert tcp $HOME_NET any -> [45.134.26.17] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d.kfaaa.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237683; rev:1;) alert tcp $HOME_NET any -> [93.123.39.225] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237682; rev:1;) alert tcp $HOME_NET any -> [35.246.175.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237681; rev:1;) alert tcp $HOME_NET any -> [154.91.83.247] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237680; rev:1;) alert tcp $HOME_NET any -> [185.216.70.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237679; rev:1;) alert tcp $HOME_NET any -> [185.81.157.179] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237678; rev:1;) alert tcp $HOME_NET any -> [185.81.157.179] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237677; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237676; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237675; 
rev:1;) alert tcp $HOME_NET any -> [185.81.157.104] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237673; rev:1;) alert tcp $HOME_NET any -> [185.81.157.104] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237674; rev:1;) alert tcp $HOME_NET any -> [185.81.157.104] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237672; rev:1;) alert tcp $HOME_NET any -> [161.97.151.222] 2011 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237671; rev:1;) alert tcp $HOME_NET any -> [45.141.215.222] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237670; rev:1;) alert tcp $HOME_NET any -> [107.161.81.150] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237669; rev:1;) alert tcp $HOME_NET any -> [107.161.81.150] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237668; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237667; rev:1;) alert tcp $HOME_NET any -> [20.253.24.99] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237666/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237666; rev:1;) alert tcp $HOME_NET any -> [34.162.154.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237665/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237665; rev:1;) alert tcp $HOME_NET any -> [62.113.115.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237664/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237664; rev:1;) alert tcp $HOME_NET any -> [67.217.228.4] 443 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237663/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237663; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2177 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237662; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237661; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237659; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237660; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237658; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237657; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237655; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237656; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237654; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1901 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237653; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1237652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237652; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237650; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237651; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1718 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237649; rev:1;) alert tcp $HOME_NET any -> [154.223.17.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237648; rev:1;) alert tcp $HOME_NET any -> [34.149.60.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237647; rev:1;) alert tcp $HOME_NET any -> 
[173.212.224.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237646; rev:1;) alert tcp $HOME_NET any -> [117.72.36.211] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237645; rev:1;) alert tcp $HOME_NET any -> [205.234.233.180] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237644; rev:1;) alert tcp $HOME_NET any -> [175.178.175.168] 9100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"98.lan-za2-1.static.rozabg.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237642; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237641; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237640; rev:1;) alert tcp $HOME_NET any -> [114.116.18.42] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237639; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237638; rev:1;) alert tcp $HOME_NET any -> [121.40.185.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priceless-bose.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237636; rev:1;) alert 
tcp $HOME_NET any -> [103.35.191.158] 5344 (msg:"ThreatFox XpertRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237635; rev:1;) alert tcp $HOME_NET any -> [103.86.130.61] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237634; rev:1;) alert tcp $HOME_NET any -> [34.32.44.11] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"39.174.238.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pastratas.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237631; rev:1;) alert tcp $HOME_NET any -> [165.232.113.85] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237630; rev:1;) alert tcp $HOME_NET any -> [82.147.85.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237629; rev:1;) alert tcp $HOME_NET any -> [42.3.134.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"42.3.134.97"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237627; rev:1;) alert tcp $HOME_NET any -> [179.60.147.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; 
content:"zx.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; content:"as.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fam_calendar"; depth:13; nocase; http.host; content:"qw.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237620; rev:1;)
# NOTE(review): the ip:port rules below are plain "alert tcp" signatures with no flow: keyword,
# so any TCP segment from $HOME_NET toward the listed destination ip:port can match; the
# "threshold: type limit, track by_src, seconds 60, count 1" option caps output at one alert
# per source host per rule per 60 s, and target:src_ip marks the $HOME_NET host as the victim side.
# Each sid is the ThreatFox IOC id from the reference: URL prefixed with "9"; metadata carries the
# reporter's confidence_level and the first_seen date (2024_02_07 for every rule in this stretch).
# ip:port entries are point-in-time indicators - presumably the hosts may be reassigned after
# first_seen, so verify older hits against the IOC page before acting on them.
alert tcp $HOME_NET any -> [103.86.131.70] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237619/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237619; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.232] 1985 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237618; rev:1;)
alert tcp $HOME_NET any -> [194.143.146.147] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237608; rev:1;)
alert tcp $HOME_NET any -> [194.143.146.141] 1521 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237609; rev:1;)
alert tcp $HOME_NET any -> [194.143.146.152] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237610; rev:1;)
alert tcp $HOME_NET any -> [87.121.112.29] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237611; rev:1;)
alert tcp $HOME_NET any -> [87.121.112.41] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237612; rev:1;)
alert tcp $HOME_NET any -> [195.14.123.125] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237613; rev:1;)
alert tcp $HOME_NET any -> [195.14.123.126] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237614; rev:1;)
alert tcp $HOME_NET any -> [51.195.61.8] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237615; rev:1;)
alert tcp $HOME_NET any -> [195.85.114.141] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237616; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237617; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.169] 2880 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237607; rev:1;)
alert tcp $HOME_NET any -> [185.74.222.151] 1295 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237603; rev:1;)
alert tcp $HOME_NET any -> [80.92.206.176] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237604; rev:1;)
alert tcp $HOME_NET any -> [74.119.193.126] 1297 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237605; rev:1;)
alert tcp $HOME_NET any -> [94.131.13.80] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237606; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.68] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237509; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.36] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237510; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.39] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237511; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.40] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237513; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.35] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237515; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.25] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237518; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.52] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237519; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237520; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.12] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237521; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.51] 1307 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237522; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.49] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237523; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.56] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237524; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.49] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237525; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.46] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237526; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.128] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237598; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.54] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237527; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.32] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237528; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.230] 1287 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237599; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.237] 1284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237600; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.247] 1295 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237601; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.24] 1293 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237602; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.55] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237529; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237530; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.20] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237531; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.48] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237532; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.156] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237534; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.30] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237533; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.57] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237535; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.21] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237538; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.58] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237536; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.31] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237537; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.42] 1332 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237539; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.26] 1303 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237540; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.28] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237541; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237542; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.36] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237543; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.45] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237544; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237545; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.60] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237546; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.230] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237547; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237548; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.47] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237549; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.19] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237550; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.111] 1289 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237551; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.223] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237552; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.231] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237553; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237554; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237592; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.116] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237593; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.107] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237594; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.108] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237595; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237596; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.98] 1285 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237597; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.23] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237512; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.31] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237514; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237516; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.37] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237517; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.20] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237508; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.44] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237505; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.6] 1298 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237507; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.65] 1302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237506; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.14] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237504; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.5] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237503; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.61] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237502; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.72] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237500; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.71] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237501; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.4] 1375 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237497; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.17] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237498; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.16] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237499; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.7] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237494; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.32] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237496; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.21] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237495; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.9] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237492; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.2] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237493; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.69] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237490; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237491; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.18] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237488; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.3] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237489; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.43] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237486; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.22] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237487; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.38] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237483; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.66] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237484; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.45] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237485; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.44] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237482; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.13] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237480; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237481; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.33] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237478; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.11] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237479; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237476; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237477; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.42] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237474; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.70] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237475; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.221] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237555; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.103] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237556; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.38] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237557; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.39] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237558; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.41] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237560; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.40] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237559; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237561/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237561; rev:1;) alert tcp $HOME_NET any -> [5.181.80.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237562; rev:1;) alert tcp $HOME_NET any -> [5.181.80.54] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237563; rev:1;) alert tcp $HOME_NET any -> [5.181.80.150] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237564; rev:1;) alert tcp $HOME_NET any -> [5.181.80.151] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237565; rev:1;) alert tcp $HOME_NET any -> [5.181.80.152] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237566; rev:1;) alert tcp $HOME_NET any -> [5.181.80.153] 61616 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237567; rev:1;) alert tcp $HOME_NET any -> [94.156.71.216] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237585; rev:1;) alert tcp $HOME_NET any -> [94.156.71.219] 1290 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237582; rev:1;) alert tcp $HOME_NET any -> [94.156.71.222] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237583; rev:1;) alert tcp $HOME_NET any -> [94.156.71.218] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237584; rev:1;) alert tcp $HOME_NET any -> [64.227.106.194] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237580/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237580; rev:1;) alert tcp $HOME_NET any -> [134.209.94.234] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237581; rev:1;) alert tcp $HOME_NET any -> [157.230.244.224] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237578; rev:1;) alert tcp $HOME_NET any -> [170.64.202.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237579; rev:1;) alert tcp $HOME_NET any -> [165.22.101.63] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237575; rev:1;) alert tcp $HOME_NET any -> [68.183.187.38] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237576; rev:1;) alert tcp $HOME_NET any -> [159.223.89.203] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237577; rev:1;) alert tcp $HOME_NET any -> [157.230.242.17] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237573; rev:1;) alert tcp $HOME_NET any -> [68.183.183.68] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237574; rev:1;) alert tcp $HOME_NET any -> [165.22.96.144] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237571; rev:1;) alert tcp $HOME_NET any -> [159.223.89.252] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237572; rev:1;) alert tcp $HOME_NET any -> [104.248.129.146] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237570/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_07; classtype:trojan-activity; sid:91237570; rev:1;) alert tcp $HOME_NET any -> [159.223.90.237] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237569; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237568; rev:1;) alert tcp $HOME_NET any -> [91.92.251.113] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237586; rev:1;) alert tcp $HOME_NET any -> [94.156.67.13] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237587; rev:1;) alert tcp $HOME_NET any -> [94.156.67.14] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237588; rev:1;) alert tcp $HOME_NET any -> [94.156.71.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237589; rev:1;) alert tcp $HOME_NET any -> [94.156.71.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237590; rev:1;) alert tcp $HOME_NET any -> [94.156.71.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.89.175.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.21.133.187"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1237467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masjidalfurqon.id"; 
depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1237468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masjidalfurqon.id"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1237469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.132.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1237470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.253.214.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stutti.de"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237472; rev:1;) alert tcp $HOME_NET any -> [185.236.228.203] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237464; rev:1;) alert tcp $HOME_NET any -> [117.50.162.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237465; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237462; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237463; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237461/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_07; classtype:trojan-activity; sid:91237461; rev:1;) alert tcp $HOME_NET any -> [89.249.73.162] 2479 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237460; rev:1;) alert tcp $HOME_NET any -> [194.156.98.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237459; rev:1;) alert tcp $HOME_NET any -> [46.246.84.13] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237458; rev:1;) alert tcp $HOME_NET any -> [178.73.218.6] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237457; rev:1;) alert tcp $HOME_NET any -> [67.71.30.49] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237456; rev:1;) alert tcp $HOME_NET any -> [86.98.222.105] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1237455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237455; rev:1;) alert tcp $HOME_NET any -> [149.28.94.80] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237454; rev:1;) alert tcp $HOME_NET any -> [71.187.88.67] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237453; rev:1;) alert tcp $HOME_NET any -> [138.68.169.56] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237452; rev:1;) alert tcp $HOME_NET any -> [172.105.14.104] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237451; rev:1;) alert tcp $HOME_NET any -> [164.90.233.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237450; rev:1;) alert tcp $HOME_NET any -> [23.229.31.21] 25623 (msg:"ThreatFox BianLian botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237449; rev:1;) alert tcp $HOME_NET any -> [220.77.118.115] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237448; rev:1;) alert tcp $HOME_NET any -> [119.190.136.165] 9000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237447; rev:1;) alert tcp $HOME_NET any -> [65.153.151.175] 10010 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237446; rev:1;) alert tcp $HOME_NET any -> [45.33.59.99] 10724 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237445; rev:1;) alert tcp $HOME_NET any -> [191.252.214.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjvjls3jd2v/login.php"; depth:22; nocase; http.host; content:"193.233.132.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237403; rev:1;) alert tcp $HOME_NET any -> [37.60.227.156] 7 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237406; rev:1;) alert tcp $HOME_NET any -> [91.92.246.148] 3362 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237405; rev:1;) alert tcp $HOME_NET any -> [216.218.135.118] 9583 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gigeconomycase.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pngairservices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"basicincomeonline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"basicincomeonline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"213.109.202.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm341/index.php"; depth:16; nocase; http.host; content:"bmld.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237443; rev:1;) alert tcp $HOME_NET any -> [185.196.8.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237442; rev:1;) alert tcp $HOME_NET any -> [94.232.45.52] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237440; rev:1;) alert tcp $HOME_NET any -> [46.105.141.60] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237441; rev:1;) alert tcp $HOME_NET any -> [37.120.247.104] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237438; rev:1;) alert tcp $HOME_NET any -> [5.255.119.56] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237439/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237439; rev:1;)
# Reviewer annotations for this span of the ThreatFox feed. Rules are unchanged and
# restored to one rule per line; only the "#" lines are added.
#
# NOTE(review): the "ip:port" rules below carry no flow keyword, so any TCP packet from a
# $HOME_NET host to the listed address/port matches (a lone SYN is enough); the threshold
# only rate-limits to one alert per source per 60 s. Confirm against the ThreatFox entry
# (reference:url) before acting on a single hit, especially at confidence_level 50/80.
alert tcp $HOME_NET any -> [65.0.50.125] 22220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237437; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237436; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237435; rev:1;)
alert tcp $HOME_NET any -> [94.232.47.185] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237434; rev:1;)
# NOTE(review): the six NjRAT/10445 rules below key on addresses that appear to sit in
# public-cloud (EC2) ranges; such IPs are reassigned quickly, so treat these IoCs as
# time-boxed and expire them with the referenced ThreatFox entries rather than keeping
# them indefinitely.
alert tcp $HOME_NET any -> [3.127.138.57] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237428; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237427; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237426; rev:1;)
alert tcp $HOME_NET any -> [3.126.37.18] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237425; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237424; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237423; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.83] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237422; rev:1;)
alert tcp $HOME_NET any -> [104.225.142.194] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.57.12.167"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237419; rev:1;)
# NOTE(review): in the url rules the http.uri content has a depth but no
# isdataat:!1,relative, so "/cx" is a prefix match (any URI starting with "/cx");
# only the http.host match is anchored at both ends. The exact host match is what
# bounds the false-positive surface here, so keep it when tuning these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.3.220.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6provider/_cdn/baseupdatelinux/trafficasyncwprequest/imagevmdefaultbaselinuxasyncuniversaltemporary.php"; depth:104; nocase; http.host; content:"194.87.93.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237416; rev:1;)
alert tcp $HOME_NET any -> [117.72.15.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"117.72.15.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237414; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1800 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237413; rev:1;)
alert tcp $HOME_NET any -> [41.96.128.248] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237412; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2259 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237411; rev:1;)
alert tcp $HOME_NET any -> [46.149.77.41] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237409; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.247] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237408; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237407; rev:1;)
alert tcp $HOME_NET any -> [92.246.138.88] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237404; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237402; rev:1;)
alert tcp $HOME_NET any -> [39.105.101.138] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237401; rev:1;)
# NOTE(review): the dns rules anchor the query name at both ends (depth + isdataat:!1,relative),
# so they match the listed name exactly; lookups for subdomains of it are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alma27.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237390; rev:1;)
alert tcp $HOME_NET any -> [79.137.203.183] 36235 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237391; rev:1;)
alert tcp $HOME_NET any -> [139.59.10.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237400; rev:1;)
alert tcp $HOME_NET any -> [188.54.98.85] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237399; rev:1;)
alert tcp $HOME_NET any -> [190.28.91.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237398; rev:1;)
alert tcp $HOME_NET any -> [103.152.221.43] 6607 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237397; rev:1;)
alert tcp $HOME_NET any -> [217.114.43.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237396; rev:1;)
alert tcp $HOME_NET any -> [143.198.131.4] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237394; rev:1;)
# NOTE(review): sid:91237393 and sid:91237392 have identical detection content (same
# http.uri and http.host) under two ThreatFox IoC ids; one matching request raises both
# alerts. Deduplicate at feed ingest or suppress one of the two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nprgttmfrtmijp7xaraq7p87jp9"; depth:45; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nprgttmfrtmijp7xaraq7p87jp9"; depth:45; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237392; rev:1;)
alert tcp $HOME_NET any -> [185.202.239.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237389/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237389; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.14] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237388; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.16] 2552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"45.15.156.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yaniqueque.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237384; rev:1;)
alert tcp $HOME_NET any -> [62.204.41.234] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xmail.cfd"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237282; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.186] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237382; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 7754 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237381; rev:1;)
alert tcp $HOME_NET any -> [45.128.133.21] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237380; rev:1;)
alert tcp $HOME_NET any -> [185.202.175.208] 54600 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237379; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.102] 54600 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237378; rev:1;)
alert tcp $HOME_NET any -> [174.138.56.147] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237377; rev:1;)
alert tcp $HOME_NET any -> [20.234.140.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237376; rev:1;)
alert tcp $HOME_NET any -> [46.151.214.196] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237374; rev:1;)
alert tcp $HOME_NET any -> [152.32.131.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237375; rev:1;)
alert tcp $HOME_NET any -> [161.97.89.128] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237373; rev:1;)
alert tcp $HOME_NET any -> [20.126.32.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237372; rev:1;)
alert tcp $HOME_NET any -> [13.244.70.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237371; rev:1;)
alert tcp $HOME_NET any -> [54.252.170.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237370; rev:1;)
alert tcp $HOME_NET any -> [40.68.94.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237369; rev:1;)
alert tcp $HOME_NET any -> [20.73.188.143] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237368; rev:1;)
alert tcp $HOME_NET any -> [3.18.169.79] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237367; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apis.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237366; rev:1;)
alert tcp $HOME_NET any -> [154.12.25.252] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237365; rev:1;)
alert tcp $HOME_NET any -> [103.52.154.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237364; rev:1;)
alert tcp $HOME_NET any -> [182.16.35.146] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237362; rev:1;)
alert tcp $HOME_NET any -> [107.172.144.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237363; rev:1;)
alert tcp $HOME_NET any -> [182.16.35.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237361; rev:1;)
alert tcp $HOME_NET any -> [182.16.35.148] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237360; rev:1;)
alert tcp $HOME_NET any -> [182.16.35.147] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237359; rev:1;)
alert tcp $HOME_NET any -> [114.115.145.188] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237357; rev:1;)
alert tcp $HOME_NET any -> [142.171.229.85] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237358; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mine-panel.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237355; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mine-panel.space"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237356; rev:1;)
alert tcp $HOME_NET any -> [212.193.11.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237354; rev:1;)
alert tcp $HOME_NET any -> [212.193.11.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237353; rev:1;)
# NOTE(review): the ec2-*.compute*.amazonaws.com names here and further down (sid:91237331),
# like static.*.clients.your-server.de (sid:91237329), look like provider reverse-DNS labels
# bound to an address rather than attacker-registered domains; they age with IP reassignment,
# so expire them together with the underlying ip:port indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-196-101-127.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-208-95-157.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237352; rev:1;)
alert tcp $HOME_NET any -> [54.237.138.159] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237350; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enter.showconfig.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237349; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237348; rev:1;)
alert tcp $HOME_NET any -> [142.93.191.198] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237347; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.253] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237346; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237345; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.88] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237344; rev:1;)
alert tcp $HOME_NET any -> [5.42.67.10] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237343; rev:1;)
alert tcp $HOME_NET any -> [108.62.49.215] 88 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237342; rev:1;)
alert tcp $HOME_NET any -> [193.163.7.156] 8008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237341; rev:1;)
alert tcp $HOME_NET any -> [45.86.163.142] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237340; rev:1;)
alert tcp $HOME_NET any -> [194.48.251.11] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237339; rev:1;)
alert tcp $HOME_NET any -> [172.233.240.86] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237338; rev:1;)
alert tcp $HOME_NET any -> [103.243.180.16] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237337; rev:1;)
alert tcp $HOME_NET any -> [103.243.180.7] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237336; rev:1;)
alert tcp $HOME_NET any -> [157.254.165.110] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237335; rev:1;)
alert tcp $HOME_NET any -> [195.62.47.154] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237334; rev:1;)
alert tcp $HOME_NET any -> [185.238.171.42] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsft-security.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237332; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-76-234-184.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237331; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1095765-1.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237330; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.5.96.119.168.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237329; rev:1;)
alert tcp $HOME_NET any -> [4.255.104.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237328; rev:1;)
alert tcp $HOME_NET any -> [140.82.48.210] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237327; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.73] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237326; rev:1;)
alert tcp $HOME_NET any -> [181.161.6.87] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237325; rev:1;)
alert tcp $HOME_NET any -> [149.28.148.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hookqd.tttseo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"pensive-shamir.45-134-26-33.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237323; rev:1;) alert tcp $HOME_NET any -> [77.73.131.54] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237321; rev:1;) alert tcp $HOME_NET any -> [185.216.70.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237320; rev:1;) alert tcp $HOME_NET any -> [93.123.39.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237319; rev:1;) alert tcp $HOME_NET any -> [20.6.81.237] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237318; rev:1;) alert tcp $HOME_NET any -> [185.216.70.117] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; 
sid:91237317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzuv225.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.jettresponse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin4.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237314; rev:1;) alert tcp $HOME_NET any -> [62.109.15.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237313; rev:1;) alert tcp $HOME_NET any -> [27.79.88.176] 8007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237312; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237311; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237310; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237309; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237308; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237306; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237307; rev:1;) alert tcp 
$HOME_NET any -> [46.246.82.4] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237305; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237304; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237303; rev:1;) alert tcp $HOME_NET any -> [20.215.41.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237302/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_06; classtype:trojan-activity; sid:91237302; rev:1;) alert tcp $HOME_NET any -> [3.133.3.35] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237301/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_06; classtype:trojan-activity; sid:91237301; rev:1;) alert tcp $HOME_NET any -> [43.249.9.224] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237300/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237300; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237299; rev:1;) alert tcp $HOME_NET any -> [192.3.101.133] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237298; rev:1;) alert tcp $HOME_NET any -> [104.234.240.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237296; rev:1;) alert tcp $HOME_NET any -> [192.3.101.133] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237297; rev:1;) alert tcp $HOME_NET any -> [103.42.30.219] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237295; rev:1;) alert tcp $HOME_NET any -> [137.175.97.93] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237294; rev:1;) alert tcp $HOME_NET any -> [64.226.76.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.164-90-169-184.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237292; rev:1;) alert tcp $HOME_NET any -> [47.99.66.200] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237291; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237290; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237289/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_06; classtype:trojan-activity; sid:91237289; rev:1;) alert tcp $HOME_NET any -> [20.163.176.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30.210.31.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0913447.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237286; rev:1;) alert tcp $HOME_NET any -> [74.91.116.12] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.251.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237284/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237284; rev:1;) alert tcp $HOME_NET any -> [78.46.251.181] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"xmail.cfd"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237281; rev:1;) alert tcp $HOME_NET any -> [157.90.20.51] 47753 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"xmail.cfd"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237279; rev:1;) alert tcp $HOME_NET any -> [91.92.247.252] 8276 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237277/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_06; classtype:trojan-activity; sid:91237277; rev:1;) alert tcp $HOME_NET any -> [91.92.247.252] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237278; rev:1;) alert tcp $HOME_NET any -> [109.107.181.228] 1676 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237276; rev:1;) alert tcp $HOME_NET any -> [109.107.181.228] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237275; rev:1;) alert tcp $HOME_NET any -> [103.86.130.120] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mosaicyoungoccasionnyej.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"updaterootapplederjuios.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"modestessayevenmilwek.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237254/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"triangleseasonbenchwj.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237255/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secretionsuitcasenioise.shop"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"circulatejobspontane.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tonguehypnothesislan.shop"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nationalistvetecanve.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237259/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inviteaccessiblesaltw.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237260/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stamprollabbeymemberw.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"donorwifeconfusionstronko.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"essayinterventiondepof.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237263/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smilesnugglemonstouseo.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"offsetundressdriveryjow.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"publishfavorharbouroe.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banquetmasteryfailurw.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237267/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exemptatmospherestingw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; 
classtype:trojan-activity; sid:91237268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pavementpreferencewjiao.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"benddiscoleideasbridrew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hovermeatglacierrjuw.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b57f88e9b186cd.php"; depth:21; nocase; http.host; content:"gsggaoo.top"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1237253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237253; rev:1;) alert tcp $HOME_NET any -> [43.143.228.239] 7766 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237251; rev:1;) alert tcp $HOME_NET any -> [47.100.170.9] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/guumxl4dhprl9owye74vbaqcbppfgijt"; depth:37; nocase; http.host; content:"ogind.drobpox.us"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogind.drobpox.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237249; rev:1;) alert tcp $HOME_NET any -> [103.186.117.105] 1970 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237247/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237247; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237246; rev:1;) alert tcp $HOME_NET any -> [88.198.107.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.107.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frozenk.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.frozenk.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237198; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.frozenk.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1357229.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maksonsab.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.maksonsab.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.nateeka.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nateeka.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-107-23-38-171.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farkhunda.3cx.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c0mmit.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237215; rev:1;) alert tcp $HOME_NET any -> [93.123.85.149] 38245 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.shop4youv2.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237225/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.elite-likes.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237226; rev:1;) alert tcp $HOME_NET any -> [93.123.85.4] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237234; rev:1;) alert tcp $HOME_NET any -> [167.56.197.73] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237243; rev:1;) alert tcp $HOME_NET any -> [124.220.235.28] 1002 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237242; rev:1;) alert tcp $HOME_NET any -> [3.143.234.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237241; rev:1;) alert tcp $HOME_NET any -> [45.9.191.183] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237240; rev:1;) alert tcp $HOME_NET any -> [20.224.11.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237238; rev:1;) alert tcp $HOME_NET any -> [216.189.159.197] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237237; rev:1;) alert tcp $HOME_NET any -> [152.69.220.235] 1443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237236; rev:1;) alert tcp $HOME_NET any -> [91.92.254.111] 1977 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237233/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237233; rev:1;) alert tcp $HOME_NET any -> [94.156.64.228] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26048ad8.php"; depth:13; nocase; http.host; content:"a0915620.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237231; rev:1;) alert tcp $HOME_NET any -> [52.66.148.83] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237230; rev:1;) alert tcp $HOME_NET any -> [119.3.220.200] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237229; rev:1;) alert tcp $HOME_NET any -> [190.232.148.118] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237228/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237228; rev:1;) alert tcp $HOME_NET 
any -> [109.248.151.213] 45682 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237227; rev:1;) alert tcp $HOME_NET any -> [94.156.66.178] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237223; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237222/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237222; rev:1;) alert tcp $HOME_NET any -> [159.223.72.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237221/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237217; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237216/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237216; rev:1;) alert tcp $HOME_NET any -> [41.201.100.168] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237214; rev:1;) alert tcp $HOME_NET any -> [109.255.66.174] 
995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237213; rev:1;) alert tcp $HOME_NET any -> [41.98.4.60] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237212; rev:1;) alert tcp $HOME_NET any -> [85.107.13.154] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237211; rev:1;) alert tcp $HOME_NET any -> [94.23.155.217] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237210; rev:1;) alert tcp $HOME_NET any -> [134.209.244.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237209; rev:1;) alert tcp $HOME_NET any -> [45.152.85.10] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237208; rev:1;) alert tcp $HOME_NET any -> [154.195.152.232] 63641 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.37.14.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; 
http.host; content:"101.43.161.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.156.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"147.124.221.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.htm"; depth:10; nocase; http.host; content:"anotherpalece.sytes.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anotherpalece.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237190; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.161.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237185; rev:1;) alert tcp $HOME_NET any -> [3.216.239.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"traincaster.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"traincaster.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.105.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237181; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"solar.huawei.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"23.94.255.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peasanthovecapspll.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237176; rev:1;) alert tcp $HOME_NET any -> [103.69.96.162] 4502 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91237175; 
rev:1;) alert tcp $HOME_NET any -> [95.217.215.24] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.215.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237171; rev:1;) alert tcp $HOME_NET any -> [95.216.181.87] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237172; rev:1;) alert tcp $HOME_NET any -> [78.47.233.159] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.233.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newagev"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.181.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199631487327"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237167; rev:1;) alert tcp $HOME_NET any -> [174.138.56.147] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237166; rev:1;) alert tcp $HOME_NET any -> [85.215.237.245] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237165; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91237163; rev:1;) alert tcp $HOME_NET any -> [149.248.17.69] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"36.150.160.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.221.248.167"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1237160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237158; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237157; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237156; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237155/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237155; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"5.230.229.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237153; rev:1;) alert tcp $HOME_NET any -> [54.39.179.157] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237152/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"mysticselect.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"mysticselect.com"; 
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bizabiza.mywire.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bizabiza.mywire.org"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1237151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237151; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 5833 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237147; rev:1;) alert tcp $HOME_NET any -> [51.38.178.159] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237146; rev:1;) alert tcp $HOME_NET any -> [3.142.70.21] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237145; rev:1;) alert tcp $HOME_NET any -> [3.143.139.73] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237144; rev:1;) alert tcp $HOME_NET any -> [141.145.196.196] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237143; rev:1;) alert tcp $HOME_NET any -> [167.172.47.15] 36936 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237142; rev:1;) alert tcp $HOME_NET any -> [180.139.173.232] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237141; rev:1;) alert tcp $HOME_NET any -> [3.109.228.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237140; rev:1;) alert tcp $HOME_NET any -> [175.24.130.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237139; rev:1;) alert tcp $HOME_NET any -> [137.74.7.196] 8001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237138; rev:1;) alert tcp $HOME_NET any -> [4.156.181.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237137; rev:1;) alert tcp $HOME_NET any -> [18.194.227.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237136; rev:1;) alert tcp $HOME_NET any -> [18.157.139.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237135; rev:1;) alert tcp $HOME_NET any -> [172.205.168.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; 
sid:91237134; rev:1;) alert tcp $HOME_NET any -> [212.39.153.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.vitamedicajobccb.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admiring-pascal.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.dnl-l.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.charming-wright.142-11-199-59.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fonts.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237126; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237125; rev:1;) alert tcp $HOME_NET any -> [103.108.42.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237124; rev:1;) alert tcp $HOME_NET any -> [103.108.43.23] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237123; rev:1;) alert tcp $HOME_NET any -> [103.108.42.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237121; rev:1;) alert tcp $HOME_NET any -> [103.108.43.25] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237122; rev:1;) alert tcp $HOME_NET any -> [182.16.35.149] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237120; rev:1;) alert tcp $HOME_NET any -> [103.108.43.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237119; rev:1;) alert tcp $HOME_NET any -> [124.223.201.58] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237118; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.akunet.host"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237117; rev:1;) alert tcp $HOME_NET any -> [93.123.85.14] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilonapi.fr"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237115; rev:1;) alert tcp $HOME_NET any -> [52.200.22.116] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sw.sono.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237113; rev:1;) alert tcp $HOME_NET any -> [66.135.13.235] 9075 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237112; rev:1;) alert tcp $HOME_NET any -> [34.118.118.118] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237111; rev:1;) alert tcp $HOME_NET any -> [35.199.67.241] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237110; rev:1;) alert tcp $HOME_NET any -> [41.216.183.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237109; rev:1;) alert tcp $HOME_NET any -> [98.66.153.174] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237108; rev:1;) alert tcp $HOME_NET any -> [89.23.97.83] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237107; rev:1;) alert tcp $HOME_NET any -> [188.27.175.18] 8080 
(msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237106; rev:1;) alert tcp $HOME_NET any -> [109.107.182.205] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237105; rev:1;) alert tcp $HOME_NET any -> [194.33.191.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237104; rev:1;) alert tcp $HOME_NET any -> [103.243.180.11] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-175-41-143-87.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-248-157.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-46-228-106.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1065782-2.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"files.paronibarry.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237098; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 104 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237097; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 57963 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237096/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237096; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 5903 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237094; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 9036 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237095; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 5671 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237093; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 4242 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237092; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237090; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237091; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 24828 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237089; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 6009 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237087; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 18925 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237088; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 2376 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237086; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 28015 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237085; rev:1;) 
alert tcp $HOME_NET any -> [102.117.152.61] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237083; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 12920 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237084; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 2375 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237082; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 4781 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237080; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 64741 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237081; rev:1;) alert tcp $HOME_NET any -> [41.216.183.126] 3741 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237079; rev:1;) alert tcp $HOME_NET any -> [191.82.252.2] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erp.topixtechnology.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237076; rev:1;) alert tcp $HOME_NET any -> [13.212.79.65] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov4.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pegasus.chicecon.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237073; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.racun.app"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237074; rev:1;) alert tcp $HOME_NET any -> [194.48.251.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzhn885.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.chicecon.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taojszxz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzuv455.com"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237069; rev:1;) alert tcp $HOME_NET any -> [79.137.207.154] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237067; rev:1;) alert tcp $HOME_NET any -> [34.107.114.24] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237065; rev:1;) alert tcp $HOME_NET any -> [85.202.160.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237066; rev:1;) alert tcp $HOME_NET any -> [31.44.2.39] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237064; rev:1;) alert tcp $HOME_NET any -> [45.61.166.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237063; rev:1;) alert tcp $HOME_NET any -> [62.72.32.226] 
80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237062; rev:1;) alert tcp $HOME_NET any -> [104.234.240.231] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237060; rev:1;) alert tcp $HOME_NET any -> [206.189.130.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.194-233-74-255.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin2.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.356142.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev6.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"194-233-74-255.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237054; rev:1;) alert tcp $HOME_NET any -> [93.123.39.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237052; rev:1;) alert tcp $HOME_NET any -> [193.233.254.64] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237053; rev:1;) 
alert tcp $HOME_NET any -> [137.184.43.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.64-225-100-2.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237051; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237048; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237049; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237047; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237046; rev:1;) alert tcp $HOME_NET any -> [45.141.215.222] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237045; rev:1;) alert tcp $HOME_NET any -> [190.28.167.19] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237043; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237044; rev:1;) alert tcp $HOME_NET any -> [107.161.81.150] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237042; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237041; rev:1;) alert tcp $HOME_NET any -> [68.67.203.245] 80 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237039; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237040; rev:1;) alert tcp $HOME_NET any -> [206.123.132.163] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237038; rev:1;) alert tcp $HOME_NET any -> [194.26.229.212] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-134-234-207.eu-west-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237037; rev:1;) alert tcp $HOME_NET any -> [38.6.177.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237035/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237035; rev:1;) alert tcp $HOME_NET any -> [44.219.14.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237034/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_05; classtype:trojan-activity; sid:91237034; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237033; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237032; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 1718 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237030; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237031; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237029; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237027; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237028; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237026; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237024; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237025; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237023; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237022; rev:1;) alert tcp $HOME_NET any -> [78.24.223.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237020; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237021; rev:1;) alert tcp $HOME_NET any -> [123.60.10.196] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237019; rev:1;) alert tcp $HOME_NET any -> [167.179.86.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237018; rev:1;) alert tcp $HOME_NET any -> [68.183.213.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237016; rev:1;) alert tcp $HOME_NET any -> [140.143.223.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237017; rev:1;) alert tcp $HOME_NET any -> [4.228.218.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237015; rev:1;) alert tcp $HOME_NET any -> [4.228.218.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237014; rev:1;) alert tcp $HOME_NET any -> [93.179.124.200] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237012; rev:1;) alert tcp $HOME_NET any -> 
[82.147.85.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237013; rev:1;) alert tcp $HOME_NET any -> [43.143.241.241] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237011; rev:1;) alert tcp $HOME_NET any -> [117.50.196.59] 3255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237010; rev:1;) alert tcp $HOME_NET any -> [123.56.81.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237009; rev:1;) alert tcp $HOME_NET any -> [124.221.248.167] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237008; rev:1;) alert tcp $HOME_NET any -> [104.236.196.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237007/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237007; rev:1;) alert tcp $HOME_NET any -> [141.98.81.97] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237006; rev:1;) alert tcp $HOME_NET any -> [34.31.210.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237005; rev:1;) alert tcp $HOME_NET any -> [129.204.245.247] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237003; rev:1;) alert tcp $HOME_NET any -> [129.204.245.247] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237004; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237002; rev:1;) alert tcp $HOME_NET any -> [222.187.224.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237001; rev:1;) alert tcp $HOME_NET any -> [124.222.173.133] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236999; rev:1;) alert tcp $HOME_NET any -> [49.235.144.122] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237000; rev:1;) alert tcp $HOME_NET any -> [43.143.168.186] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236998; rev:1;) alert tcp $HOME_NET any -> [8.130.80.79] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236996; rev:1;) alert tcp $HOME_NET any -> [74.48.125.18] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236997/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_05; classtype:trojan-activity; sid:91236997; rev:1;) alert tcp $HOME_NET any -> [185.154.14.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236995; rev:1;) alert tcp $HOME_NET any -> [5.135.224.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236993; rev:1;) alert tcp $HOME_NET any -> [188.166.22.203] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236994; rev:1;) alert tcp $HOME_NET any -> [104.168.102.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gifted-khayyam.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236991; rev:1;) alert tcp $HOME_NET any -> [134.122.164.214] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.optimistic-rubin.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236990; rev:1;) alert tcp $HOME_NET any -> [122.51.243.31] 39689 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236988; rev:1;) alert tcp $HOME_NET any -> [175.24.130.231] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236987; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 5511 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236985; rev:1;) alert tcp $HOME_NET any -> [120.27.132.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236986/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confident-bouman.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quirky-williamson.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kind-villani.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236982; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.modest-colden.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236980/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_05; classtype:trojan-activity; sid:91236980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sync.maksonsab.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.brave-herschel.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.optimistic-almeida.104-168-102-175.plesk.page"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.happy-burnell.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-36-225-33.eu-west-3.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236976/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_05; classtype:trojan-activity; sid:91236976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-fermat.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fervent-gates.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hardcore-wescoff.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modest-colden.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"our.openarmscv.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236969/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_05; classtype:trojan-activity; sid:91236969; rev:1;) alert tcp $HOME_NET any -> [88.119.169.207] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"i.wanna.see.20242525.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236968/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_05; classtype:trojan-activity; sid:91236968; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 8001 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236967/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_05; classtype:trojan-activity; sid:91236967; rev:1;) alert tcp $HOME_NET any -> [193.233.132.95] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236966; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"www.micros0fti.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236964; rev:1;) alert tcp $HOME_NET any -> [172.67.165.208] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236962; rev:1;) alert tcp $HOME_NET any -> [104.21.73.201] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236963; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236961; rev:1;) alert tcp $HOME_NET any -> [156.251.19.27] 20399 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236960; rev:1;) alert tcp $HOME_NET any -> [39.105.101.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236959; rev:1;) alert tcp $HOME_NET any -> [45.142.182.104] 4568 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236957; rev:1;) alert tcp $HOME_NET any -> [130.61.130.111] 2087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236958; rev:1;) alert tcp $HOME_NET any -> [91.230.110.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236956; rev:1;) alert tcp $HOME_NET any -> [147.124.221.85] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; 
sid:91236954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.38.67"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236953; rev:1;) alert tcp $HOME_NET any -> [95.217.28.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236952; rev:1;) alert tcp $HOME_NET any -> [88.99.38.67] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236951; rev:1;) alert tcp $HOME_NET any -> [91.92.245.248] 1985 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236950; rev:1;) alert tcp $HOME_NET any -> [45.15.159.130] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236949; rev:1;) alert tcp $HOME_NET any -> [103.145.107.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236948; rev:1;) alert tcp $HOME_NET any -> [116.204.123.237] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236947; rev:1;) alert tcp $HOME_NET any -> [123.57.3.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236946; rev:1;) alert tcp $HOME_NET any -> [41.99.71.216] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236945; rev:1;) alert tcp $HOME_NET any -> [41.251.199.21] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236944; rev:1;) alert tcp $HOME_NET any -> [41.98.253.127] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236943; rev:1;) alert 
tcp $HOME_NET any -> [41.97.152.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236942; rev:1;) alert tcp $HOME_NET any -> [84.237.209.170] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236941; rev:1;) alert tcp $HOME_NET any -> [45.137.10.34] 3333 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236940; rev:1;) alert tcp $HOME_NET any -> [141.98.168.243] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236939; rev:1;) alert tcp $HOME_NET any -> [141.98.168.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236938; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236937/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236937; rev:1;) alert tcp $HOME_NET any -> [35.73.145.106] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236936; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236934; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4006 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236935; rev:1;) alert tcp $HOME_NET any -> [193.222.96.162] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236933; rev:1;) alert tcp $HOME_NET any -> [193.222.96.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"telergraml.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"telergraml.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236896; rev:1;) alert tcp $HOME_NET any -> [192.236.162.234] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236928; rev:1;) alert tcp $HOME_NET any -> [91.92.247.108] 1986 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/667f720d.php"; depth:13; nocase; http.host; content:"hammiest-dependents.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236930; rev:1;) alert tcp $HOME_NET any -> [103.86.130.85] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.178.76.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"193.222.96.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236926; rev:1;) alert tcp $HOME_NET any -> [124.220.49.74] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236925/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236925; rev:1;) alert tcp $HOME_NET any -> [5.149.249.74] 47987 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236924; rev:1;) alert tcp $HOME_NET any -> [165.22.116.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236923/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236923; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236922/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236922; rev:1;) alert tcp $HOME_NET any -> [101.35.141.80] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236921/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236921; rev:1;) alert tcp $HOME_NET any -> [20.2.223.43] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236920/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236920; rev:1;) alert tcp $HOME_NET any -> [47.115.230.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236919/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236919; rev:1;) alert tcp $HOME_NET any -> [43.143.130.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236918/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236918; rev:1;) alert tcp 
$HOME_NET any -> [47.115.225.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236917/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236917; rev:1;) alert tcp $HOME_NET any -> [20.56.70.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236916/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236916; rev:1;) alert tcp $HOME_NET any -> [45.195.76.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236915; rev:1;) alert tcp $HOME_NET any -> [45.93.20.242] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236914; rev:1;) alert tcp $HOME_NET any -> [103.13.210.210] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236913; rev:1;) alert tcp $HOME_NET any -> [91.230.110.126] 4321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236912; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 16322 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236911; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 16322 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236910; rev:1;) alert tcp $HOME_NET any -> [94.156.69.136] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236909; rev:1;) alert tcp $HOME_NET any -> [103.66.59.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236908; rev:1;) alert tcp $HOME_NET any -> [74.48.220.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236907; rev:1;) alert tcp $HOME_NET any -> [142.154.101.77] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236906; rev:1;) alert tcp $HOME_NET any -> [74.12.144.248] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236904; rev:1;) alert tcp $HOME_NET any -> [154.246.150.122] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236905; rev:1;) alert tcp $HOME_NET any -> [31.190.194.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236903; rev:1;) alert tcp $HOME_NET any -> [94.98.76.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236902; rev:1;) alert tcp $HOME_NET any -> [86.222.181.33] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; 
sid:91236901; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 8010 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236900; rev:1;) alert tcp $HOME_NET any -> [143.198.78.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236899; rev:1;) alert tcp $HOME_NET any -> [38.62.236.182] 34712 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236898; rev:1;) alert tcp $HOME_NET any -> [51.158.96.140] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236897; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 53576 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; 
nocase; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b57f88e9b186cd.php"; depth:21; nocase; http.host; content:"91.206.178.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236892; rev:1;) alert tcp $HOME_NET any -> [167.235.26.247] 9300 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236891; rev:1;) alert tcp $HOME_NET any -> [195.201.242.216] 443 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236890; rev:1;) alert tcp $HOME_NET any -> [123.206.29.183] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236889; rev:1;) alert tcp $HOME_NET any -> [91.92.244.240] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236888/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236888; rev:1;) alert tcp $HOME_NET any -> [194.9.172.238] 1443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236887; rev:1;) alert tcp $HOME_NET any -> [218.161.70.146] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236886; rev:1;) alert tcp $HOME_NET any -> [171.5.180.138] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236885; rev:1;) alert tcp $HOME_NET any -> [109.205.61.95] 3777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236884; rev:1;) alert tcp $HOME_NET any -> [147.229.148.205] 5000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236883; rev:1;) alert tcp $HOME_NET any -> [141.255.167.250] 4760 (msg:"ThreatFox Meterpreter botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236882; rev:1;) alert tcp $HOME_NET any -> [103.223.12.163] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236881; rev:1;) alert tcp $HOME_NET any -> [178.63.172.20] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236880; rev:1;) alert tcp $HOME_NET any -> [94.188.60.245] 3333 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236879; rev:1;) alert tcp $HOME_NET any -> [159.65.156.37] 9990 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236878; rev:1;) alert tcp $HOME_NET any -> [94.156.69.37] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updacon.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236832; rev:1;) alert tcp $HOME_NET any -> [192.253.251.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236877; rev:1;) alert tcp $HOME_NET any -> [186.169.69.242] 8523 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236876; rev:1;) alert tcp $HOME_NET any -> [45.76.12.238] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236875; rev:1;) alert tcp $HOME_NET any -> [178.236.247.250] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236874; rev:1;) alert tcp $HOME_NET any -> [111.92.243.131] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1236873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236873; rev:1;) alert tcp $HOME_NET any -> [91.92.242.235] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236872; rev:1;) alert tcp $HOME_NET any -> [45.76.196.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236871; rev:1;) alert tcp $HOME_NET any -> [47.242.73.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236870; rev:1;) alert tcp $HOME_NET any -> [141.255.159.87] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236869; rev:1;) alert tcp $HOME_NET any -> [38.181.35.232] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236868; rev:1;) alert tcp $HOME_NET any -> [141.255.159.135] 80 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236867; rev:1;) alert tcp $HOME_NET any -> [154.246.204.6] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236866; rev:1;) alert tcp $HOME_NET any -> [198.13.49.217] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236865; rev:1;) alert tcp $HOME_NET any -> [139.99.186.184] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236864; rev:1;) alert tcp $HOME_NET any -> [154.247.243.232] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236863; rev:1;) alert tcp $HOME_NET any -> [171.80.235.121] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236862; 
rev:1;) alert tcp $HOME_NET any -> [154.246.107.125] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236861; rev:1;) alert tcp $HOME_NET any -> [154.247.197.111] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236860; rev:1;) alert tcp $HOME_NET any -> [141.255.146.46] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236859; rev:1;) alert tcp $HOME_NET any -> [94.156.69.93] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236858; rev:1;) alert tcp $HOME_NET any -> [171.41.199.216] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236857; rev:1;) alert tcp $HOME_NET any -> [91.92.249.225] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236856/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236856; rev:1;) alert tcp $HOME_NET any -> [166.88.61.138] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236855; rev:1;) alert tcp $HOME_NET any -> [91.92.255.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236854; rev:1;) alert tcp $HOME_NET any -> [213.226.117.48] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236853; rev:1;) alert tcp $HOME_NET any -> [95.72.172.97] 9080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236852; rev:1;) alert tcp $HOME_NET any -> [171.80.251.240] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236851; rev:1;) alert tcp $HOME_NET any -> [64.176.217.187] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236850; rev:1;) alert tcp $HOME_NET any -> [183.105.191.36] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236849; rev:1;) alert tcp $HOME_NET any -> [154.204.178.170] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236848; rev:1;) alert tcp $HOME_NET any -> [171.80.235.135] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236847; rev:1;) alert tcp $HOME_NET any -> [85.209.176.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236846; rev:1;) alert tcp $HOME_NET any -> [171.80.234.90] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236845; rev:1;) alert tcp $HOME_NET any -> [210.56.49.4] 8848 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236844; rev:1;) alert tcp $HOME_NET any -> [148.135.34.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236843; rev:1;) alert tcp $HOME_NET any -> [91.92.253.204] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236842; rev:1;) alert tcp $HOME_NET any -> [88.99.150.167] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236841; rev:1;) alert tcp $HOME_NET any -> [88.99.150.149] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236840; rev:1;) alert tcp $HOME_NET any -> [88.99.150.167] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236839; rev:1;) alert tcp $HOME_NET any -> [104.248.249.135] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236838; rev:1;) alert tcp $HOME_NET any -> [44.200.32.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236837; rev:1;) alert tcp $HOME_NET any -> [13.235.8.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236836; rev:1;) alert tcp $HOME_NET any -> [3.83.182.180] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236835; rev:1;) alert tcp $HOME_NET any -> [175.41.143.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; 
depth:21; nocase; http.host; content:"185.172.128.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.33.221.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236830; rev:1;) alert tcp $HOME_NET any -> [107.23.38.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmobd90auod5w.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"dmobd90auod5w.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236827; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2zp39t2eezbsc.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2zp39t2eezbsc.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acap.html"; depth:10; nocase; http.host; content:"167.71.88.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k-hbgsakedfme8azej.a03.azurefd.net"; depth:34; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"k-hbgsakedfme8azej.a03.azurefd.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236821; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236820; rev:1;) alert tcp $HOME_NET any -> [104.131.9.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"adibh.azureedge.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adibh.azureedge.net"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236818; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236816; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236815; rev:1;) alert tcp $HOME_NET any -> [172.187.200.225] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"194.87.31.20"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.216.100.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.205.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.185.85.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.205.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.160"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236694; rev:1;) alert tcp $HOME_NET any -> [195.85.207.219] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236683; rev:1;) alert tcp $HOME_NET any -> [31.210.50.162] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236684; rev:1;) alert tcp $HOME_NET any -> [94.131.113.192] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236685; rev:1;) alert tcp $HOME_NET any -> [31.42.190.137] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236687; rev:1;) alert tcp $HOME_NET any -> [154.198.245.50] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236686; rev:1;) alert tcp $HOME_NET any -> [194.195.245.97] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236689; rev:1;) alert tcp $HOME_NET any -> [195.10.205.18] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236688; rev:1;) alert tcp $HOME_NET any -> [207.180.224.118] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236690; rev:1;) alert tcp $HOME_NET any -> [91.92.249.240] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236691; rev:1;) alert tcp $HOME_NET any -> [20.90.160.195] 8082 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.77.121"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"146.70.161.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.149.146.159"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1236708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.133.81"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.247.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.26.239.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236713; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.106.94.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.118.52.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"8.217.23.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.150.65.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/auth/login"; depth:11; nocase; http.host; content:"212.113.116.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"20.0.25.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.246.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.185.85.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236722/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"78.141.239.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.72.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.20.46.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.20.43.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.173.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"74.50.93.136"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; 
nocase; http.host; content:"51.81.243.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.72.48"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.74.19.107"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.106.94.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.17.0.222"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236735/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_04; classtype:trojan-activity; sid:91236735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.246.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.170.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"194.87.71.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.78.61"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.199.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"64.52.80.13"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.133.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; 
sid:91236747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.72"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.146.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.225.200.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.194.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236753; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 30520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jd03-30520.portmap.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236559; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 14881 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auto-benjamin.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236575; rev:1;) alert tcp $HOME_NET any -> [213.159.61.169] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vinijr27.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"noiphabibi.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236794; rev:1;) alert tcp $HOME_NET any -> [123.207.50.70] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236791; rev:1;) alert tcp $HOME_NET any -> [74.48.84.59] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236792; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.aerostatus.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.go2tr.ir"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.theaerie.ca"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"mta4.sharenscookbook.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236787; rev:1;) alert tcp $HOME_NET any -> [50.18.8.146] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0.tcp.us-cal-1.ngrok.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.aist.world"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236785; rev:1;) alert tcp $HOME_NET any -> [184.72.44.51] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236781; rev:1;) alert tcp $HOME_NET any -> [54.193.184.75] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236782/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236782; rev:1;) alert tcp $HOME_NET any -> [3.140.223.7] 15696 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuxy.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236779; rev:1;) alert tcp $HOME_NET any -> [52.8.87.87] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twjdy.freemyip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moveleiros-projeto.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjhghyfgtttyuuugfd7654332.cfd"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweuurgr86765.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjghgfgftdrdssst7654345.cfd"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjgjghfgfhgdhfgsed56.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hghgfttcdsstyytff655cvhf.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"hjfhwefhuuuuf8383992.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfffhtdrtggdd654346.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgfjfgfgfty6765433.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgfttyuujg87654.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuhruewhrhurw7837.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fffsddhddd3.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1236802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfjfglklihilughgf434wdfg.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236800; rev:1;) alert tcp $HOME_NET any -> [5.42.65.107] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236797; rev:1;) alert tcp $HOME_NET any -> [206.237.15.161] 8096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ygyjgjygjyfjyfftt6654433.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ytytyfghhjhyt77865.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowstestjavascript/provider3/dletopython8/voiddblowprovider/bigloadasync0temp/packetgametemporary.php"; depth:105; nocase; http.host; content:"185.195.27.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236798; rev:1;) alert tcp $HOME_NET any -> [84.2.81.135] 6923 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.116.198.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236775; rev:1;) alert tcp $HOME_NET any -> [84.45.122.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"can.comewithme.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236773; rev:1;) alert tcp $HOME_NET any -> [193.222.96.25] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copper-king.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236771; rev:1;) alert tcp $HOME_NET any -> [103.86.130.72] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236770; rev:1;) alert tcp $HOME_NET any -> [189.140.50.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236768; rev:1;) alert tcp $HOME_NET any -> [159.235.5.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236767; rev:1;) alert tcp $HOME_NET any -> [74.12.144.248] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236766; rev:1;) alert tcp $HOME_NET any -> [45.243.218.9] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236765; rev:1;) alert tcp $HOME_NET any -> [151.30.51.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236764; rev:1;) alert tcp $HOME_NET any -> [79.107.138.79] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236763; rev:1;) alert tcp $HOME_NET any -> [91.92.253.160] 6075 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236762; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236761; rev:1;) alert tcp $HOME_NET any -> [204.28.111.10] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"178.141.170.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; 
content:"cm56126.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236758; rev:1;) alert tcp $HOME_NET any -> [13.245.184.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236757; rev:1;) alert tcp $HOME_NET any -> [119.91.89.203] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236756; rev:1;) alert tcp $HOME_NET any -> [185.39.204.47] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/3/securetestuniversal/phpjshttpprocessorauthsqlwp.php"; depth:59; nocase; http.host; content:"85.209.9.184"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236754; rev:1;) alert tcp $HOME_NET any -> [164.155.203.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236693; rev:1;) alert tcp $HOME_NET any -> [188.127.24.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236682; rev:1;) alert tcp $HOME_NET any -> [103.86.130.35] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236681; rev:1;) alert tcp $HOME_NET any -> [94.228.123.188] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236680; rev:1;) alert tcp $HOME_NET any -> [154.8.157.205] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236679; rev:1;) alert tcp $HOME_NET any -> [147.78.103.18] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalsecurehttppacketbigloadsqltest.php"; depth:42; nocase; http.host; content:"907916cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236677; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236676; rev:1;) alert tcp $HOME_NET any -> [13.36.225.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236675; rev:1;) alert tcp $HOME_NET any -> [154.8.157.205] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236674; rev:1;) alert tcp $HOME_NET any -> [23.94.255.161] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236673; rev:1;) alert tcp $HOME_NET any -> [88.214.25.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"88.214.25.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"invoce-social.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236670; rev:1;) alert tcp $HOME_NET any -> [88.214.25.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"88.214.25.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236668; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invoce-social.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"invoce-social.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236666; rev:1;) alert tcp $HOME_NET any -> [194.147.140.138] 3320 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236665; rev:1;) alert tcp $HOME_NET any -> [46.246.4.20] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236661; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 4443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236660/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236660; rev:1;) alert tcp $HOME_NET any -> [173.44.141.146] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236659; rev:1;) alert tcp $HOME_NET any -> [13.56.214.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236658; rev:1;) alert tcp $HOME_NET any -> [178.73.218.3] 101 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236657; rev:1;) alert tcp $HOME_NET any -> [138.201.19.103] 3336 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236656; rev:1;) alert tcp $HOME_NET any -> [85.10.133.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236655; rev:1;) alert tcp $HOME_NET any -> [34.198.81.115] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236654; rev:1;) alert tcp $HOME_NET any -> [34.128.110.49] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236653; rev:1;) alert tcp $HOME_NET any -> [52.146.15.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236652; rev:1;) alert tcp $HOME_NET any -> [3.25.226.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236651; rev:1;) alert tcp $HOME_NET any -> [35.199.114.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236650; rev:1;) alert tcp $HOME_NET any -> [18.157.139.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236649; rev:1;) alert tcp $HOME_NET any -> [34.237.150.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236648; rev:1;) alert tcp $HOME_NET any -> [47.100.81.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236647; rev:1;) alert tcp $HOME_NET any -> [37.60.239.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236646; rev:1;) alert tcp $HOME_NET any -> [18.194.227.164] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236645; rev:1;) alert tcp $HOME_NET any -> [49.234.190.91] 8083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236644; rev:1;) alert tcp $HOME_NET any -> [104.238.214.47] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236643; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.vitamedicajobccb.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236642; rev:1;) alert tcp $HOME_NET any -> [142.11.199.59] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.vitamedicajobccb.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236640; rev:1;) alert tcp $HOME_NET any -> [60.204.203.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236639; rev:1;) alert tcp $HOME_NET any -> [110.40.36.67] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236638; rev:1;) alert tcp $HOME_NET any -> [143.92.58.61] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236637; rev:1;) alert tcp $HOME_NET any -> [176.124.32.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mywestpac.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"103.54.57.251.sslip.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236634; rev:1;) alert tcp $HOME_NET any -> [123.99.201.37] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jolly-ganguly.45-141-215-173.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236632/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"node1.abcd2.monster"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236631; rev:1;) alert tcp $HOME_NET any -> [95.111.238.79] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236630; rev:1;) alert tcp $HOME_NET any -> [18.139.243.205] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236629; rev:1;) alert tcp $HOME_NET any -> [188.26.86.131] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv001e.feja111.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236627; rev:1;) alert tcp $HOME_NET any -> [91.92.248.152] 6606 (msg:"ThreatFox Venom RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236626; rev:1;) alert tcp $HOME_NET any -> [91.92.248.121] 5902 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premier-stream.co.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-8-98.ap-south-1.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.premier-stream.co.uk"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambankgruop.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1236621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-12.eekal.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236620; rev:1;) alert tcp $HOME_NET any -> [94.156.69.28] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236619; rev:1;) alert tcp $HOME_NET any -> [193.163.7.139] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236618; rev:1;) alert tcp $HOME_NET any -> [194.233.74.255] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236617; rev:1;) alert tcp $HOME_NET any -> [185.172.128.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"356142.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236614; rev:1;) alert tcp $HOME_NET any -> [3.72.85.14] 8001 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.194-233-74-255.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsola256.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236613; rev:1;) alert tcp $HOME_NET any -> [3.1.206.216] 8001 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236611; rev:1;) alert tcp $HOME_NET any -> [178.236.247.158] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236610; rev:1;) alert tcp $HOME_NET any -> [154.12.30.64] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236609; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236608; rev:1;) alert tcp $HOME_NET any -> [186.112.194.124] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236607; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236605; rev:1;) alert tcp $HOME_NET any -> [151.67.33.99] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236606; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 7707 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236604; rev:1;) alert tcp $HOME_NET any -> [91.92.252.126] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236603; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236602; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236600/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236600; rev:1;) alert tcp $HOME_NET any -> [34.162.154.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236601/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236601; rev:1;) alert tcp $HOME_NET any -> [47.111.31.7] 43365 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236599/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236599; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 13975 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236598/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236598; rev:1;) alert tcp $HOME_NET any -> [185.82.219.87] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236597; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236595; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1896 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236596; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 52047 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236594; rev:1;) alert tcp $HOME_NET any -> [154.3.0.131] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1236593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236593; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236592; rev:1;) alert tcp $HOME_NET any -> [43.154.190.128] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236591; rev:1;) alert tcp $HOME_NET any -> [162.14.125.5] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236590; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236589; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236587; rev:1;) alert tcp $HOME_NET any -> 
[107.174.243.15] 554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236588; rev:1;) alert tcp $HOME_NET any -> [154.9.252.97] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236586; rev:1;) alert tcp $HOME_NET any -> [192.3.235.87] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236585; rev:1;) alert tcp $HOME_NET any -> [107.189.14.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236584; rev:1;) alert tcp $HOME_NET any -> [47.120.54.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236582; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236583/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236583; rev:1;) alert tcp $HOME_NET any -> [107.172.201.247] 19211 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236581; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-205-190-164.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236579; rev:1;) alert tcp $HOME_NET any -> [185.216.70.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-22-66-152.us-east-2.compute.amazonaws.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236577; 
rev:1;) alert tcp $HOME_NET any -> [176.122.189.30] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236576; rev:1;) alert tcp $HOME_NET any -> [5.42.73.251] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236573; rev:1;) alert tcp $HOME_NET any -> [43.228.125.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236572; rev:1;) alert tcp $HOME_NET any -> [43.143.236.67] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236571; rev:1;) alert tcp $HOME_NET any -> [78.16.61.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236570; rev:1;) alert tcp $HOME_NET any -> [96.87.28.171] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236569; rev:1;) alert tcp $HOME_NET any -> [41.99.50.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236568; rev:1;) alert tcp $HOME_NET any -> [77.8.150.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236567; rev:1;) alert tcp $HOME_NET any -> [148.135.11.253] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236566; rev:1;) alert tcp $HOME_NET any -> [20.38.38.37] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236565; rev:1;) alert tcp $HOME_NET any -> [124.222.63.238] 8029 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236564; rev:1;) alert tcp $HOME_NET any -> [91.132.196.39] 9090 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236563; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4007 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236562; rev:1;) alert tcp $HOME_NET any -> [193.222.96.161] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowuniversal.php"; depth:17; nocase; http.host; content:"076902cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236560; rev:1;) alert tcp $HOME_NET any -> [92.222.212.74] 1450 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"38.181.2.11"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236556; rev:1;) alert tcp $HOME_NET any -> [212.224.86.54] 58003 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236555; rev:1;) alert tcp $HOME_NET any -> [216.98.13.172] 26604 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236554; rev:1;) alert tcp $HOME_NET any -> [3.141.142.211] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vbatallafinal23.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236553; rev:1;) alert tcp $HOME_NET any -> [46.246.86.4] 101 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7a957ef6cc168ff6.php"; depth:21; nocase; http.host; content:"194.120.116.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236550; rev:1;) alert tcp $HOME_NET any -> [3.132.159.158] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236542; rev:1;) alert tcp $HOME_NET any -> [3.140.223.7] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236543; rev:1;) alert tcp $HOME_NET any -> [3.141.177.1] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236544; rev:1;) alert tcp $HOME_NET any -> [3.141.210.37] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236545; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 13538 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236546; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 13747 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236547; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 13538 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236548; rev:1;) alert tcp $HOME_NET any -> [103.86.131.106] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236549/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236549; rev:1;) alert tcp $HOME_NET any -> [88.210.9.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236541; rev:1;) alert tcp $HOME_NET any -> [209.38.216.156] 2087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236540/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"149.104.27.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.24.70.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"42.193.248.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.115.225.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.115.230.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"45.195.76.82"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1236531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.24.70.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.155.135.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"182.254.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236527; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.221.151.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236526; rev:1;)
# NOTE(review): the url rules on this line anchor http.host at both ends
# (depth equal to the host length, then isdataat:!1,relative) but leave
# http.uri as a prefix match (depth only, no isdataat), so a URI that merely
# begins with the string (e.g. with a query string appended) also matches.
# That is acceptable because each generic-looking path ("/visit.js", "/ping")
# is paired with one specific host; do not reuse the path alone.
# NOTE(review): sid 91236525 (IoC 1236525) and sid 91236518 (IoC 1236518,
# further down this feed) carry the same URI "/cx" and the same
# apigw.tencentcs.com host with the same first_seen, so one request raises
# both alerts. Keep one sid, or dedupe on (uri, host) at ingest, unless the
# two IoC records are intentionally tracked separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ping"; depth:5; nocase; http.host; content:"cdns.casacam.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236524; rev:1;)
# NOTE(review): lookalike host ("micros0fti"); the matching dns_query rule for
# the same domain (IoC 1236523) follows on the next line, so DNS resolution
# and the HTTP request are alerted independently.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"www.micros0fti.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.micros0fti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236518/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0913347.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236516; rev:1;) alert tcp $HOME_NET any -> [85.239.34.70] 9110 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"z.botnet.rocks"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236515; rev:1;) alert tcp $HOME_NET any -> [191.101.209.29] 20427 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236507/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236507; rev:1;)
# NOTE(review): sid 91236508 matches the 17-byte apex "statisticsong.com"
# exactly (depth:17 plus isdataat:!1,relative), so it does NOT cover
# subdomains; the three host-specific rules that follow are required, not
# redundant. "panal.statisticsong.com" (IoC 1236510) and
# "panel.statisticsong.com" (IoC 1236511) are two distinct indicators in the
# feed -- confirm against the referenced ThreatFox entries before treating
# either one as a data-entry typo and dropping it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"statisticsong.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.statisticsong.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panal.statisticsong.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.statisticsong.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236511; rev:1;)
# NOTE(review): ip:port rule with no payload condition, confidence_level 75;
# a second rule for the same address on another port (sid 91236513)
# continues on the next line of the feed.
alert tcp $HOME_NET any -> [45.13.227.186] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236512/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236512; rev:1;)
alert tcp $HOME_NET any -> 
[45.13.227.186] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236513/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236513; rev:1;) alert tcp $HOME_NET any -> [42.236.91.107] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236506; rev:1;) alert tcp $HOME_NET any -> [103.61.139.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"103.61.139.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236504; rev:1;) alert tcp $HOME_NET any -> [89.247.50.191] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236503; rev:1;) alert tcp $HOME_NET any -> [62.72.5.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236502; rev:1;) alert tcp $HOME_NET any -> [89.208.103.187] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kami.magication.us"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"karleonno.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236499; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236497/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236497; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236495/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236495; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236498; rev:1;) alert tcp $HOME_NET any -> [167.71.88.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236494; rev:1;) alert tcp $HOME_NET any -> [74.12.146.248] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236493; rev:1;) alert tcp $HOME_NET any -> [79.107.143.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236492; rev:1;) alert tcp $HOME_NET any -> [122.114.8.164] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236491; rev:1;)
# NOTE(review): the Havoc/BianLian ip:port rules on this line are all
# confidence_level 50 and match any $HOME_NET TCP session to the listed
# address:port with no payload condition; "threshold: type limit ... seconds
# 60, count 1" only caps alert volume per source, it adds no evidence.
# Treat them as alert/enrichment signals rather than block decisions and
# filter on the metadata confidence_level when tuning; the common ports
# (443/80) raise the false-positive cost if an address is later reassigned.
# target:src_ip marks the internal connecting host as the victim side, which
# is the field SIEM correlation should key on.
alert tcp $HOME_NET any -> [158.160.65.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236490; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236489; rev:1;)
alert tcp $HOME_NET any -> [103.195.6.58] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236488; rev:1;)
alert tcp $HOME_NET any -> [47.236.237.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236487; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.195] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236486; rev:1;) alert tcp $HOME_NET any -> [60.247.153.126] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"91.92.242.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236481; rev:1;) alert tcp $HOME_NET any -> [192.210.140.35] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236480; rev:1;) alert tcp $HOME_NET any -> [42.193.248.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236479/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236479; rev:1;) alert tcp $HOME_NET any -> [18.158.35.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236478; rev:1;) alert tcp $HOME_NET any -> [18.158.35.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236477; rev:1;) alert tcp $HOME_NET any -> [3.95.67.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236476/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236476; rev:1;) alert tcp $HOME_NET any -> [37.60.239.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236473; rev:1;) alert tcp $HOME_NET any -> [58.59.222.51] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236472; rev:1;) alert tcp $HOME_NET any -> [62.204.41.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.controlpanel29.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236470; rev:1;)
# NOTE(review): "ec2-52-3-173-99.compute-1.amazonaws.com" is the provider's
# generic reverse-DNS name for the address embedded in it, not an
# attacker-registered domain; the indicator is only as durable as the tenant
# holding that address, so re-check it against first_seen and the ThreatFox
# reference before keeping it in a long-lived ruleset. The exact-length
# anchoring (depth:39 plus isdataat:!1,relative) at least prevents it from
# matching other compute-1.amazonaws.com names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-3-173-99.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236469; rev:1;)
alert tcp $HOME_NET any -> [73.3.46.163] 4855 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236468; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.64] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taobao7737.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236466; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236465; rev:1;) alert tcp $HOME_NET any -> [34.29.228.84] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236464; rev:1;) alert tcp $HOME_NET any -> [45.141.215.222] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236463; rev:1;) alert tcp $HOME_NET any -> [43.139.189.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236462; rev:1;) alert tcp $HOME_NET any -> [91.236.116.26] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236461; rev:1;) alert tcp $HOME_NET any -> [144.202.25.198] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236460/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236460; rev:1;) alert tcp $HOME_NET any -> [206.166.251.32] 18443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236459; rev:1;) alert tcp $HOME_NET any -> [116.205.190.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236457; rev:1;) alert tcp $HOME_NET any -> [157.245.222.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forge/static/hulnwcwi"; depth:22; nocase; http.host; content:"service-jnajkkdg-1318687485.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jnajkkdg-1318687485.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236455; rev:1;) alert tcp $HOME_NET any -> [84.45.122.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"comewithme.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comewithme.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236450/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236450; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"91.92.242.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236448; rev:1;) alert tcp $HOME_NET any -> [41.97.220.8] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236447; rev:1;) alert tcp $HOME_NET any -> [45.150.79.56] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0f62e5c.php"; depth:13; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236445/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_02; classtype:trojan-activity; sid:91236445; rev:1;) alert tcp $HOME_NET any -> [95.217.65.174] 11130 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236444; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236424; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236442/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236442; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236443; rev:1;) alert tcp $HOME_NET any -> [8.130.17.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236441; rev:1;) alert tcp $HOME_NET any -> [79.130.53.226] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236440; rev:1;) alert tcp $HOME_NET any -> [41.96.88.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236439; rev:1;) alert tcp $HOME_NET any -> [201.137.204.103] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236438; rev:1;) alert tcp $HOME_NET any -> [90.42.9.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236437; rev:1;) alert tcp $HOME_NET any -> [154.247.198.92] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236436; rev:1;) alert tcp $HOME_NET any -> [92.223.160.132] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236435; rev:1;) alert tcp $HOME_NET any -> [138.197.134.200] 8443 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236434; rev:1;) alert tcp $HOME_NET any -> [91.92.253.138] 6075 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236433; rev:1;) alert tcp $HOME_NET any -> [84.32.44.210] 64543 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236431; rev:1;) alert tcp $HOME_NET any -> [193.233.132.73] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236430; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236429; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjvjls3jd2v/index.php"; depth:22; nocase; http.host; content:"193.233.132.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99210de056092a58.php"; depth:21; nocase; http.host; content:"104.245.33.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236426; rev:1;) alert tcp $HOME_NET any -> [159.69.86.27] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236425; rev:1;) alert tcp $HOME_NET any -> [35.228.7.192] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236423; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236422; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236420; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236421; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236419; rev:1;) alert tcp $HOME_NET any -> [77.1.170.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236418; rev:1;) alert tcp $HOME_NET any -> [38.62.236.152] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236417; rev:1;) alert tcp $HOME_NET any -> [152.203.66.173] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236416; rev:1;) alert tcp $HOME_NET any -> [3.219.110.4] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236414; rev:1;) alert tcp $HOME_NET any -> [189.112.212.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236415; rev:1;) alert tcp $HOME_NET any -> [113.37.87.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236413; rev:1;) alert tcp $HOME_NET any -> [18.191.227.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236412; rev:1;) alert tcp $HOME_NET any -> [70.34.252.126] 5333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236410; rev:1;) alert tcp $HOME_NET any -> 
[18.198.146.182] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236411; rev:1;) alert tcp $HOME_NET any -> [141.94.244.50] 444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236409; rev:1;) alert tcp $HOME_NET any -> [64.226.108.52] 17240 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236408; rev:1;) alert tcp $HOME_NET any -> [63.35.217.229] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236407; rev:1;) alert tcp $HOME_NET any -> [34.29.171.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236406; rev:1;) alert tcp $HOME_NET any -> [20.195.169.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236405; rev:1;) alert tcp $HOME_NET any -> [40.76.178.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236404; rev:1;) alert tcp $HOME_NET any -> [54.174.138.45] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236403; rev:1;) alert tcp $HOME_NET any -> [34.226.155.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236402; rev:1;) alert tcp $HOME_NET any -> [34.125.18.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236400; rev:1;) alert tcp $HOME_NET any -> [40.67.208.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-206-174-2.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236399; rev:1;) alert tcp $HOME_NET any -> [123.249.83.178] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236398; rev:1;) alert tcp $HOME_NET any -> [120.55.85.239] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236397; rev:1;) alert tcp $HOME_NET any -> [47.113.218.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236396; rev:1;) alert tcp $HOME_NET any -> [8.137.106.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236395; rev:1;) alert tcp $HOME_NET any -> [47.108.233.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1236394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236394; rev:1;) alert tcp $HOME_NET any -> [23.105.197.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236393; rev:1;) alert tcp $HOME_NET any -> [142.171.229.78] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mywestpac.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.panitor.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panelbar.ct8.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; 
sid:91236389; rev:1;) alert tcp $HOME_NET any -> [68.233.120.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236388; rev:1;) alert tcp $HOME_NET any -> [45.139.104.69] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236387; rev:1;) alert tcp $HOME_NET any -> [93.123.85.79] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236386; rev:1;) alert tcp $HOME_NET any -> [51.195.83.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236385; rev:1;) alert tcp $HOME_NET any -> [79.137.197.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236384; rev:1;) alert tcp $HOME_NET any -> [114.29.236.137] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236383; rev:1;) alert tcp $HOME_NET any -> [37.60.235.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236382; rev:1;) alert tcp $HOME_NET any -> [20.14.88.85] 8447 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236381; rev:1;) alert tcp $HOME_NET any -> [115.79.230.192] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236380; rev:1;) alert tcp $HOME_NET any -> [115.79.230.192] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236379; rev:1;) alert tcp $HOME_NET any -> [193.169.245.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236378; rev:1;) alert tcp $HOME_NET any -> [193.168.141.92] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236377; rev:1;) alert tcp $HOME_NET any -> [94.156.68.145] 7639 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236376; rev:1;) alert tcp $HOME_NET any -> [181.162.151.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236375; rev:1;) alert tcp $HOME_NET any -> [88.210.9.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236374; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev1.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236373/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omgs.asia"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236371; rev:1;) alert tcp $HOME_NET any -> [91.92.244.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev4.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236369; rev:1;) alert tcp $HOME_NET any -> [20.236.74.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236368; rev:1;) alert tcp $HOME_NET any -> [165.232.64.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236367; rev:1;) alert tcp $HOME_NET any -> [64.226.104.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236366; rev:1;) alert tcp $HOME_NET any -> [64.225.100.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-140-197-75.us-east-2.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236364; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236363; rev:1;) alert tcp $HOME_NET any -> [46.246.84.15] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236362; rev:1;) alert tcp $HOME_NET any -> [18.134.234.207] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236361; rev:1;) alert tcp $HOME_NET any -> [186.112.194.124] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236360; rev:1;) alert tcp $HOME_NET any -> [179.61.251.93] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236359; rev:1;) alert tcp $HOME_NET any -> [39.105.213.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236358; rev:1;) alert tcp $HOME_NET any -> [163.197.211.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236357; rev:1;) alert tcp $HOME_NET any -> [20.241.197.233] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236355/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236355; rev:1;) alert tcp $HOME_NET any -> [170.64.194.84] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236356/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236356; rev:1;)
# --- Reviewer notes on the three rule shapes used in this section (all first_seen 2024-02-02) ---
# ip:port rules ("alert tcp $HOME_NET any -> [ip] port"): there is no flow: keyword, so any TCP
#   packet from an internal host to that ip:port matches, a lone SYN with no reply included;
#   "threshold: type limit, track by_src, seconds 60, count 1" caps it at one alert per internal
#   source per minute, and target:src_ip tags the internal host as the victim. Single-IP IOCs on
#   shared or cloud hosting are re-assigned quickly - verify an entry is still live before blocking.
# domain rules: dns_query + content + depth:N + isdataat:!1,relative pin the exact query name, so
#   sub-domains do not match (okled.cc and www.okled.cc each carry their own rule below).
# url rules: http.host is pinned the same way, but http.uri carries depth:N with no isdataat, so
#   the URI is a case-insensitive prefix match ("/ca" also matches "/cart" and "/ca?x=1"). Only
#   GET is matched (http.method; content:"GET"), so a POST to the same path is not covered.
# confidence_level spans 50-100 here; treat the 50% entries (Havoc, BianLian, Deimos, Meduza,
#   mozi.m) as alert-only until confirmed locally.
# DarkComet - three of the four ports sit on the same host 187.135.240.152 (2222, 2095, 1801).
alert tcp $HOME_NET any -> [187.135.240.152] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236353; rev:1;)
alert tcp $HOME_NET any -> [187.135.149.169] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236354; rev:1;)
alert tcp $HOME_NET any -> [187.135.240.152] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236352; rev:1;)
alert tcp $HOME_NET any -> [187.135.240.152] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236351; rev:1;)
alert tcp $HOME_NET any -> [93.80.47.229] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236350; rev:1;)
# Cobalt Strike ip:port IOCs. 91.92.242.62 appears on three ports (8088, 8083, 8082) and the
# neighbouring 91.92.242.143 / 91.92.249.233 / 91.92.249.234 / 91.92.243.77 hosts are in the same /16,
# which suggests one operator's block; a per-prefix watch may be worth more than the single-IP rules.
alert tcp $HOME_NET any -> [91.92.242.62] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236349; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.62] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236348; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236346; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.62] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236347; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.143] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236345; rev:1;)
alert tcp $HOME_NET any -> [23.26.137.225] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236344; rev:1;)
alert tcp $HOME_NET any -> [154.221.17.44] 2999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236343; rev:1;)
alert tcp $HOME_NET any -> [201.68.220.236] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236342; rev:1;)
alert tcp $HOME_NET any -> [134.122.164.200] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236341; rev:1;)
alert tcp $HOME_NET any -> [207.180.224.247] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236340; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.221] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236338; rev:1;)
# Ports 80/443 below: with no flow/app-layer constraint, ordinary web browsing to a re-assigned
# address trips these just as a beacon would; the two rules on 74.48.84.59:23 and 154.9.252.97:2053
# are on ports that are rarely legitimate egress and are therefore the lower-noise ones.
alert tcp $HOME_NET any -> [123.57.174.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236339; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236337; rev:1;)
alert tcp $HOME_NET any -> [195.85.250.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236335; rev:1;)
alert tcp $HOME_NET any -> [74.48.84.59] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236336; rev:1;)
alert tcp $HOME_NET any -> [154.9.252.97] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236334; rev:1;)
# 34.143.208.146 also has a url rule (/ga.js) further down - the two are independent; if the
# ip:port one is too noisy, the url rule still covers the beacon path.
alert tcp $HOME_NET any -> [34.143.208.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236333; rev:1;)
alert tcp $HOME_NET any -> [1.94.11.140] 39443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236332; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236331; rev:1;)
alert tcp $HOME_NET any -> [172.233.25.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236330; rev:1;)
# NOTE(review): this is an EC2 auto-generated public hostname (the address 54.89.165.37 is encoded
# in the label). Such instances are presumably short-lived and the address re-issued to other
# tenants - re-validate before turning this into a block.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-89-165-37.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236329; rev:1;)
alert tcp $HOME_NET any -> [8.137.118.200] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236328; rev:1;)
# 121.41.4.196 is listed on 443 here and on 80 further down (sid 91236304).
alert tcp $HOME_NET any -> [121.41.4.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236327; rev:1;)
# Nanocore RAT - high, non-standard ports. technoblade.ddns.net is a dynamic-DNS name, so the
# resolved address may change between sightings; the domain rule is the durable one here.
alert tcp $HOME_NET any -> [89.149.23.88] 20427 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236324; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"technoblade.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236325; rev:1;)
alert tcp $HOME_NET any -> [39.32.193.156] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236323; rev:1;)
# Cobalt Strike on 38.46.13.118:10443 and 38.46.13.115:10443, plus a url rule on 38.46.13.114 - three
# adjacent addresses in one /24 with the same port; worth treating as a single cluster in triage.
alert tcp $HOME_NET any -> [38.46.13.118] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236323; rev:1;)
# url rules: host pinned to an IP literal, so a browser request carrying a hostname in the Host
# header for the same server would NOT match - only clients that address the server by IP do.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"101.34.251.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236322; rev:1;)
alert tcp $HOME_NET any -> [38.46.13.115] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236321; rev:1;)
# NOTE(review): /jquery-3.3.1.min.js, /dpixel, /pixel, /g.pixel, /ga.js, /push, /ca, /j.ad, /fwlink,
# /en-us/silentauth and /ie9compatviewlist.xml look like stock Cobalt Strike Malleable C2 profile
# paths (to be confirmed against the referenced IOC pages). The URI alone is benign-looking and
# is a prefix match; the pinned http.host is what gives these rules their specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.46.13.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.134.165.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.239.247.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236317; rev:1;)
alert tcp $HOME_NET any -> [43.143.130.124] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"3.22.66.152"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236314; rev:1;)
# NOTE(review): 50050 is the port the Cobalt Strike team server listens on for operator clients,
# not for beacons - a hit from $HOME_NET here is more likely an operator console than an implant.
alert tcp $HOME_NET any -> [42.193.248.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236313; rev:1;)
# okled.cc: the dns rule matches the apex only; www.okled.cc has its own dns rule two lines down,
# and the url rules pin each host form separately with the same /api/3 prefix.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okled.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"okled.cc"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.okled.cc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.okled.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236310; rev:1;)
# cdns.casacam.net: dns rule plus a url rule on /api/v1/login (sid 91236306).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdns.casacam.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236307; rev:1;)
alert tcp $HOME_NET any -> [104.168.158.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/login"; depth:13; nocase; http.host; content:"cdns.casacam.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236306; rev:1;)
# 20.56.70.245 appears here as a url rule (/fwlink) and below as a Cobalt Strike ip:port rule on
# 443 at 80% (sid 91236276). Note the url rule is host=IP literal, so it only fires for direct-IP requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"20.56.70.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236305; rev:1;)
alert tcp $HOME_NET any -> [121.41.4.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236304; rev:1;)
# NOTE(review): the host below is a per-tenant name under an API-gateway service domain; the
# gateway's IP is shared with other tenants, so only the dns/url rules (not an ip:port rule) are
# safe for this IOC - which is what the feed provides.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2kefhgzl-1316598603.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2kefhgzl-1316598603.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"34.143.208.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.142.170.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236300; rev:1;)
# 20.196.198.116 carries three url rules (/j.ad, /ga.js, /ca). "/ca" with depth:3 and no isdataat
# is the loosest prefix in this section - any URI starting with "/ca" on that host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236299; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.11] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236291; rev:1;)
# Get2 on 103.86.131.102:443 and 103.86.131.79:443 (sid 91236273 below) - same /24, both 80%.
alert tcp $HOME_NET any -> [103.86.131.102] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236295; rev:1;)
# NOTE(review): "Responder" and "Meterpreter" are offensive-tooling names rather than malware
# families, and 3790 is the default Metasploit Pro console port - these three (all 80%) may be
# pentest or lab infrastructure. Check against any authorised-engagement allow-list before escalating.
alert tcp $HOME_NET any -> [158.160.124.3] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236294; rev:1;)
alert tcp $HOME_NET any -> [54.227.145.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236293; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236292; rev:1;)
# 139.155.90.81: ip:port rule on 80 and a url rule on /push for the same host - expect both to
# fire on one beacon; de-duplicate on the sid pair downstream.
alert tcp $HOME_NET any -> [139.155.90.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236289; rev:1;)
# AsyncRAT on 80.79.7.197, ports 7707 / 8808 / 6606 - NOTE(review): this looks like the stock
# AsyncRAT port set, which would explain the 75% confidence (default-config sighting).
alert tcp $HOME_NET any -> [80.79.7.197] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236287; rev:1;)
alert tcp $HOME_NET any -> [80.79.7.197] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236288; rev:1;)
alert tcp $HOME_NET any -> [80.79.7.197] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236286; rev:1;)
# 50%-confidence block: Havoc, BianLian and Deimos, all on 80/443 with no flow constraint.
# These are the noisiest rules in this section - keep them alert-only and corroborate with TLS/JA3
# or HTTP evidence before acting.
alert tcp $HOME_NET any -> [172.105.62.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236285; rev:1;)
alert tcp $HOME_NET any -> [192.52.166.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236284; rev:1;)
alert tcp $HOME_NET any -> [54.199.117.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236283; rev:1;)
alert tcp $HOME_NET any -> [47.76.61.241] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236282; rev:1;)
alert tcp $HOME_NET any -> [38.62.230.181] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236281/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236281; rev:1;)
alert tcp $HOME_NET any -> [38.62.230.181] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236280/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236280; rev:1;)
alert tcp $HOME_NET any -> [5.161.225.160] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236279/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236279; rev:1;)
alert tcp $HOME_NET any -> [43.198.97.99] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236278; rev:1;)
alert tcp $HOME_NET any -> [84.201.141.119] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236277/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236277; rev:1;)
# "Unknown malware" on 443 at 95%: the family is not identified, so the msg gives an analyst
# nothing to pivot on - follow the reference URL for the submitter's context. Several of these
# share prefixes (45.155.121.x, 45.129.199.x, 185.123.53.x, 193.168.141.x, 5.230/5.231.x).
alert tcp $HOME_NET any -> [151.236.9.226] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236250/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236250; rev:1;)
alert tcp $HOME_NET any -> [185.123.53.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236252/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236252; rev:1;)
alert tcp $HOME_NET any -> [185.36.143.155] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236251/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236251; rev:1;)
alert tcp $HOME_NET any -> [45.155.121.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236248/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236248; rev:1;)
alert tcp $HOME_NET any -> [45.155.121.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236247/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236247; rev:1;)
alert tcp $HOME_NET any -> [85.239.34.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236249/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236249; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236244/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236244; rev:1;)
alert tcp $HOME_NET any -> [45.129.199.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236245/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236245; rev:1;)
alert tcp $HOME_NET any -> [45.155.120.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236246/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236246; rev:1;)
alert tcp $HOME_NET any -> [5.230.41.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236243/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236243; rev:1;)
# RedLine Stealer on a high port - low-noise rule; 147.45.40.196 (Meduza, 50%) below is in the
# same /16 as this host.
alert tcp $HOME_NET any -> [147.45.45.81] 30063 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236221; rev:1;)
alert tcp $HOME_NET any -> [193.168.141.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236253/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236253; rev:1;)
alert tcp $HOME_NET any -> [193.168.141.104] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236254/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236254; rev:1;)
alert tcp $HOME_NET any -> [213.232.235.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236255/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236255; rev:1;)
# NjRAT on port 11264 across 18.228.115.60, 18.231.93.153 and 54.94.248.37 (three hosts, one port,
# all 75%) - one controller moving between cloud instances is the simplest reading; the port is
# the stable pivot if more hosts appear.
alert tcp $HOME_NET any -> [18.228.115.60] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236269; rev:1;)
alert tcp $HOME_NET any -> [18.231.93.153] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236270; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.158] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236265; rev:1;)
alert tcp $HOME_NET any -> [54.94.248.37] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236268; rev:1;)
alert tcp $HOME_NET any -> [5.230.42.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236256; rev:1;)
alert tcp $HOME_NET any -> [91.235.234.194] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236257/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236257; rev:1;)
alert tcp $HOME_NET any -> [185.123.53.150] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236258; rev:1;)
alert tcp $HOME_NET any -> [5.231.0.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236259/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236259; rev:1;)
alert tcp $HOME_NET any -> [194.110.247.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236260/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236260; rev:1;)
# 20.56.70.245:443 (80%) - same host as the /fwlink url rule above (sid 91236305).
alert tcp $HOME_NET any -> [20.56.70.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236276/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236276; rev:1;)
alert tcp $HOME_NET any -> [129.159.134.19] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236275; rev:1;)
alert tcp $HOME_NET any -> [31.210.173.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236274; rev:1;)
alert tcp $HOME_NET any -> [103.86.131.79] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236273; rev:1;)
alert tcp $HOME_NET any -> [47.115.225.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236272; rev:1;)
# A 92-byte, highly specific URI: depth:92 matches the whole path, so this is effectively an exact
# path match (query strings after it still pass, as with every url rule in the section).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temporary/sql6js8/wordpress3/7sqlasync/8/publicmariadb/central/to_serverasyncpublictemp.php"; depth:92; nocase; http.host; content:"185.87.199.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236271; rev:1;)
alert tcp $HOME_NET any -> [185.243.115.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236266; rev:1;)
alert tcp $HOME_NET any -> [147.45.40.196] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236264; rev:1;)
# Payload-delivery rule (msg differs from the C2 rules) at 50%: a GET for /mozi.m by IP literal.
# classtype is still trojan-activity; if you route payload-delivery alerts differently, key on the
# msg text or the IOC id rather than classtype.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.124.119.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/1/3secure/packet/gameflowerflowerpacket/local/generatoruniversal/asynclinesqlwindows/7javascripthttp/db57/track1python1/requestdatalifeexternal/packet4dbproton/providervm/testwindowstest/5javascriptwindows/pipe02public/processor/1securejavascript9/packetwp.php"; depth:261; nocase; http.host; content:"77.222.54.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236262; rev:1;) alert tcp $HOME_NET any -> [100.21.141.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236261/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236261; rev:1;) alert tcp $HOME_NET any -> [47.242.111.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236242; rev:1;) alert tcp $HOME_NET any -> [136.244.78.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236241; rev:1;) alert tcp $HOME_NET any -> [176.124.199.126] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236240; rev:1;) alert tcp $HOME_NET any -> [91.151.93.75] 9443 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236239; rev:1;) alert tcp $HOME_NET any -> [182.254.140.58] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236238; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236237; rev:1;) alert tcp $HOME_NET any -> [47.76.56.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/make/apache/t0ztsfr9u"; depth:22; nocase; http.host; content:"waltonfoods.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dpixel"; depth:7; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236234; rev:1;) alert tcp $HOME_NET any -> [45.15.156.209] 40481 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236233; rev:1;) alert tcp $HOME_NET any -> [45.139.104.69] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236232/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236232; rev:1;) alert tcp $HOME_NET any -> [94.156.65.19] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236231/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236231; rev:1;) alert tcp $HOME_NET any -> [38.12.28.242] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236230; rev:1;) alert tcp $HOME_NET any -> [2.56.109.134] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236229; rev:1;) alert tcp $HOME_NET any -> [74.12.146.248] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236228; rev:1;) alert tcp $HOME_NET any -> [194.219.192.97] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236227; rev:1;) alert tcp $HOME_NET any -> [18.188.25.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236226; rev:1;) alert tcp $HOME_NET any -> [164.92.180.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236225; rev:1;) alert tcp $HOME_NET any -> [103.116.248.171] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236224; rev:1;) alert tcp $HOME_NET any -> [165.232.64.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
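threatfox.abuse.ch/ioc/1236223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236223; rev:1;)
# NOTE(review): the ip:port rules below carry no flow keyword, so the first packet a
# $HOME_NET host sends toward the listed IP:port (the SYN) already alerts; the
# threshold (limit, by_src, 60 s, count 1) then suppresses repeats from that source.
# Rules are kept one per line here - Suricata parses a rule per line.
alert tcp $HOME_NET any -> [146.190.126.61] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236222; rev:1;)
alert tcp $HOME_NET any -> [85.208.109.15] 9966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236220; rev:1;)
alert tcp $HOME_NET any -> [147.124.207.124] 24624 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236219; rev:1;)
alert tcp $HOME_NET any -> [54.94.248.37] 12136 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236030/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236030; rev:1;)
# NOTE(review): 0.tcp.sa.ngrok.io is ngrok's shared TCP-tunnel endpoint for its "sa" region,
# not attacker-owned infrastructure; any legitimate ngrok use in that region resolves the
# same name, so expect false positives (confidence is only 75%). Tunnel IP:port pairs are
# reassigned between tenants, so ip:port rules that point at a tunnel endpoint rot quickly
# (the 54.94.248.37 NjRAT entries on ports 11264 and 12136 may be this tunnel - verify).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"0.tcp.sa.ngrok.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 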
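(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pjnbadfjandkadm3kd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236214; rev:1;)
# FIX(review): the generator placed the host part of URL IOC 1236215 into http.uri. The
# normalised request URI starts with "/" and does not carry the host name, so the original
# match ("pjnbadfjandkadm3kd.com" at depth:22 in http.uri) could not fire on ordinary
# (non-proxy) requests. Match the Host header instead, in the same shape the other url
# rules in this feed use (http.host + depth + isdataat:!1,relative); rev bumped to 2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"pjnbadfjandkadm3kd.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236215; rev:2;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qcpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelongpollapiprotectdefaultlinuxflowerprivate.php"; depth:53; nocase; http.host; content:"369023cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236218; rev:1;)
# NOTE(review): 50050 is the default Cobalt Strike team-server (operator) port, so this
# presumably flags an operator client connecting out of $HOME_NET rather than a beacon
# check-in - still worth alerting on, but triage it as such.
alert tcp $HOME_NET any -> [124.221.151.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236217/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236217; rev:1;)
alert tcp 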
$HOME_NET any -> [103.191.15.137] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236213/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236213; rev:1;) alert tcp $HOME_NET any -> [5.181.156.118] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsecureupdatelongpollmultiprotecttestlocaldownloads.php"; depth:58; nocase; http.host; content:"681428cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236211; rev:1;) alert tcp $HOME_NET any -> [84.155.4.131] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236210; rev:1;) alert tcp $HOME_NET any -> [2.50.137.98] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236209; rev:1;) alert tcp $HOME_NET any -> [81.213.221.120] 443 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236208; rev:1;) alert tcp $HOME_NET any -> [45.58.52.17] 9090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236207; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 18336 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236206; rev:1;) alert tcp $HOME_NET any -> [38.62.236.152] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236205; rev:1;) alert tcp $HOME_NET any -> [102.134.252.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236204; rev:1;) alert tcp $HOME_NET any -> [154.41.253.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236202; rev:1;) alert tcp $HOME_NET any -> [18.184.153.186] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236201; rev:1;) alert tcp $HOME_NET any -> [45.142.100.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236200; rev:1;) alert tcp $HOME_NET any -> [146.190.32.94] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236199; rev:1;) alert tcp $HOME_NET any -> [87.254.230.24] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236198; rev:1;) alert tcp $HOME_NET any -> [139.162.173.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236197; rev:1;) alert tcp $HOME_NET any -> [120.26.3.31] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sts.drivevvyze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236195; rev:1;) alert tcp $HOME_NET any -> [182.92.209.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236194; rev:1;) alert tcp $HOME_NET any -> [47.108.153.169] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236193; rev:1;) alert tcp $HOME_NET any -> [47.115.228.149] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236192; rev:1;) alert tcp $HOME_NET any -> [8.130.80.37] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236191; rev:1;) alert tcp $HOME_NET any -> [8.130.123.192] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236190; rev:1;) alert tcp $HOME_NET any -> [8.130.86.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236188; rev:1;) alert tcp $HOME_NET any -> [203.9.150.113] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236189; rev:1;) alert tcp $HOME_NET any -> [121.42.9.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236187; rev:1;) alert tcp $HOME_NET any -> [16.62.149.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236186; rev:1;) alert tcp $HOME_NET any -> [5.42.64.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panitor.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.doobiefly.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236183; rev:1;) alert tcp $HOME_NET any -> [45.118.146.123] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.3psil0n.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236181; rev:1;) alert tcp $HOME_NET any -> [91.92.249.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236180; rev:1;) alert tcp $HOME_NET any -> [91.92.249.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236179; rev:1;) alert tcp $HOME_NET any -> [94.156.144.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236178; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 8880 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236177; rev:1;) alert tcp $HOME_NET any -> [134.195.90.8] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rss-bridge.emkd.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236174; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
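by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236175; rev:1;)
# NOTE(review): an EC2 public DNS name is tied to the instance's public IP, which is
# released and reassigned when the instance stops unless it is an Elastic IP, so this
# indicator is short-lived; re-check it before relying on the 100% confidence for long.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-206-164-202.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236173; rev:1;)
# NOTE(review): depth:7 plus isdataat:!1,relative make this an exact match on the apex
# name only; rss-bridge.emkd.ru is covered by its own rule (sid 91236174) and no other
# subdomain of emkd.ru will match. Keep that in mind when tuning rather than widening it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emkd.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236172; rev:1;)
alert tcp $HOME_NET any -> [211.24.117.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236171; rev:1;)
alert tcp $HOME_NET any -> [45.147.250.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236170; rev:1;)
# NOTE(review): this and the following Quasar RAT rules all point at 197.225.117.157,
# one rule per port, and several of those ports are well-known service ports (102, 465,
# 2222, 5432, 6667, 8000). That spread reads like the host's open-port list rather than
# confirmed Quasar listeners - verify against the ThreatFox entries; if the intent is
# "any connection to this host", a single rule with port any is simpler and less brittle.
alert tcp $HOME_NET any -> [197.225.117.157] 33920 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 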
classtype:trojan-activity; sid:91236168; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 45118 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236169; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 465 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236167; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 102 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236166; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 12078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236165; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6667 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236163; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236164; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5220 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236162; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2079 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236160; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236161; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4840 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236159; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236158; rev:1;) alert tcp 
$HOME_NET any -> [197.225.117.157] 48148 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236157; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 52200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236155; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 16993 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236156; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 43014 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236154; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5432 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236152; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 63842 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236153; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 110 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236151; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 60000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236149; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 64611 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236150; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50956 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236148; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 45910 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236147; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5672 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236145; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236146; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 64374 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236144; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236143; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5307 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236142; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 20547 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236140/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236140; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 51376 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236141; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236139; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 16196 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236138; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 11467 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236137; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2380 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236135; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236136; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2096 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236134; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 49451 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236133; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6699 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236132; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 9042 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236130; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6697 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236131; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6002 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236129; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 27199 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236127; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 31763 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236128; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 24663 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236126; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6006 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236125; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236123; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2701 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236124; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6513 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236122; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8010 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236121; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 37215 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236119; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5903 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236120; rev:1;) alert tcp 
$HOME_NET any -> [197.225.117.157] 36043 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236118; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 28139 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236117; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50580 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236115; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 46207 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236116; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 40329 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236114; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236112; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 61616 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236113; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236111; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236110; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 9000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236108; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18029 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236109; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6362 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236107; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2762 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236105; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5902 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236106; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 1521 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236104; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2761 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236103; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 40000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236101/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236101; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236102; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236100; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5900 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236098; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6008 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236099; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 1200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236097; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 1080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236096; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 10443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236094; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18049 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236095; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236093; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2323 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236091; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4887 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236092; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 10258 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236090; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 57983 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236088; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236089; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 52219 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236087; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236086; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2095 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236084; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4369 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236085; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 40846 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236083; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 27017 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236082; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236080; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 7170 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236081; rev:1;) alert tcp 
$HOME_NET any -> [197.225.117.157] 3390 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236079; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 44332 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236077; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 104 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236078; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6597 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236076; rev:1;) alert tcp $HOME_NET any -> [191.82.244.204] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236075; rev:1;) alert tcp $HOME_NET any -> [91.92.247.180] 57420 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236074; rev:1;) alert tcp $HOME_NET any -> [5.42.67.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236073; rev:1;) alert tcp $HOME_NET any -> [42.96.11.30] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236072; rev:1;) alert tcp $HOME_NET any -> [172.94.4.158] 8088 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236071; rev:1;) alert tcp $HOME_NET any -> [176.103.52.51] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236070; rev:1;) alert tcp $HOME_NET any -> [178.73.192.6] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236069; rev:1;) alert tcp $HOME_NET any -> [142.171.213.30] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236068; rev:1;) alert tcp $HOME_NET any -> [38.147.189.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236067; rev:1;) alert tcp $HOME_NET any -> [34.162.103.107] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236066/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_01; classtype:trojan-activity; sid:91236066; rev:1;) alert tcp $HOME_NET any -> [212.73.150.182] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236065/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_01; classtype:trojan-activity; sid:91236065; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236064; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 1765 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236063; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236061; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236062; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236060; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236058; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236059; rev:1;) alert tcp $HOME_NET any -> [221.159.15.231] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236057; rev:1;) alert tcp $HOME_NET any -> [124.70.140.36] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236055; rev:1;) alert tcp $HOME_NET any -> [121.36.198.30] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236056; rev:1;) alert tcp $HOME_NET any -> [193.29.56.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236053; rev:1;) alert tcp $HOME_NET any -> [192.151.243.135] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236054; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236052; rev:1;) alert tcp $HOME_NET 
any -> [172.105.48.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236051; rev:1;) alert tcp $HOME_NET any -> [34.170.254.228] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236050; rev:1;) alert tcp $HOME_NET any -> [34.170.254.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236048; rev:1;) alert tcp $HOME_NET any -> [34.170.254.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236049; rev:1;) alert tcp $HOME_NET any -> [1.117.60.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236047; rev:1;) alert tcp $HOME_NET any -> [149.104.27.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236046; rev:1;) alert tcp $HOME_NET any -> [107.150.5.191] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236044; rev:1;) alert tcp $HOME_NET any -> [192.210.186.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236045; rev:1;) alert tcp $HOME_NET any -> [47.236.108.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236043; rev:1;) alert tcp $HOME_NET any -> [47.109.74.65] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236042; rev:1;) alert tcp $HOME_NET any -> [47.95.31.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236041; rev:1;) alert tcp $HOME_NET any -> [59.110.47.212] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236039; rev:1;) alert tcp $HOME_NET any -> [152.136.100.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236040; rev:1;) alert tcp $HOME_NET any -> [20.171.192.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236038; rev:1;) alert tcp $HOME_NET any -> [205.185.118.120] 1200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236037; rev:1;) alert tcp $HOME_NET any -> [23.224.81.191] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236036; rev:1;) alert tcp $HOME_NET any -> [81.70.79.31] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236035/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236035; rev:1;) alert tcp $HOME_NET any -> [185.91.127.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236033; rev:1;) alert tcp $HOME_NET any -> [43.248.189.11] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236034; rev:1;) alert tcp $HOME_NET any -> [117.50.185.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236032; rev:1;) alert tcp $HOME_NET any -> [103.86.131.103] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"124.70.140.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236028; rev:1;) alert tcp $HOME_NET any -> 
[185.222.57.87] 4505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236025; rev:1;) alert tcp $HOME_NET any -> [5.75.215.113] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236015; rev:1;) alert tcp $HOME_NET any -> [4.246.234.87] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236014/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_01; classtype:trojan-activity; sid:91236014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cnn/cnnx/qwerty/stream_hdt/1/cnnxlive1_6.bootstrap"; depth:51; nocase; http.host; content:"20.42.56.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236013; rev:1;) alert tcp $HOME_NET any -> [93.123.85.91] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236010; rev:1;) alert tcp $HOME_NET any -> [93.123.85.91] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236011; rev:1;) alert tcp $HOME_NET any -> [41.216.183.193] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236012; rev:1;) alert tcp $HOME_NET any -> [172.111.10.14] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236006; rev:1;) alert tcp $HOME_NET any -> [172.111.10.14] 9621 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236007; rev:1;) alert tcp $HOME_NET any -> [94.156.71.208] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236008; rev:1;) alert tcp $HOME_NET any -> [94.156.71.208] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f1aba1fe.php"; depth:13; nocase; http.host; content:"self-lighting-subpr.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail830071003.mywebspace.zone"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1235996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail838727492.mywebspace.zone"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1235997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rinababyshop.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1235998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"li334-138.members.linode.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1235999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"novaesolution.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1236000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"umzug-logistic.de"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1236001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"database.umzug-logistic.de"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1236002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail.tezcaniletisim.com.tr"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1236004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tezcaniletisim.com.tr"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1236003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236003; rev:1;) alert tcp $HOME_NET any -> [51.222.51.154] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235945; rev:1;) alert tcp $HOME_NET any -> [51.222.51.155] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235946; rev:1;) alert tcp $HOME_NET any -> [51.222.51.156] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235947; rev:1;) alert tcp $HOME_NET any -> [51.222.51.152] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235943; rev:1;) alert tcp $HOME_NET any -> [51.222.51.153] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235944; rev:1;) alert tcp $HOME_NET any -> [51.222.51.149] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235940; rev:1;) alert tcp $HOME_NET any -> [51.222.51.150] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235941; rev:1;) alert tcp $HOME_NET any -> [51.222.51.151] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235942; rev:1;) alert tcp $HOME_NET any -> [51.222.51.146] 8100 
(msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235937; rev:1;) alert tcp $HOME_NET any -> [51.222.51.147] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235938; rev:1;) alert tcp $HOME_NET any -> [51.222.51.148] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235939; rev:1;) alert tcp $HOME_NET any -> [51.222.51.145] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235936; rev:1;) alert tcp $HOME_NET any -> [37.187.1.37] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235935; rev:1;) alert tcp $HOME_NET any -> [51.222.51.157] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235948/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235948; rev:1;) alert tcp $HOME_NET any -> [51.222.51.158] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235949; rev:1;) alert tcp $HOME_NET any -> [167.114.173.191] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235950; rev:1;) alert tcp $HOME_NET any -> [198.50.214.209] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235951; rev:1;) alert tcp $HOME_NET any -> [198.50.214.210] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235952; rev:1;) alert tcp $HOME_NET any -> [198.50.214.212] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235954; rev:1;) alert tcp $HOME_NET any -> [198.50.214.211] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235953; rev:1;) alert tcp $HOME_NET any -> [198.50.214.213] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235955; rev:1;) alert tcp $HOME_NET any -> [198.50.214.214] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235956; rev:1;) alert tcp $HOME_NET any -> [198.50.214.215] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235957; rev:1;) alert tcp $HOME_NET any -> [198.50.214.216] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235958; rev:1;) alert tcp $HOME_NET any -> [198.50.214.217] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91235959; rev:1;) alert tcp $HOME_NET any -> [198.50.214.218] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235960; rev:1;) alert tcp $HOME_NET any -> [198.50.214.219] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235961; rev:1;) alert tcp $HOME_NET any -> [198.50.214.220] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235962; rev:1;) alert tcp $HOME_NET any -> [198.50.214.221] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235963; rev:1;) alert tcp $HOME_NET any -> [198.50.214.222] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235964; rev:1;) alert tcp $HOME_NET any -> [138.197.150.104] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235966; rev:1;) alert tcp $HOME_NET any -> [159.203.48.121] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235968; rev:1;) alert tcp $HOME_NET any -> [104.248.54.93] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235967; rev:1;) alert tcp $HOME_NET any -> [159.203.3.76] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235969; rev:1;) alert tcp $HOME_NET any -> [87.106.251.121] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235970; rev:1;) alert tcp $HOME_NET any -> [212.227.141.35] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235971; rev:1;) alert tcp $HOME_NET any -> 
[45.76.179.15] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235972; rev:1;) alert tcp $HOME_NET any -> [45.77.45.237] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235973; rev:1;) alert tcp $HOME_NET any -> [207.148.89.210] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235974; rev:1;) alert tcp $HOME_NET any -> [190.96.113.171] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235975; rev:1;) alert tcp $HOME_NET any -> [190.96.113.173] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235976; rev:1;) alert tcp $HOME_NET any -> [190.96.113.174] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235977/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235977; rev:1;) alert tcp $HOME_NET any -> [190.92.148.174] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235978; rev:1;) alert tcp $HOME_NET any -> [96.126.101.138] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235980; rev:1;) alert tcp $HOME_NET any -> [190.92.148.73] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235979; rev:1;) alert tcp $HOME_NET any -> [218.158.186.176] 18888 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235981; rev:1;) alert tcp $HOME_NET any -> [222.107.255.119] 18888 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235982; rev:1;) alert tcp $HOME_NET any -> [13.79.72.214] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235983; rev:1;) alert tcp $HOME_NET any -> [20.124.237.208] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235984; rev:1;) alert tcp $HOME_NET any -> [5.11.183.214] 1080 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235985; rev:1;) alert tcp $HOME_NET any -> [202.158.36.51] 2134 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235988; rev:1;) alert tcp $HOME_NET any -> [188.59.3.0] 30150 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235986; rev:1;) alert tcp $HOME_NET any -> [68.178.148.35] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91235987; rev:1;) alert tcp $HOME_NET any -> [45.146.252.6] 2687 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235989; rev:1;) alert tcp $HOME_NET any -> [202.169.44.105] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235990; rev:1;) alert tcp $HOME_NET any -> [117.200.78.4] 8080 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235991; rev:1;) alert tcp $HOME_NET any -> [185.78.165.105] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235992; rev:1;) alert tcp $HOME_NET any -> [13.208.144.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235995; rev:1;) alert tcp $HOME_NET any -> [103.86.131.78] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sjyey.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"babonwo.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geoasync7/6traffic/asynchttp5multi/3/wordpressimagewordpressprivate/1update/request/4/pollvmlineproton/eternal/phpphp/eternalpythonsecurecpulongpolldefaultlinuxflowergeneratordatalife.php"; depth:188; nocase; http.host; content:"5.35.80.183"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235932; rev:1;) alert tcp $HOME_NET any -> [91.92.249.69] 3609 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235931/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_01; classtype:trojan-activity; sid:91235931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"harold.jetos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235930; rev:1;) alert tcp $HOME_NET any -> [139.28.36.84] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235929; rev:1;) alert tcp $HOME_NET any -> [65.108.24.114] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghf3fkdw/post.php"; depth:18; nocase; http.host; content:"81.19.140.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235927; rev:1;) alert tcp $HOME_NET any -> [47.99.98.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91235926; rev:1;) alert tcp $HOME_NET any -> [41.227.202.142] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235925; rev:1;) alert tcp $HOME_NET any -> [72.27.102.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235924; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235912; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzitziklishop3.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mozi.m"; depth:7; nocase; http.host; content:"125.41.0.91"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiund98272sb01jshbq.con-ip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235922; rev:1;) alert tcp $HOME_NET any -> [91.92.254.42] 6548 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235921; rev:1;) alert tcp $HOME_NET any -> [51.81.69.127] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235919; rev:1;) alert tcp $HOME_NET any -> [191.233.28.7] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpdsj3d4m/index.php"; depth:20; nocase; http.host; content:"51.81.69.127"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235917; rev:1;) alert tcp $HOME_NET any -> [81.214.129.138] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235916/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235916; rev:1;) alert tcp $HOME_NET any -> [45.195.76.82] 9966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235914; rev:1;) alert tcp $HOME_NET any -> [3.22.66.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235913/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235913; rev:1;) alert tcp $HOME_NET any -> [3.142.81.166] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235911; rev:1;) alert tcp $HOME_NET any -> [3.19.130.43] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235910; rev:1;) alert tcp $HOME_NET any -> [3.142.167.54] 12738 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235909; rev:1;) alert tcp $HOME_NET any -> [13.58.157.220] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235908; rev:1;) alert tcp $HOME_NET any -> [103.86.131.107] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235907; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atedhilarlymcken.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eriegentsfsepara.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235894/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lacycuratedhila.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"licncesispervicear.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lymckensecuryre.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naightdecipientc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"normaticalacycurat.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nscormationw.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petropicalnorma.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yclearneriegen.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235902; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 11797 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spain-se-lab.eastus.cloudapp.azure.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235888; rev:1;) alert tcp $HOME_NET any -> [20.42.56.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redflagssecurity.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.redflagssecurity.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235886; rev:1;) alert tcp $HOME_NET any -> [141.98.7.15] 1985 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bots.gxz.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235885; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235875/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235875; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235876; rev:1;) alert tcp $HOME_NET any -> [105.96.242.45] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235905/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235905; rev:1;) alert tcp $HOME_NET any -> [103.86.131.69] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235903; rev:1;) alert tcp $HOME_NET any -> [101.34.251.178] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longpolltrack.php"; depth:18; nocase; http.host; content:"718710cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235890; rev:1;) alert tcp $HOME_NET any -> [38.46.13.114] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235884; rev:1;) alert tcp $HOME_NET any -> [102.113.185.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235882; rev:1;) alert tcp $HOME_NET any -> [141.136.44.219] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235881; rev:1;) alert tcp $HOME_NET any -> [98.186.108.222] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235880; rev:1;) alert tcp $HOME_NET any -> [5.75.211.130] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235878; rev:1;) alert tcp $HOME_NET any -> [159.223.64.235] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235877; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235874; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsquery-3.3.1.min.js"; depth:21; nocase; http.host; content:"192.243.102.171"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1235872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235872; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235871; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235870; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.networkspacer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waltonfoods.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.waltonfoods.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.globalusa.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"globalusa.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asb-help-assistance.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkspacer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennahammond.autos"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kennahammond.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kayleycuevas.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kayleycuevas.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.reidkelley.autos"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cademoses.autos"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235855/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.madisonbartlett.autos"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cademoses.autos"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reidkelley.autos"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzwibxun.jimmychunglin.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madisonbartlett.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/doomday.zip"; depth:22; nocase; http.host; content:"5.181.159.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235849; rev:1;) alert tcp $HOME_NET any -> [5.181.159.49] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/91c007b5.php"; depth:13; nocase; http.host; content:"185.185.68.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"209.126.102.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"followcache.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_cache.js"; depth:12; nocase; http.host; content:"followcache.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"152.89.218.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blessingjumarou1ubk01.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blessingjumarou1ubk01.duckdns.org"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235823; rev:1;) alert tcp $HOME_NET any -> [104.243.242.194] 39841 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brodbeckconsulting.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/filmcensurernes.png"; depth:31; nocase; http.host; content:"brodbeckconsulting.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235826/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"159.253.214.149"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1235743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.91.45.248"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.79.99.120"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"67.205.139.23"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"183.90.230.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235747/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_31; classtype:trojan-activity; sid:91235747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"162.19.24.166"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.210.137.149"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1235749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.82.120.47"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235750; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.66.9.215"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235741; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"128.199.66.118"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1235742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.69.162.32"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.132.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.241.48.106"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.176.58.32"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235738; rev:1;) alert tcp $HOME_NET any -> [38.180.60.31] 80 (msg:"ThreatFox DarkGate 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.d-n-s.name"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235828/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"areekaweb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clickcom.click"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clicko.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ehangmun.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"entraide-internationale.fr"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"line-api.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"miltonhouse.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secure-cama.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"symantke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235837; rev:1;) alert tcp $HOME_NET any -> [206.188.196.44] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235827; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235821; rev:1;) alert tcp $HOME_NET any -> [154.53.160.71] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235820; rev:1;) alert tcp $HOME_NET any -> [34.193.15.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235819; rev:1;) alert tcp $HOME_NET any -> [3.208.237.246] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235818; rev:1;) alert tcp $HOME_NET any -> [154.8.138.27] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drivevvyze.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaccount.deenpel.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235815; rev:1;) alert tcp $HOME_NET any -> [47.109.136.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235814; rev:1;) alert tcp $HOME_NET any -> [211.97.157.183] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235813; rev:1;) alert tcp $HOME_NET any -> [124.223.56.72] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235812; 
rev:1;) alert tcp $HOME_NET any -> [43.138.110.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23.105.197.219.16clouds.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235811; rev:1;) alert tcp $HOME_NET any -> [123.249.86.77] 8089 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235809; rev:1;) alert tcp $HOME_NET any -> [51.195.83.136] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235808; rev:1;) alert tcp $HOME_NET any -> [51.195.83.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235807; rev:1;) alert tcp $HOME_NET any -> [147.45.40.99] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235806; rev:1;) alert tcp $HOME_NET any -> [45.93.251.166] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235805; rev:1;) alert tcp $HOME_NET any -> [81.28.6.17] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235804; rev:1;) alert tcp $HOME_NET any -> [193.233.254.10] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235803; rev:1;) alert tcp $HOME_NET any -> [95.181.151.118] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235801; rev:1;) alert tcp $HOME_NET any -> [69.87.216.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235802; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 49152 (msg:"ThreatFox Venom 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235799; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 81 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235800; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 31193 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235798; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 16714 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235797; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235796; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235795/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_31; classtype:trojan-activity; sid:91235795; rev:1;) alert tcp $HOME_NET any -> [79.137.226.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgad.emkd.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235794; rev:1;) alert tcp $HOME_NET any -> [46.4.80.247] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev1.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nl1.nextpg.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235790; rev:1;) alert tcp $HOME_NET any -> [188.119.112.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235789; rev:1;) alert tcp $HOME_NET any -> [193.233.254.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235788; rev:1;) alert tcp $HOME_NET any -> [89.148.24.117] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235787; rev:1;) alert tcp $HOME_NET any -> [34.32.55.86] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235786/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_31; classtype:trojan-activity; sid:91235786; rev:1;) alert tcp $HOME_NET any -> [44.219.14.139] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235785/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_31; classtype:trojan-activity; sid:91235785; rev:1;) alert tcp $HOME_NET any -> [187.135.130.228] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235784; rev:1;) alert 
tcp $HOME_NET any -> [187.135.130.228] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235783; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2295 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235782; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235781; rev:1;) alert tcp $HOME_NET any -> [43.128.203.170] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235780; rev:1;) alert tcp $HOME_NET any -> [47.99.93.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235778; rev:1;) alert tcp $HOME_NET any -> [136.244.98.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235779; rev:1;) alert tcp $HOME_NET any -> [154.12.85.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235777; rev:1;) alert tcp $HOME_NET any -> [124.222.19.248] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235776; rev:1;) alert tcp $HOME_NET any -> [47.93.98.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"209.lan-za2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baselocal/73updategame/external06temporary/processor/universal/eternalgeomultiasynctestuniversalwptempcdncentral.php"; depth:117; nocase; http.host; content:"77.91.124.159"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"110.40.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"217.194.133.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.113.216.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"31.41.244.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"110.40.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"31.41.244.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235764; rev:1;) alert tcp $HOME_NET any -> [139.59.238.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/v9.32/omdf83jf6h"; depth:21; nocase; http.host; content:"139.59.238.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235762; rev:1;) alert tcp $HOME_NET any -> [119.161.100.84] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235761; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235753; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235752; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"css2.officeserver.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235735; rev:1;) alert tcp $HOME_NET any -> [20.170.42.196] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235736; rev:1;) alert tcp $HOME_NET any -> [8.212.183.173] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.unitedromtech.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235733; rev:1;) 
alert tcp $HOME_NET any -> [78.46.135.92] 1575 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235732; rev:1;) alert tcp $HOME_NET any -> [172.96.14.67] 9785 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235731; rev:1;) alert tcp $HOME_NET any -> [172.96.14.30] 6871 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"1.13.17.173"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.155.0.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; 
http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"115.29.171.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"service-dlrbbup7-1309697666.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235719/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ibmxwork.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.ibmxwork.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; 
content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.204.135.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235712; rev:1;) alert tcp $HOME_NET any -> [47.99.54.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235711; rev:1;) alert tcp $HOME_NET any -> [103.86.130.79] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235710; rev:1;) alert tcp $HOME_NET any -> [115.243.250.34] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235709; rev:1;) alert tcp $HOME_NET any -> [185.38.142.22] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235701; rev:1;) alert tcp $HOME_NET any -> [45.140.146.208] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235708; rev:1;) alert tcp $HOME_NET any -> [172.94.32.33] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235707; rev:1;) alert tcp $HOME_NET any -> [172.94.32.33] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235706; rev:1;) alert tcp $HOME_NET any -> [172.94.32.33] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235705; rev:1;) alert tcp $HOME_NET 
any -> [172.94.32.33] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235704; rev:1;) alert tcp $HOME_NET any -> [124.70.140.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsprotectdefaultwpcdn.php"; depth:26; nocase; http.host; content:"193.187.172.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235702; rev:1;) alert tcp $HOME_NET any -> [5.42.64.45] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235691; rev:1;) alert tcp $HOME_NET any -> [95.214.52.175] 13735 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235690; rev:1;) alert tcp $HOME_NET any -> [20.215.193.147] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235700; rev:1;) alert tcp $HOME_NET any -> [38.6.177.93] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235699; rev:1;) alert tcp $HOME_NET any -> [34.244.129.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235698; rev:1;) alert tcp $HOME_NET any -> [185.49.70.105] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235697; rev:1;) alert tcp $HOME_NET any -> [149.248.21.89] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235696; rev:1;) alert tcp $HOME_NET any -> [5.188.86.214] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235695; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235694; rev:1;) alert tcp $HOME_NET any -> [217.194.133.68] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235693; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2067 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfreshbnrem.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mfreshbnrem.ddns.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235679; rev:1;) alert tcp $HOME_NET any -> 
[192.177.111.126] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235680; rev:1;) alert tcp $HOME_NET any -> [89.213.142.199] 28189 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235689; rev:1;) alert tcp $HOME_NET any -> [45.137.148.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235688; rev:1;) alert tcp $HOME_NET any -> [86.190.166.133] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235687; rev:1;) alert tcp $HOME_NET any -> [72.27.36.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235686; rev:1;) alert tcp $HOME_NET any -> [189.140.22.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235685/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235685; rev:1;) alert tcp $HOME_NET any -> [62.15.128.250] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235684; rev:1;) alert tcp $HOME_NET any -> [154.247.28.232] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235683; rev:1;) alert tcp $HOME_NET any -> [5.42.64.4] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updategovua/upd/downloads/words.exe"; depth:36; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235681; rev:1;) alert tcp $HOME_NET any -> [65.21.212.85] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235677; rev:1;) alert tcp $HOME_NET any -> 
[3.67.112.102] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235675; rev:1;) alert tcp $HOME_NET any -> [138.124.183.37] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235676; rev:1;) alert tcp $HOME_NET any -> [94.156.65.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpdsj3d4m/index.php"; depth:20; nocase; http.host; content:"5.42.64.4"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nationalistvetecanve.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gemcreedarticulateod.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"secretionsuitcasenioise.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilityarrangemenyit.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimconcessionrebe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; 
depth:4; nocase; http.host; content:"modestessayevenmilwek.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"triangleseasonbenchwj.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"culturesketchfinanciall.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofahuntingslidedine.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235664; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235663; rev:1;) 
alert tcp $HOME_NET any -> [3.67.161.133] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235662; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235661; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235660; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235659; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235658; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235657/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235560; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; 
content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235586/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
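content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235596; rev:1;)
# NOTE(review): sids 91235597-91235602 below carry exactly the same detection
# (GET /order/tuc2..tuc7.exe with Host: sell.spartabig.com, same depths and anchoring)
# as sids 91235591-91235596 earlier in this feed; apart from sid and ThreatFox
# reference id nothing differs. Left active, every matching download would raise two
# alerts. They are disabled here; the reference URLs are kept so the IOC lineage stays
# visible. Re-enable if the two ThreatFox entries turn out to describe different URLs.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235597; rev:1;)
alert tcp $HOME_NET any -> [210.61.91.39] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235656; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235598; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235599; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235600; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235601; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 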
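confidence level: 100%)"; dns_query; content:"klosherskymoneyd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235604; rev:1;)
# NOTE(review): sid 91235605 (rev 1) matched "klosherskymoneyd.com" in the http.uri
# buffer at depth:20 with no http.host check. For the usual origin-form request the
# normalized URI begins with "/", so a 20-byte hostname at offset 0 can only occur in an
# absolute-form (proxy-style) request line; against direct C2 traffic the rule could not
# fire. The domain is now matched exactly in http.host, the same shape as every other
# url rule in this feed (sid 91235604 above already covers the DNS lookup). rev bumped
# to 2 because the detection logic changed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"klosherskymoneyd.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235605; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235555; rev:1;)
# NOTE(review): the dns rules in this feed are scoped "$HOME_NET any -> $EXTERNAL_NET any".
# With $EXTERNAL_NET set to !$HOME_NET (the common default) and an internal recursive
# resolver, client lookups travel HOME_NET -> HOME_NET and are never inspected by these
# rules. In that deployment run the dns_query rules as "any any -> any any" or place the
# sensor on the resolver's upstream link; the exact-match anchoring (depth + isdataat:!1)
# also means the apex "spartabig.com" rule will not fire for its subdomains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moon.spartabig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235550; rev:1;)
alert 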
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ok.spartabig.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sell.spartabig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"count.spartabig.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spartabig.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndbplus.rs"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
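flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m5.jpg"; depth:7; nocase; http.host; content:"ndbplus.rs"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugzx.exe"; depth:23; nocase; http.host; content:"nab.blueyonderllc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235547; rev:1;)
# NOTE(review): sid 91235546 is the same detection as sid 91235547 directly above
# (GET /_errorpages/plugzx.exe with Host: nab.blueyonderllc.top, identical depths and
# anchoring); only the sid and ThreatFox reference id differ, so it would double every
# alert for this download. Disabled here, reference kept for IOC lineage.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugzx.exe"; depth:23; nocase; http.host; content:"nab.blueyonderllc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nab.blueyonderllc.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235545; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 53003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; 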
sid:91235543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bit-number.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235526; rev:1;) alert tcp $HOME_NET any -> [192.243.102.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235655; rev:1;) alert tcp $HOME_NET any -> [34.125.227.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235654/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235654; rev:1;) alert tcp $HOME_NET any -> [3.80.84.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235653; rev:1;) alert tcp $HOME_NET any -> [52.21.211.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235652; rev:1;) alert tcp $HOME_NET any -> [8.137.54.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235651; rev:1;) alert tcp $HOME_NET any -> [43.136.58.193] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235650; rev:1;) alert tcp $HOME_NET any -> [154.223.17.208] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"node115.5-systems.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235648; rev:1;) alert tcp $HOME_NET any -> [134.255.252.185] 3000 (msg:"ThreatFox Bahamut botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235647; rev:1;) alert tcp $HOME_NET any -> [54.249.71.250] 18082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235646; rev:1;) alert tcp $HOME_NET any -> [82.115.19.151] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235645; rev:1;) alert tcp $HOME_NET any -> [85.209.176.113] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235644; rev:1;) alert tcp $HOME_NET any -> [85.209.176.184] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235643; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235642; rev:1;) alert tcp $HOME_NET any -> [50.118.225.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235641; rev:1;) alert tcp $HOME_NET any -> [181.162.169.153] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235640; rev:1;) alert tcp $HOME_NET any -> [191.82.204.88] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235639; rev:1;) alert tcp $HOME_NET any -> [185.172.128.103] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin.fvds.ru"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramzanlee.fvds.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asp.keyshape.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235636; rev:1;) alert tcp $HOME_NET any -> [5.42.67.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235634; rev:1;) alert tcp $HOME_NET any -> [185.172.128.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235632; rev:1;) alert tcp $HOME_NET any -> [212.109.195.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235633; rev:1;) alert tcp 
$HOME_NET any -> [64.227.124.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235631; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 1995 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235630; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235629; rev:1;) alert tcp $HOME_NET any -> [94.156.67.155] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235628; rev:1;) alert tcp $HOME_NET any -> [186.112.205.208] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235627; rev:1;) alert tcp $HOME_NET any -> [3.19.71.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235626/; 
target:src_ip; metadata: confidence_level 90, first_seen 2024_01_30; classtype:trojan-activity; sid:91235626; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235624; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235625; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235623; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235622; rev:1;) alert tcp $HOME_NET any -> [39.106.2.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235621; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235620; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235619; rev:1;) alert tcp $HOME_NET any -> [172.245.34.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235618; rev:1;) alert tcp $HOME_NET any -> [107.189.14.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235616; rev:1;) alert tcp $HOME_NET any -> [199.127.63.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235617; rev:1;) alert tcp $HOME_NET any -> [124.223.201.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235615; rev:1;) alert tcp $HOME_NET any -> [158.247.238.238] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235614; rev:1;) alert tcp $HOME_NET any -> [82.157.71.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235612; rev:1;) alert tcp $HOME_NET any -> [106.54.63.106] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235613; rev:1;) alert tcp $HOME_NET any -> [8.222.165.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235611; rev:1;) alert tcp $HOME_NET any -> [8.136.4.15] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/1450/ladyisbeautiful.vbs"; depth:25; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1450/irs.txt"; depth:13; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drd/microsoftupdationgoingformicrosoftofficeupgradingtonewmsofficeprotoecoltoreducethesys.doc"; depth:94; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allsmt.cam"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235606; rev:1;) alert tcp $HOME_NET any -> [103.86.130.54] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; 
sid:91235603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.223.220.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"dctrvi.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.115.212.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"81.70.0.37"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.106.26.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.104.232.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.92.246.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235534/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.57.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"117.72.13.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"204.44.94.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/interpret/today/vzardxorlr"; depth:27; nocase; http.host; content:"111.230.103.176"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235528; rev:1;) alert tcp $HOME_NET any -> [49.7.197.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235525; rev:1;) alert tcp $HOME_NET any -> [1.15.247.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235524; rev:1;) alert tcp $HOME_NET any -> [47.92.199.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235523; rev:1;) alert tcp $HOME_NET any -> [186.169.71.216] 5552 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryapi.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235521; rev:1;) alert tcp $HOME_NET any -> [103.86.130.76] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235522/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235522; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.t0nger.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235518; rev:1;) alert tcp $HOME_NET any -> [119.45.62.15] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235517/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_30; classtype:trojan-activity; sid:91235517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235514; rev:1;) alert tcp $HOME_NET any -> [150.158.34.235] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235513; rev:1;) alert tcp $HOME_NET any -> [81.19.136.234] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"dns.atchesonprint.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235511; rev:1;) alert tcp $HOME_NET any -> [114.115.210.125] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c1.tqrjfru.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiummgl.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumkls.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235501; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumtch.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumlg.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumsmg.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"94.156.68.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235496; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235493; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235492; rev:1;) alert tcp $HOME_NET any -> [149.210.96.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235508; rev:1;) alert tcp $HOME_NET any -> [94.102.148.42] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"f0912091.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/temporal/yv3bjpo5btv9"; depth:32; nocase; http.host; content:"103.50.206.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235504; rev:1;) alert tcp $HOME_NET any -> [103.50.206.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/temporal/yv3bjpo5btv9"; depth:32; nocase; http.host; content:"cloudflairly.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235503; rev:1;) alert tcp $HOME_NET any -> [103.86.130.50] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235495; rev:1;) alert tcp $HOME_NET any -> [103.72.97.236] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsqlwindows.php"; depth:18; nocase; http.host; content:"562173cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235491; rev:1;) alert tcp $HOME_NET any -> [3.6.40.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235490; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235489; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235488; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235481; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.26.28"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235486; rev:1;) alert tcp $HOME_NET any -> [37.27.26.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235485; rev:1;) alert tcp $HOME_NET any -> [103.69.194.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235484/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.100.170.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235476; rev:1;) alert tcp $HOME_NET any -> [110.43.68.243] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235475; rev:1;) alert tcp $HOME_NET any -> [62.204.41.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235474; rev:1;) alert tcp $HOME_NET any -> [2.87.13.117] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235473/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235473; rev:1;) alert tcp $HOME_NET any -> [91.92.253.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235472; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 44387 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235471; rev:1;) alert tcp $HOME_NET any -> [61.19.254.6] 2024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235384; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235385; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28104 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235386; rev:1;) alert tcp $HOME_NET any -> [186.169.37.61] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235391; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235399; rev:1;) alert tcp $HOME_NET any -> [195.144.21.204] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"mkng.honors.howamerica.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psil0n.fr"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psil0n.fr"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3psil0n.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.236.246.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"howamerica.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"honors.howamerica.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; 
sid:91235372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"honors.howamerica.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235371; rev:1;) alert tcp $HOME_NET any -> [45.15.156.201] 10208 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235358; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 15309 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"people-primarily.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235357; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.classicstandupcomedylive.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.classicstandupcomedy.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyzup.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.louangelwolf.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"louangelwolf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235333; rev:1;) alert tcp $HOME_NET any -> [64.225.12.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1235334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235334; rev:1;) alert tcp $HOME_NET any -> [192.252.183.121] 8524 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"clbh.honors.howamerica.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235340; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235470; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235469; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1935 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235468/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_01_30; classtype:trojan-activity; sid:91235468; rev:1;) alert tcp $HOME_NET any -> [65.109.90.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235467; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235466/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235466; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235465/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235465; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235464; rev:1;) alert tcp $HOME_NET any -> [103.86.131.57] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235463; rev:1;) alert tcp $HOME_NET any -> [188.241.240.187] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1235462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235462; rev:1;) alert tcp $HOME_NET any -> [110.40.151.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235461; rev:1;) alert tcp $HOME_NET any -> [65.109.90.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn752656009.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235459; rev:1;) alert tcp $HOME_NET any -> [41.216.183.31] 80 (msg:"ThreatFox GhostLocker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235458; rev:1;) alert tcp $HOME_NET any -> [190.135.185.214] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235457; rev:1;) alert tcp $HOME_NET any 
-> [88.214.25.249] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235456; rev:1;) alert tcp $HOME_NET any -> [18.198.146.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235455; rev:1;) alert tcp $HOME_NET any -> [47.100.210.152] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235454; rev:1;) alert tcp $HOME_NET any -> [45.155.124.147] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235453; rev:1;) alert tcp $HOME_NET any -> [35.184.204.195] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235452; rev:1;) alert tcp $HOME_NET any -> [138.68.72.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235451; rev:1;) alert tcp $HOME_NET any -> [64.23.184.213] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235450; rev:1;) alert tcp $HOME_NET any -> [64.23.184.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235449; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235448; rev:1;) alert tcp $HOME_NET any -> [120.46.45.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235447; rev:1;) alert tcp $HOME_NET any -> [120.25.226.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235446; rev:1;) alert tcp $HOME_NET any -> [122.10.68.253] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235445; rev:1;) alert tcp $HOME_NET any -> [2.58.113.172] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235444; rev:1;) alert tcp $HOME_NET any -> [5.182.86.194] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235443; rev:1;) alert tcp $HOME_NET any -> [194.36.88.211] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235442; rev:1;) alert tcp $HOME_NET any -> [45.94.31.205] 6969 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekfb.site"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235440/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235440; rev:1;) alert tcp $HOME_NET any -> [91.92.253.160] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235439; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235438; rev:1;) alert tcp $HOME_NET any -> [185.93.69.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235437; rev:1;) alert tcp $HOME_NET any -> [3.140.197.75] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235436; rev:1;) alert tcp $HOME_NET any -> [45.61.137.134] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235435; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235434; rev:1;) alert tcp $HOME_NET any -> [150.138.77.39] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235433; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235432; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235431; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235429; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235430; 
rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235428; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235427; rev:1;) alert tcp $HOME_NET any -> [52.146.1.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235426; rev:1;) alert tcp $HOME_NET any -> [123.60.57.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235425; rev:1;) alert tcp $HOME_NET any -> [20.62.251.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235423; rev:1;) alert tcp $HOME_NET any -> [124.221.47.36] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235424; rev:1;) alert tcp $HOME_NET any -> [117.72.42.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235422; rev:1;) alert tcp $HOME_NET any -> [123.249.114.61] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235421; rev:1;) alert tcp $HOME_NET any -> [188.213.198.232] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235420; rev:1;) alert tcp $HOME_NET any -> [45.144.232.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235419; rev:1;) alert tcp $HOME_NET any -> [45.144.232.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235418; rev:1;) alert tcp $HOME_NET any -> [5.42.64.32] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1poll/3external/50provider0/windows/windowslongpoll/0externaljavascriptjs/phpphp/0async7/61gamevoiddb/tolongpollwindowsprivate.php"; depth:131; nocase; http.host; content:"185.244.51.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0912235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235408; rev:1;) alert tcp $HOME_NET any -> [47.113.216.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235407; rev:1;) alert tcp $HOME_NET any -> [94.102.155.46] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235405/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235405; rev:1;) alert tcp $HOME_NET any -> [110.40.151.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235404; rev:1;) alert tcp $HOME_NET any -> [94.49.176.147] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235403; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235402; rev:1;) alert tcp $HOME_NET any -> [47.92.231.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235401; rev:1;) alert tcp $HOME_NET any -> [182.61.25.107] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235398; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235397; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235396; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235395; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235394; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235393; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235392; rev:1;) alert tcp $HOME_NET any -> [65.21.176.122] 11263 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235390; rev:1;) alert tcp $HOME_NET any -> [86.126.216.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235370; rev:1;) alert tcp $HOME_NET any -> [31.117.0.33] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235369; rev:1;) alert tcp $HOME_NET any -> [154.246.153.209] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235368; rev:1;) alert tcp $HOME_NET any -> [47.17.109.197] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235366; rev:1;) alert tcp $HOME_NET any -> [145.82.146.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235365/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235365; rev:1;) alert tcp $HOME_NET any -> [185.113.8.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235364; rev:1;) alert tcp $HOME_NET any -> [2.49.56.253] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235362; rev:1;) alert tcp $HOME_NET any -> [38.242.209.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callii.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235359; rev:1;) alert tcp $HOME_NET any -> [34.88.85.211] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235354/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/api"; depth:4; nocase; http.host; content:"negliganceassumeruew.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama.exe"; depth:8; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cp.exe"; depth:7; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ma.exe"; depth:7; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"braidfadefriendklypk.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235348/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"acquisitionfinancej.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cooperatecliqueobstac.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"racerecessionrestrai.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carvewomanflavourwop.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235344; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vesselspeedcrosswakew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"retainfactorypunishjkw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationinchoicer.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickabsorptiondullyi.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235341; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235339; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235338; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235337; rev:1;) alert tcp $HOME_NET any -> [103.86.130.51] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.currencyandsecurity.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currencyandsecurity.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235319; rev:1;) alert 
tcp $HOME_NET any -> [5.181.159.27] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-172-234-147.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235317; rev:1;) alert tcp $HOME_NET any -> [167.172.234.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235320; rev:1;) alert tcp $HOME_NET any -> [64.237.213.102] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235316; rev:1;) alert tcp $HOME_NET any -> [45.137.116.2] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235314; rev:1;) alert tcp $HOME_NET any -> [85.209.11.168] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235315; rev:1;) alert tcp $HOME_NET any -> [2.58.14.224] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235313; rev:1;) alert tcp $HOME_NET any -> [45.156.84.190] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/securepacketgamedbtrack.php"; depth:38; nocase; http.host; content:"46.174.52.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235311; rev:1;) alert tcp $HOME_NET any -> [85.102.165.243] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235309; rev:1;) alert tcp $HOME_NET any -> [197.204.3.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235308/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235308; rev:1;) alert tcp $HOME_NET any -> [216.238.83.84] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235307; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4445 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235306; rev:1;) alert tcp $HOME_NET any -> [23.20.6.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235305; rev:1;) alert tcp $HOME_NET any -> [101.34.47.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235304; rev:1;) alert tcp $HOME_NET any -> [20.174.1.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235303; rev:1;) alert tcp $HOME_NET any -> [163.172.150.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235302; rev:1;) alert tcp $HOME_NET any -> [13.247.14.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235301; rev:1;) alert tcp $HOME_NET any -> [122.10.12.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235300; rev:1;) alert tcp $HOME_NET any -> [101.42.149.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235299; rev:1;) alert tcp $HOME_NET any -> [43.139.195.144] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235298; rev:1;) alert tcp $HOME_NET any -> [175.178.116.26] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; 
sid:91235297; rev:1;) alert tcp $HOME_NET any -> [47.107.44.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235296; rev:1;) alert tcp $HOME_NET any -> [20.240.201.149] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235295; rev:1;) alert tcp $HOME_NET any -> [161.97.102.40] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235294; rev:1;) alert tcp $HOME_NET any -> [49.157.28.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235293; rev:1;) alert tcp $HOME_NET any -> [52.81.76.168] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235292; rev:1;) alert tcp $HOME_NET any -> [165.227.213.147] 7552 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235291; rev:1;) alert tcp $HOME_NET any -> [64.227.124.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235290; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 13832 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235289; rev:1;) alert tcp $HOME_NET any -> [94.23.89.139] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235288/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_29; classtype:trojan-activity; sid:91235288; rev:1;) alert tcp $HOME_NET any -> [109.117.91.172] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235287; rev:1;) alert tcp $HOME_NET any -> [141.164.34.159] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235285; rev:1;) alert tcp $HOME_NET any -> [8.130.101.106] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235286; rev:1;) alert tcp $HOME_NET any -> [64.227.174.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235284; rev:1;) alert tcp $HOME_NET any -> [1.12.254.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235283; rev:1;) alert tcp $HOME_NET any -> [91.92.243.186] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235282; rev:1;) alert tcp $HOME_NET any -> [8.134.165.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235280; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235281/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235281; rev:1;)
# ip:port rules sid:91235279 .. sid:91235276: plain "alert tcp" with no flow keyword, so any
# packet from $HOME_NET toward the listed ip:port fires, scanner/probe traffic included; the
# threshold limits this to one alert per source per 60 s. first_seen is 2024_01_29 — confirm
# the indicator is still live before promoting alert to block.
alert tcp $HOME_NET any -> [172.105.8.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235279; rev:1;) alert tcp $HOME_NET any -> [8.140.254.212] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235278; rev:1;) alert tcp $HOME_NET any -> [142.171.233.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235277; rev:1;) alert tcp $HOME_NET any -> [47.108.145.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235276; rev:1;)
# NOTE(review): sid:91235274 appears to have been generated from a URL IoC with no path
# component — the hostname was emitted as the http.uri pattern and no http.host match was
# produced. With depth:26 equal to the pattern length the match must sit at offset 0 of the
# request URI, which normally begins with "/", so this rule is not expected to match the
# intended traffic; the dns rule sid:91235273 below still covers the domain. If kept, the
# match belongs in the http.host buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"stachmentsuprimeresult.com"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1235274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0910130.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235275; rev:1;)
# euunclaimedpymt.com: dns (sid:91235272) and url (sid:91235271) rules for the same
# indicator; a resolution followed by the GET raises both, so correlate on the source host.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euunclaimedpymt.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ap.php"; depth:7; nocase; http.host; content:"euunclaimedpymt.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235271; rev:1;)
# DNS companion to sid:91235274 above; this one is well formed (depth plus
# isdataat:!1,relative anchor the whole query name).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stachmentsuprimeresult.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235273; rev:1;)
# confidence_level 50: lower-confidence ip:port indicator; keep as alert-only rather than
# feeding it into a blocking policy.
alert tcp $HOME_NET any -> [193.222.96.70] 59646 (msg:"ThreatFox WpBruteBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235270; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ripnoticebook.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"ripnoticebook.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"ghostcitygames.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235269; rev:1;) alert tcp $HOME_NET any -> [193.233.132.37] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/6cdvjjmfdowmbvw+3hrdrpttcvzkhu38mkim5i1ebnocvddqmkgb+i1vheoabuoujvud45ofvb3ebr2u0gug6p5ff/6dxxzmku4y+pgfeg=="; depth:109; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uuo0fipov381aa4kz3kynci+uwzzcbzmiy9xfjqpx0k7owtwiyvayjq4rnkjabg0ndhgesnodir9aey0a2hydccyrxezov1nmyvyncw="; depth:105; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpmkpnw76c3ku7cwmkqmht3t79smo6jfwpjm3dt81cleu6ag3luwhsf9+n3w/f7hx/tlysfz8ntf+u2g0w=="; depth:85; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miner.eastestsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235262; rev:1;) alert tcp $HOME_NET any -> [91.109.178.5] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235261; rev:1;)
# NjRAT ip:port indicators at confidence_level 75 on a high non-standard port (14868);
# 3.22.30.40 and 3.17.7.232 look like shared public-cloud address space, where addresses
# are recycled — review before blocking at the network edge.
alert tcp $HOME_NET any -> [3.22.30.40] 14868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235245; rev:1;) alert tcp $HOME_NET any -> [193.106.175.40] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235242; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 14868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235244; rev:1;) alert tcp $HOME_NET any -> [65.109.242.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235260; rev:1;)
# sid:91235258: the http.uri pattern "/" with depth:1 matches any request path, so this is
# effectively a host-only match on 65.109.242.38 (http.host anchored by isdataat:!1,relative);
# the tcp rule sid:91235260 above covers the same address, so one session can raise both.
# The same shape is used for 116.202.4.242 (sid:91235257 / sid:91235259) below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235258/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235258; rev:1;) alert tcp $HOME_NET any -> [116.202.4.242] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235257; rev:1;)
# sid:91235255 and sid:91235256 match a specific path on legitimate public services
# (t.me, steamcommunity.com); the path is the indicator, not the host, so do not derive a
# host-level block from them. http.host is anchored, but the http.uri match is a prefix
# (depth only, no isdataat), so longer paths that share the prefix also match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tvrugrats"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199627279110"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235256; rev:1;) alert tcp $HOME_NET any -> [91.109.176.7] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235253; rev:1;) alert tcp $HOME_NET any -> [124.223.52.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"124.223.52.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235251; rev:1;) alert tcp $HOME_NET any -> [81.68.210.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; 
http.host; content:"81.68.210.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linejsrequestdbdle.php"; depth:23; nocase; http.host; content:"194.36.209.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235248; rev:1;) alert tcp $HOME_NET any -> [164.92.187.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235247; rev:1;) alert tcp $HOME_NET any -> [41.111.218.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235246; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235243/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235243; rev:1;) alert tcp $HOME_NET any -> [3.77.102.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235241; rev:1;)
alert tcp $HOME_NET any -> [123.249.114.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da341/index.php"; depth:16; nocase; http.host; content:"damel.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235239; rev:1;)
# "/match" with depth:6 is a starts-with match on the URI; the exact Host 139.155.0.238 is the discriminating part.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.155.0.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235238; rev:1;)
# 47.108.137.190 also appears with URI /j.ad (sid 91235235); both paths imitate ad/tracking-pixel names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"20.2.223.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235235; rev:1;)
# "/cm" with depth:3 is a starts-with match and would also match e.g. /cms/...; only the exact Host keeps this narrow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"175.178.73.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235234; rev:1;)
# Generic library filename on a look-alike host name; the exact Host match is the only discriminator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ns.chrome-crash.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235233; rev:1;)
# 75%-confidence entry: "/index.php" is a starts-with URI match bound to the exact Host; low confidence, keep alert-only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"kitfishstore.ru"; depth:15; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1235232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235232; rev:1;)
# 75%-confidence entry: generic "/index.php" prefix bound to the exact Host homemademagazine.ru; alert-only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"homemademagazine.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235231; rev:1;)
alert tcp $HOME_NET any -> [185.248.163.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235230; rev:1;)
# /auth/login cluster (sids 91235117-91235127, plus 91235102/91235101 further down): the same URI
# prefix on bare-IP or throwaway hosts, msg names no family. The only attribution in this feed is
# sid 91235099, which ties 89.208.103.177 to Meduza Stealer; the family of the other hosts is not stated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.255.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.73.131.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.232.142.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"92.246.136.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.168.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235121; rev:1;)
# Bare-IP Host; sid 91235127 covers the same address through its sslip.io name (85.192.63.57.sslip.io).
# Because http.host is an exact match, the two spellings need the two separate rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.141.215.173"; depth:14;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.106.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"141.98.83.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.253.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235126; rev:1;)
# sslip.io host name embedding 85.192.63.57, the bare-IP Host of sid 91235122; same /auth/login prefix.
# Exact-Host matching means this spelling is only caught by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.57.sslip.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29;
classtype:trojan-activity; sid:91235127; rev:1;)
alert tcp $HOME_NET any -> [103.215.221.168] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235190/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235190; rev:1;)
# Dynamic-DNS (duckdns.org) host matched as an exact FQDN only; no backing IP is listed here and it
# may change, so do not derive an IP block from this entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abixmaly.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235194/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235194; rev:1;)
alert tcp $HOME_NET any -> [103.92.235.29] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235195/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235195; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skscarsrjn.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235196/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235196; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rocheholding.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235197/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235197; rev:1;)
# Exact-FQDN match including the "www." label; a lookup of the bare apex name would not fire this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain -
confidence level: 75%)"; dns_query; content:"www.rnofinancial.com.au"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235201; rev:1;)
# Two NjRAT sockets on the same port 10093 (sids 91235213 / 91235212); both rules are port-specific,
# so the same hosts on any other port are not covered.
alert tcp $HOME_NET any -> [3.19.130.43] 10093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235213; rev:1;)
alert tcp $HOME_NET any -> [185.91.127.235] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235210; rev:1;)
alert tcp $HOME_NET any -> [3.142.167.54] 10093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235212; rev:1;)
# Payload-delivery cluster (sids 91235107-91235116): mostly eight-character paths on .org hosts,
# GET only. A POST, or any other path on the same host, is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1zkzw2mq"; depth:9; nocase; http.host; content:"draggedline.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytw8d9xy"; depth:9;
nocase; http.host; content:"climedballon.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdrvdw9c"; depth:9; nocase; http.host; content:"waterlinesheet.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rz7kfbxj"; depth:9; nocase; http.host; content:"dailytickyclock.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235115; rev:1;)
# NOTE: http.uri content:"/" with depth:1 is satisfied by every request path, so this rule is
# effectively "any GET whose Host is exactly devquery.org"; the URI adds no selectivity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"devquery.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd5fkzwv"; depth:9; nocase; http.host; content:"lemonicecold.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235113/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_01_29; classtype:trojan-activity; sid:91235113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxlvy9nz"; depth:9; nocase; http.host; content:"throatpills.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zcqvjvq1"; depth:9; nocase; http.host; content:"surelytheme.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpw79r1k"; depth:9; nocase; http.host; content:"drilledgas.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bxz6bx5c"; depth:9; nocase; http.host; content:"windowlight.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235107; rev:1;)
# Exact-FQDN domain rules: oracle-panel.online (sid 91235104) and tunel.oracle-panel.online
# (sid 91235103) are separate entries; any other label under this domain will not alert.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level:
100%)"; dns_query; content:"oracle-panel.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunel.oracle-panel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"tunel.oracle-panel.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235102; rev:1;)
# 89.208.103.177 is the one /auth/login host this feed attributes: the ip:port rule sid 91235099
# below names Meduza Stealer on port 15666, while this URL rule matches GET /auth/login on any port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235101; rev:1;)
alert tcp $HOME_NET any -> [89.208.103.177] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"bb2wexx2x2aa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235093; rev:1;)
alert tcp $HOME_NET any -> [78.153.139.198] 4000 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235098; rev:1;)
# sids 91235087-91235093 share the URI prefix /mju0mjdimtzmndvh/ across six look-alike .com hosts and
# one bare IP, all at 80%; the URI, not the Host, is the stable pivot for hunting here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"wexx2x11x2aa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"x2313xsdx2a.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"babawwe2aa.com"; depth:14; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1235089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"wexx2x2aa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"xex2napggq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235088; rev:1;)
# Same /mju0mjdimtzmndvh/ prefix as the preceding hosts, but on a bare IP; Host must equal
# "193.222.96.16" exactly (if I read the http.host buffer right, a ":port" suffix is not part
# of it, so a Host with a port would still match -- confirm against the Suricata version in use).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"193.222.96.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235087; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.135] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235229; rev:1;)
alert tcp $HOME_NET any -> [72.11.158.94] 1604 (msg:"ThreatFox Remcos botnet C2 traffic
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235228; rev:1;)
alert tcp $HOME_NET any -> [79.137.205.212] 8080 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235081; rev:1;)
# Four consecutive addresses 192.252.183.17-.20, all on port 8888, family unknown, confidence 50
# (sids 91235224-91235227): no content match behind them, so a single outbound packet alerts.
# Keep these alert-only; they are a pivot for hunting, not a block list.
alert tcp $HOME_NET any -> [192.252.183.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235227; rev:1;)
alert tcp $HOME_NET any -> [192.252.183.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235226; rev:1;)
alert tcp $HOME_NET any -> [192.252.183.18] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235225; rev:1;)
alert tcp $HOME_NET any -> [192.252.183.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235224/; target:src_ip; metadata: confidence_level 50, first_seen
2024_01_29; classtype:trojan-activity; sid:91235224; rev:1;)
# QakBot ip:port cluster at confidence 50 (sids 91235218-91235223). Ports 443 and 995 are ordinary
# TLS/POP3S ports and the rules carry no content match, so any session to these sockets alerts;
# with 50% confidence treat hits as leads and corroborate before blocking.
alert tcp $HOME_NET any -> [86.122.235.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235223; rev:1;)
alert tcp $HOME_NET any -> [31.190.83.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235222; rev:1;)
alert tcp $HOME_NET any -> [5.163.239.151] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235221; rev:1;)
alert tcp $HOME_NET any -> [91.140.64.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235220; rev:1;)
alert tcp $HOME_NET any -> [94.98.74.63] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235219; rev:1;)
alert tcp $HOME_NET any -> [59.20.162.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1235218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235218; rev:1;)
# 50%-confidence C2-framework entries (Havoc on 80, Deimos on 443): common ports, no content match,
# low confidence -- alert-only.
alert tcp $HOME_NET any -> [34.244.129.215] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235217; rev:1;)
alert tcp $HOME_NET any -> [45.90.218.248] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c3/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235215; rev:1;)
alert tcp $HOME_NET any -> [43.129.169.102] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235214/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235214; rev:1;)
alert tcp $HOME_NET any -> [111.230.103.176] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235211/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity;
sid:91235211; rev:1;)
alert tcp $HOME_NET any -> [43.230.202.77] 4568 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235209; rev:1;)
alert tcp $HOME_NET any -> [87.98.177.182] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235208; rev:1;)
# Same path shape as damel.shop /da341/index.php (sid 91235239): a short token + "41/index.php" on a
# .shop host; the family is not named in either msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blb41/index.php"; depth:16; nocase; http.host; content:"blblz.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235207; rev:1;)
alert tcp $HOME_NET any -> [149.102.231.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235206/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235206; rev:1;)
alert tcp $HOME_NET any -> [124.71.9.23] 8055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235205/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235205; rev:1;)
alert tcp $HOME_NET any -> [23.155.8.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235204/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235204; rev:1;)
alert tcp $HOME_NET any -> [23.95.60.87] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235203; rev:1;)
# first_seen switches to 2024_01_28 from here on.
alert tcp $HOME_NET any -> [64.227.174.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235189/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235189; rev:1;)
# "Unknown malware" ip:port cluster (sids 91235175-91235188): many hosts on port 3333 plus 4488/4444/
# 443/5000/60000, all at confidence 100 but with no family and no content match. Any TCP packet to
# the socket alerts, so a scanner or sandbox inside $HOME_NET will trip these too.
alert tcp $HOME_NET any -> [206.189.149.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235188; rev:1;)
alert tcp $HOME_NET any -> [20.11.73.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235187; rev:1;)
alert tcp $HOME_NET any -> [62.210.28.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28;
classtype:trojan-activity; sid:91235186; rev:1;) alert tcp $HOME_NET any -> [65.20.76.49] 4488 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235185; rev:1;) alert tcp $HOME_NET any -> [165.227.185.39] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235184; rev:1;) alert tcp $HOME_NET any -> [195.133.13.135] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235183; rev:1;) alert tcp $HOME_NET any -> [3.83.43.12] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235182; rev:1;) alert tcp $HOME_NET any -> [181.32.129.119] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235181; rev:1;) alert tcp $HOME_NET any -> [143.198.20.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235180; rev:1;) alert tcp $HOME_NET any -> [34.143.218.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235179; rev:1;) alert tcp $HOME_NET any -> [203.161.46.188] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235178; rev:1;) alert tcp $HOME_NET any -> [52.128.230.170] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235177; rev:1;) alert tcp $HOME_NET any -> [118.25.109.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235176; rev:1;) alert tcp $HOME_NET any -> [52.128.230.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; 
sid:91235175; rev:1;) alert tcp $HOME_NET any -> [180.112.128.157] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235173; rev:1;) alert tcp $HOME_NET any -> [220.173.27.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235174; rev:1;) alert tcp $HOME_NET any -> [179.61.251.93] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235172; rev:1;) alert tcp $HOME_NET any -> [3.213.37.39] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235171; rev:1;) alert tcp $HOME_NET any -> [3.210.242.78] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235170; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235169; rev:1;) alert tcp $HOME_NET any -> [185.196.10.245] 4443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235168; rev:1;) alert tcp $HOME_NET any -> [93.123.39.235] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235167; rev:1;) alert tcp $HOME_NET any -> [185.237.14.236] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235166; rev:1;) alert tcp $HOME_NET any -> [159.69.86.27] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235164; rev:1;) alert tcp $HOME_NET any -> [39.38.245.19] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235162; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 6606 (msg:"ThreatFox 
Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235163; rev:1;) alert tcp $HOME_NET any -> [20.163.19.3] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235161; rev:1;) alert tcp $HOME_NET any -> [85.209.176.79] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235160; rev:1;) alert tcp $HOME_NET any -> [156.253.13.217] 4848 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235159; rev:1;) alert tcp $HOME_NET any -> [94.103.188.123] 1111 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235158; rev:1;) alert tcp $HOME_NET any -> [35.189.151.174] 5563 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235157/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_28; classtype:trojan-activity; sid:91235157; rev:1;) alert tcp $HOME_NET any -> [125.130.86.64] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235156; rev:1;) alert tcp $HOME_NET any -> [176.105.230.74] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235155; rev:1;) alert tcp $HOME_NET any -> [64.231.120.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235154; rev:1;) alert tcp $HOME_NET any -> [185.172.128.60] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235153; rev:1;) alert tcp $HOME_NET any -> [185.172.128.4] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235152; rev:1;) alert tcp $HOME_NET any -> [45.133.36.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1235151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235151; rev:1;) alert tcp $HOME_NET any -> [62.109.30.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235149; rev:1;) alert tcp $HOME_NET any -> [154.223.21.23] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235150; rev:1;) alert tcp $HOME_NET any -> [192.252.183.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235148; rev:1;) alert tcp $HOME_NET any -> [38.207.179.146] 48964 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235147/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_28; classtype:trojan-activity; sid:91235147; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235146; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1883 (msg:"ThreatFox 
DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235145; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235144; rev:1;) alert tcp $HOME_NET any -> [81.136.60.101] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235143; rev:1;) alert tcp $HOME_NET any -> [108.165.113.54] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235142; rev:1;) alert tcp $HOME_NET any -> [43.248.185.248] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235141; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235140/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235140; rev:1;) alert tcp $HOME_NET any -> [31.41.244.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235139; rev:1;) alert tcp $HOME_NET any -> [139.155.135.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235138; rev:1;) alert tcp $HOME_NET any -> [35.164.187.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235137; rev:1;) alert tcp $HOME_NET any -> [38.60.253.13] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235135; rev:1;) alert tcp $HOME_NET any -> [104.244.72.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235136; rev:1;) alert tcp $HOME_NET any -> [139.162.134.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235134; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235132; rev:1;) alert tcp $HOME_NET any -> [8.130.123.25] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235133; rev:1;) alert tcp $HOME_NET any -> [139.196.226.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235131; rev:1;) alert tcp $HOME_NET any -> [206.189.80.59] 22614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235130; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235129; 
rev:1;) alert tcp $HOME_NET any -> [147.78.241.56] 313 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"190.123.44.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235100; rev:1;) alert tcp $HOME_NET any -> [183.131.83.145] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235097/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235097; rev:1;) alert tcp $HOME_NET any -> [154.246.34.250] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235096; rev:1;) alert tcp $HOME_NET any -> [190.133.134.78] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235095; rev:1;) alert tcp $HOME_NET any -> [38.62.236.182] 4567 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235094; rev:1;) alert tcp $HOME_NET any -> [103.86.131.87] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235086; rev:1;) alert tcp $HOME_NET any -> [82.115.223.244] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235085; rev:1;) alert tcp $HOME_NET any -> [47.108.89.235] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235084; rev:1;) alert tcp $HOME_NET any -> [91.92.254.14] 4412 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235083; rev:1;) alert tcp $HOME_NET any -> [91.92.254.47] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235082; rev:1;) alert tcp $HOME_NET any -> [176.128.10.125] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235080; rev:1;) alert tcp $HOME_NET any -> [221.239.26.195] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235079; rev:1;) alert tcp $HOME_NET any -> [165.227.31.192] 22509 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235078; rev:1;) alert tcp $HOME_NET any -> 
[95.173.255.238] 4444 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235077; rev:1;) alert tcp $HOME_NET any -> [95.217.81.77] 35530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235076; rev:1;) alert tcp $HOME_NET any -> [20.201.116.50] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235075; rev:1;) alert tcp $HOME_NET any -> [185.222.58.84] 8990 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235074; rev:1;) alert tcp $HOME_NET any -> [161.35.237.131] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; 
content:"cf43561.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"117.72.11.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235070; rev:1;) alert tcp $HOME_NET any -> [45.154.2.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.141.10.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.westus3.cloudapp.azure.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235059; rev:1;) alert tcp $HOME_NET any -> [20.171.192.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxjh.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.rxjh.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rxjh.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; 
depth:3; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"104.143.47.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caranthir.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"caranthir.zapto.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235064; rev:1;) alert tcp $HOME_NET any -> [103.86.130.67] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235058; rev:1;) alert tcp $HOME_NET any -> [103.86.130.68] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235057; rev:1;) alert tcp $HOME_NET any -> [185.196.8.220] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235056; rev:1;) alert tcp $HOME_NET any -> [111.230.103.176] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235055; rev:1;) alert tcp $HOME_NET any -> [103.86.130.86] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235054; rev:1;) alert tcp $HOME_NET any -> [109.242.113.157] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235053; rev:1;) alert tcp $HOME_NET any -> [74.12.146.125] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235052; rev:1;) 
alert tcp $HOME_NET any -> [211.169.158.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235051; rev:1;) alert tcp $HOME_NET any -> [151.48.177.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235050; rev:1;) alert tcp $HOME_NET any -> [141.144.233.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235049; rev:1;) alert tcp $HOME_NET any -> [164.92.125.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowordshere.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greedyclowns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getquery.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"climedballon.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowlight.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drilledgas.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devcodejs.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; 
sid:91235012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemonicecold.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dailytickyclock.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devqeury.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slurpslimes.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deeptrickday.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"greenpapers.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cancelledfirestarter.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudwebhub.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggerfun.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"treegreeny.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"surelytheme.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryh.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neworderspath.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"draggedline.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waterlinesheet.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigbricks.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; 
sid:91235029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"searchgear.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metallife.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emperorplan.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catsndogz.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greedyfines.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"libertader.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jsqur.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibedroom.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codecruncher.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggreenlimes.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryns.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheatlab.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234852; rev:1;) alert tcp $HOME_NET any -> [77.246.104.220] 3422 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkudndkwatnfevcaqeefytqnh.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w33s1.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whxzqkbbtzvdyxdeseoiyujzs.co"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; 
classtype:trojan-activity; sid:91234859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uohhunkmnfhbimtagizqgwpmv.to"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kboespoo-1317138495.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serevto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.serevto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.uapa-edu.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234864; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzxngxmlsim3.cloudfront.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estagioonlineeseguro.ddns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bing921.215436454.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234885; rev:1;) alert tcp $HOME_NET any -> [202.144.192.114] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbdb.addea.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nnpservices.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234883; rev:1;) alert tcp $HOME_NET any -> [189.18.237.245] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-70-254-144.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234890; rev:1;) alert tcp $HOME_NET any -> [142.67.130.172] 54999 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divert64.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234894; rev:1;) alert tcp $HOME_NET any -> [163.172.255.114] 9080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234898/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234898; rev:1;) alert tcp $HOME_NET any -> [54.37.196.189] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234899; rev:1;) alert tcp $HOME_NET any -> [37.252.188.127] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234900; rev:1;) alert tcp $HOME_NET any -> [164.90.185.9] 443 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234901; rev:1;) alert tcp $HOME_NET any -> [206.189.109.146] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234902; rev:1;) alert tcp $HOME_NET any -> [94.156.71.237] 3999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"wired-ethical-marten.ngrok-free.app"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.exe"; depth:8; nocase; http.host; content:"wired-ethical-marten.ngrok-free.app"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinggru.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234989; rev:1;) alert tcp $HOME_NET any -> [90.15.154.112] 4899 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victacking.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqscr.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linedloop.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235042; rev:1;) alert tcp $HOME_NET any -> [93.123.85.151] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bp.somersaultcloud.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235046; rev:1;) alert tcp $HOME_NET any -> [116.103.228.193] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1235047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235047; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1660 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235044; rev:1;) alert tcp $HOME_NET any -> [158.247.254.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235043/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235043; rev:1;) alert tcp $HOME_NET any -> [108.165.113.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235004; rev:1;) alert tcp $HOME_NET any -> [94.156.64.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235003/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91235003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlenath"; depth:8; nocase; http.host; content:"service.safaricom.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service.safaricom.workers.dev"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235002; rev:1;) alert tcp $HOME_NET any -> [217.31.202.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91235000; rev:1;) alert tcp $HOME_NET any -> [44.211.174.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234997; rev:1;) alert tcp $HOME_NET any -> [51.81.35.61] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234996; rev:1;) alert tcp $HOME_NET 
any -> [143.110.192.8] 27978 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234995; rev:1;) alert tcp $HOME_NET any -> [141.255.159.227] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234994; rev:1;) alert tcp $HOME_NET any -> [103.86.131.46] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234993; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e3e70db1.php"; depth:13; nocase; http.host; content:"a0894373.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234991; rev:1;) alert tcp $HOME_NET any -> [38.207.179.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234990; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 10451 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234988; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 7438 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234987; rev:1;) alert tcp $HOME_NET any -> [74.70.4.221] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234986/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234986; rev:1;) alert tcp $HOME_NET any -> [45.128.232.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234985/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234985; rev:1;) alert tcp $HOME_NET any -> [51.159.6.180] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234984; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 
30042 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234983; rev:1;) alert tcp $HOME_NET any -> [141.94.244.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234982; rev:1;) alert tcp $HOME_NET any -> [3.18.239.172] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234981; rev:1;) alert tcp $HOME_NET any -> [52.31.167.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234980; rev:1;) alert tcp $HOME_NET any -> [31.210.51.99] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234979; rev:1;) alert tcp $HOME_NET any -> [195.122.14.251] 7005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234978/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234978; rev:1;) alert tcp $HOME_NET any -> [139.59.68.45] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234977; rev:1;) alert tcp $HOME_NET any -> [4.198.2.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234976; rev:1;) alert tcp $HOME_NET any -> [172.175.210.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234975; rev:1;) alert tcp $HOME_NET any -> [20.98.28.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234974; rev:1;) alert tcp $HOME_NET any -> [20.75.254.123] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234973; rev:1;) alert tcp $HOME_NET any -> [125.25.54.213] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234972; rev:1;) alert tcp $HOME_NET any -> [104.155.11.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234971; rev:1;) alert tcp $HOME_NET any -> [43.140.250.89] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234970; rev:1;) alert tcp $HOME_NET any -> [128.199.159.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234968; rev:1;) alert tcp $HOME_NET any -> [128.199.159.85] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234969; rev:1;) alert tcp $HOME_NET any -> [34.201.66.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234967/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234967; rev:1;) alert tcp $HOME_NET any -> [18.211.99.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234965; rev:1;) alert tcp $HOME_NET any -> [159.203.136.239] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234966; rev:1;) alert tcp $HOME_NET any -> [20.123.192.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234964; rev:1;) alert tcp $HOME_NET any -> [159.223.224.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234963; rev:1;) alert tcp $HOME_NET any -> [4.147.247.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234962; rev:1;) alert tcp $HOME_NET any -> [52.128.230.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234961; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234960; rev:1;) alert tcp $HOME_NET any -> [149.104.24.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234958; rev:1;) alert tcp $HOME_NET any -> [52.128.230.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234959; rev:1;) alert tcp $HOME_NET any -> [52.128.230.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234957; rev:1;) alert tcp $HOME_NET any -> [185.117.152.159] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234956/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91234956; rev:1;) alert tcp $HOME_NET any -> [93.123.39.235] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234955; rev:1;) alert tcp $HOME_NET any -> [193.233.132.37] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234954; rev:1;) alert tcp $HOME_NET any -> [46.101.126.207] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234953; rev:1;) alert tcp $HOME_NET any -> [77.246.110.208] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234952; rev:1;) alert tcp $HOME_NET any -> [115.79.234.191] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234951; rev:1;) alert tcp $HOME_NET any -> [96.30.193.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1234950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234950; rev:1;) alert tcp $HOME_NET any -> [51.79.197.146] 23456 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234949; rev:1;) alert tcp $HOME_NET any -> [223.155.16.91] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234947; rev:1;) alert tcp $HOME_NET any -> [223.155.16.108] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234948; rev:1;) alert tcp $HOME_NET any -> [45.40.96.155] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234946; rev:1;) alert tcp $HOME_NET any -> [95.164.2.178] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234945; rev:1;) alert tcp $HOME_NET any -> [94.156.66.187] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234944; rev:1;) alert tcp $HOME_NET any -> [92.246.136.53] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234942; rev:1;) alert tcp $HOME_NET any -> [3.76.253.201] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234943; rev:1;) alert tcp $HOME_NET any -> [88.218.60.150] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234941; rev:1;) alert tcp $HOME_NET any -> [45.55.70.10] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234940; rev:1;) alert tcp $HOME_NET any -> [64.23.149.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; 
classtype:trojan-activity; sid:91234939; rev:1;) alert tcp $HOME_NET any -> [45.134.26.33] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234938; rev:1;) alert tcp $HOME_NET any -> [20.77.15.101] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234937; rev:1;) alert tcp $HOME_NET any -> [185.81.157.150] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234936; rev:1;) alert tcp $HOME_NET any -> [94.46.246.95] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234935; rev:1;) alert tcp $HOME_NET any -> [103.28.89.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234934/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234934; rev:1;) alert tcp $HOME_NET any -> [34.162.51.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234933/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234933; rev:1;) alert tcp $HOME_NET any -> [80.78.22.159] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234932/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234932; rev:1;) alert tcp $HOME_NET any -> [188.166.9.214] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234931/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234931; rev:1;) alert tcp $HOME_NET any -> [79.36.28.36] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234930; rev:1;) alert tcp $HOME_NET any -> [105.98.42.244] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234929; rev:1;) alert tcp $HOME_NET any -> [114.55.133.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234928; rev:1;) alert tcp $HOME_NET any -> [223.255.246.169] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234927; rev:1;) alert tcp $HOME_NET any -> [185.196.10.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234925; rev:1;) alert tcp $HOME_NET any -> [114.132.226.250] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234926; rev:1;) alert tcp $HOME_NET any -> [120.24.70.197] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234924; rev:1;) alert tcp $HOME_NET any -> [204.44.94.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234923; rev:1;) alert tcp $HOME_NET any -> [91.92.243.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234921/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91234921; rev:1;) alert tcp $HOME_NET any -> [124.221.15.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234922; rev:1;) alert tcp $HOME_NET any -> [129.226.201.214] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234920; rev:1;) alert tcp $HOME_NET any -> [60.205.115.92] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234918; rev:1;) alert tcp $HOME_NET any -> [31.41.244.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234919; rev:1;) alert tcp $HOME_NET any -> [69.165.74.218] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234917; rev:1;) alert tcp $HOME_NET any -> [192.3.98.47] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234916; rev:1;) alert tcp $HOME_NET any -> [107.172.61.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234914; rev:1;) alert tcp $HOME_NET any -> [121.43.117.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234915; rev:1;) alert tcp $HOME_NET any -> [178.54.217.55] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234913; rev:1;) alert tcp $HOME_NET any -> [43.163.224.112] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234912; rev:1;) alert tcp $HOME_NET any -> [101.35.169.206] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234911; rev:1;) 
alert tcp $HOME_NET any -> [195.230.23.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234910; rev:1;) alert tcp $HOME_NET any -> [117.72.39.83] 30005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234909; rev:1;) alert tcp $HOME_NET any -> [104.143.47.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234908; rev:1;) alert tcp $HOME_NET any -> [155.138.231.45] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"op.mrstealth.pagekite.me"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234897; rev:1;) alert tcp $HOME_NET any -> [91.109.186.13] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234896; rev:1;) alert tcp $HOME_NET any -> [194.33.191.53] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234895; rev:1;) alert tcp $HOME_NET any -> [8.141.10.30] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.128.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234891; rev:1;) alert tcp $HOME_NET any -> [92.63.178.58] 442 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234884; rev:1;) alert tcp $HOME_NET any -> [193.142.58.127] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"success.165gov.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"success.165gov.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html.css"; depth:9; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beacon.evilginx2.bio"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234874; rev:1;) alert tcp $HOME_NET any -> [64.23.174.74] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234875; rev:1;) alert tcp $HOME_NET any -> [20.172.163.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"bec.security-ssl.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234872; rev:1;) alert tcp $HOME_NET any -> [95.179.177.89] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.modernbeem.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234870; rev:1;) alert tcp $HOME_NET any -> [45.77.193.76] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.investmenttech.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234868; rev:1;) alert tcp $HOME_NET any -> [95.179.142.153] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.currentbee.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234866; rev:1;) alert tcp $HOME_NET any -> [104.143.47.137] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cc.youku.zip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/"; depth:18; nocase; http.host; content:"cc.youku.zip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234855; rev:1;) alert tcp $HOME_NET any -> [43.130.60.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234853/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234853; rev:1;) alert tcp $HOME_NET any -> [193.233.254.78] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234850; rev:1;) alert tcp $HOME_NET any -> [116.203.143.98] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234848; rev:1;) alert tcp $HOME_NET any -> [109.107.182.26] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234849; rev:1;) alert tcp $HOME_NET any -> [94.98.179.7] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nntp.aspx"; depth:10; nocase; http.host; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234845; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wais.html"; depth:10; nocase; http.host; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234844; rev:1;) alert tcp $HOME_NET any -> [75.119.138.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234843; rev:1;) alert tcp $HOME_NET any -> [179.13.3.199] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234842; rev:1;) alert tcp $HOME_NET any -> [187.213.193.180] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234841; rev:1;) alert tcp $HOME_NET any -> [41.99.122.66] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234840; rev:1;) alert tcp $HOME_NET any -> [141.164.209.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234839; rev:1;) alert tcp $HOME_NET any -> [72.27.73.7] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234838; rev:1;) alert tcp $HOME_NET any -> [77.73.39.175] 1194 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234837; rev:1;) alert tcp $HOME_NET any -> [74.12.146.125] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234836; rev:1;) alert tcp $HOME_NET any -> [41.96.195.143] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; 
sid:91234835; rev:1;) alert tcp $HOME_NET any -> [38.242.21.30] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234834; rev:1;) alert tcp $HOME_NET any -> [137.117.205.207] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234832; rev:1;) alert tcp $HOME_NET any -> [4.205.75.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234833; rev:1;) alert tcp $HOME_NET any -> [137.117.205.207] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234831; rev:1;) alert tcp $HOME_NET any -> [89.245.139.188] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234830; rev:1;) alert tcp $HOME_NET any -> [89.245.139.188] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234829/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234829; rev:1;) alert tcp $HOME_NET any -> [52.136.223.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234828; rev:1;) alert tcp $HOME_NET any -> [52.136.223.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234827; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 7405 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234826; rev:1;) alert tcp $HOME_NET any -> [92.116.91.188] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234825/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234825; rev:1;) alert tcp $HOME_NET any -> [165.227.106.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234824; rev:1;) alert tcp $HOME_NET any -> [172.104.237.247] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234823; rev:1;) alert tcp $HOME_NET any -> [37.27.17.204] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234822; rev:1;) alert tcp $HOME_NET any -> [5.189.253.164] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234802; rev:1;) alert tcp $HOME_NET any -> [185.123.53.231] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234803; rev:1;) alert tcp $HOME_NET any -> [5.230.44.226] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234801; rev:1;) alert tcp $HOME_NET any -> [109.107.182.26] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234798; rev:1;) alert tcp 
$HOME_NET any -> [116.203.143.98] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234799; rev:1;) alert tcp $HOME_NET any -> [5.231.0.34] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234800; rev:1;) alert tcp $HOME_NET any -> [172.232.172.123] 80 (msg:"ThreatFox DBatLoader payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/400/isicentos.vbs"; depth:18; nocase; http.host; content:"172.232.172.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234778; rev:1;) alert tcp $HOME_NET any -> [128.254.207.87] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234804; rev:1;) alert tcp $HOME_NET any -> [178.236.247.167] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234805; rev:1;) alert tcp $HOME_NET any -> [23.146.184.71] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234806; rev:1;) alert tcp $HOME_NET any -> [66.135.17.87] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"places.creeksidehuntingpreserve.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colors.usajicgu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234809; rev:1;) alert tcp $HOME_NET any -> [178.20.43.58] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234811/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91234811; rev:1;) alert tcp $HOME_NET any -> [5.252.177.220] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234812; rev:1;) alert tcp $HOME_NET any -> [104.194.157.23] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234813; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptlowcpugameserverdb.php"; depth:39; nocase; http.host; content:"yedar2on.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234820; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234819; rev:1;) alert tcp $HOME_NET any -> 
[77.246.110.208] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234818; rev:1;) alert tcp $HOME_NET any -> [45.79.207.53] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234817; rev:1;) alert tcp $HOME_NET any -> [20.125.88.113] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234816; rev:1;) alert tcp $HOME_NET any -> [46.17.46.226] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/nk6fekkvnwln1wrklks6hrb9moms13q4vdupalwm"; depth:45; nocase; http.host; content:"mirrors.office356.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234814; rev:1;) alert tcp $HOME_NET any -> [45.120.177.147] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234810; rev:1;) alert tcp $HOME_NET any -> [46.17.46.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirrors.office356.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/wshw-clk-lkpu0xzbc81nv0idqfwhff"; depth:36; nocase; http.host; content:"mirrors.office356.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234795; rev:1;) alert tcp $HOME_NET any -> [103.49.68.42] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cn/nem/index.php"; depth:17; nocase; http.host; content:"5desconcertais.sa.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck52959.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234792; rev:1;) alert tcp $HOME_NET any -> [134.209.92.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234791/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234791; rev:1;) alert tcp $HOME_NET any -> [92.97.227.10] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234790; rev:1;) alert tcp $HOME_NET any -> [52.136.223.233] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234789; rev:1;) alert tcp $HOME_NET any -> [116.203.129.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1234788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234788; rev:1;) alert tcp $HOME_NET any -> [188.166.153.84] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234787; rev:1;) alert tcp $HOME_NET any -> [164.90.210.111] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234786; rev:1;) alert tcp $HOME_NET any -> [165.22.6.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234785; rev:1;) alert tcp $HOME_NET any -> [165.22.6.34] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234784; rev:1;) alert tcp $HOME_NET any -> [5.75.172.21] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
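(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"roof.spencerstuartllc.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234782; rev:1;)
alert tcp $HOME_NET any -> [140.143.167.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234781; rev:1;)
alert tcp $HOME_NET any -> [45.142.215.92] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234780; rev:1;)
alert tcp $HOME_NET any -> [129.146.237.85] 4876 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234771; rev:1;)
# sid:91234774 (rev:2) - the feed-generated rule matched the IOC hostname in the http.uri buffer
# anchored at offset 0 (depth equal to the pattern length). An origin-form request URI starts with
# "/", so that rule could only fire on absolute-form (proxy-style) request lines and would miss the
# normal case. The IOC appears to be a bare hostname (no path was emitted), so it is matched here in
# the http.host buffer as an exact value (depth == pattern length, isdataat:!1,relative), the same
# form the other url-type rules in this feed use for their host clause. Companion DNS rule for the
# same name is sid:91234775. The original rule (rev:1) is kept below, commented out, for reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"lili19mainmasters.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234774; rev:2;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lili19mainmasters.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1234774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234774; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lili19mainmasters.com"; depth:21; fast_pattern; 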
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234775; rev:1;) alert tcp $HOME_NET any -> [5.75.172.21] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cw42035.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234776; rev:1;) alert tcp $HOME_NET any -> [124.71.184.96] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234773; rev:1;) alert tcp $HOME_NET any -> [64.23.149.255] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0909123.xsph.ru"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4provider/serveruploadswpdatalife/6request5windows/5protectwordpress/python3db/processormultibetterjs/_httplongpoll6/7requestdatalifepublic/windowsprivatesqlcentral/windowsmariadbuniversal/eternallinepipephprequestlongpollsqltestcentral.php"; depth:241; nocase; http.host; content:"176.97.68.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234767; rev:1;) alert tcp $HOME_NET any -> [176.97.68.115] 80 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234768; rev:1;) alert tcp $HOME_NET any -> [185.51.173.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234769; rev:1;) alert tcp $HOME_NET any -> [34.88.68.0] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234766; rev:1;) alert tcp $HOME_NET any -> [146.70.161.85] 4217 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234765; rev:1;) alert tcp $HOME_NET any -> [107.173.4.16] 8787 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234764; rev:1;) alert tcp $HOME_NET any -> [81.213.221.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234763; rev:1;) alert tcp $HOME_NET any -> [34.118.150.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234762; rev:1;) alert tcp $HOME_NET any -> [54.159.80.53] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234761; rev:1;) alert tcp $HOME_NET any -> [46.101.187.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234760/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_26; classtype:trojan-activity; sid:91234760; rev:1;) alert tcp $HOME_NET any -> [88.92.231.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234759; rev:1;) alert tcp $HOME_NET any -> [4.184.116.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234758; rev:1;) alert tcp $HOME_NET any -> [89.223.122.247] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234757; rev:1;) alert tcp $HOME_NET any -> [52.59.95.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234756; rev:1;) alert tcp $HOME_NET any -> [82.165.166.111] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234755; rev:1;) alert tcp $HOME_NET any -> [163.172.150.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234754; rev:1;) alert tcp $HOME_NET any -> [16.171.224.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234752; rev:1;) alert tcp $HOME_NET any -> [16.170.251.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234753; rev:1;) alert tcp $HOME_NET any -> [154.41.253.67] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234751; rev:1;) alert tcp $HOME_NET any -> [206.119.168.185] 50026 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234750; rev:1;) alert tcp $HOME_NET any -> [3.23.91.240] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234748; rev:1;) alert tcp $HOME_NET any -> [103.86.130.74] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234749; rev:1;) alert tcp $HOME_NET any -> [34.226.155.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234747; rev:1;) alert tcp $HOME_NET any -> [68.183.36.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234746; rev:1;) alert tcp $HOME_NET any -> [34.116.168.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234745; rev:1;) alert tcp $HOME_NET any -> [101.43.31.90] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logon.100pingissues.com"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234743; rev:1;) alert tcp $HOME_NET any -> [143.244.170.153] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"37-72-168-178.static.hvvc.us"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234742; rev:1;) alert tcp $HOME_NET any -> [106.54.45.136] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234740; rev:1;) alert tcp $HOME_NET any -> [65.21.235.156] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234739/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234739; rev:1;) alert tcp $HOME_NET any -> [65.21.235.156] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234738/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234738; rev:1;) alert tcp $HOME_NET any -> [190.123.44.240] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beylikotomasyon.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycontrolpanel29.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234735; rev:1;) alert tcp $HOME_NET any -> [45.128.232.4] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234734; rev:1;) alert tcp $HOME_NET any -> [147.78.103.103] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234733; rev:1;) alert tcp $HOME_NET any -> [93.123.85.90] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234732; rev:1;) alert tcp $HOME_NET any -> [52.3.173.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234731; rev:1;) alert tcp $HOME_NET any -> [44.196.101.127] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.infallible-lichterman.45-141-215-173.plesk.page"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234729; rev:1;) alert tcp $HOME_NET any -> [89.208.103.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234728; rev:1;) alert tcp $HOME_NET any -> [193.233.254.138] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234727; rev:1;) alert tcp $HOME_NET any -> [38.180.94.161] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234725; rev:1;) alert tcp $HOME_NET any -> [193.149.187.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234726; rev:1;) alert tcp $HOME_NET any -> [185.167.63.27] 4443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234724; rev:1;) alert tcp $HOME_NET any -> [197.119.141.49] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234723; rev:1;) alert tcp $HOME_NET any -> [156.254.126.133] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.139-84-137-249.cprapid.com"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234721; rev:1;) alert tcp $HOME_NET any -> [223.155.16.23] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234719; rev:1;) alert tcp $HOME_NET any -> [223.155.16.37] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234720; rev:1;) alert tcp $HOME_NET any -> [181.161.3.56] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234718; rev:1;) alert tcp $HOME_NET any -> [94.156.67.156] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234717; rev:1;) alert tcp $HOME_NET any -> [193.106.175.43] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234715; rev:1;) alert tcp $HOME_NET any -> 
[86.38.204.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234716; rev:1;) alert tcp $HOME_NET any -> [3.72.85.14] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234714; rev:1;) alert tcp $HOME_NET any -> [52.222.96.153] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234713; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234712; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234711; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234709/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234709; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234710; rev:1;) alert tcp $HOME_NET any -> [185.81.157.1] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234708; rev:1;) alert tcp $HOME_NET any -> [185.81.157.1] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234707; rev:1;) alert tcp $HOME_NET any -> [193.26.115.142] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234706; rev:1;) alert tcp $HOME_NET any -> [136.243.151.123] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234705; rev:1;) alert tcp $HOME_NET any -> [37.27.17.204] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234704/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234704; rev:1;) alert tcp $HOME_NET any -> [85.235.146.120] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234703/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234703; rev:1;) alert tcp $HOME_NET any -> [35.180.99.59] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234702/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234702; rev:1;) alert tcp $HOME_NET any -> [94.156.67.60] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234701/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234701; rev:1;) alert tcp $HOME_NET any -> [138.197.143.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234700/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234700; rev:1;) alert tcp $HOME_NET any -> [79.36.28.36] 9999 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234699; rev:1;) alert tcp $HOME_NET any -> [114.55.133.151] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234698; rev:1;) alert tcp $HOME_NET any -> [8.146.201.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234697; rev:1;) alert tcp $HOME_NET any -> [123.60.10.196] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234696; rev:1;) alert tcp $HOME_NET any -> [43.139.225.179] 3001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234695; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234694; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234692/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234692; rev:1;) alert tcp $HOME_NET any -> [120.24.70.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234693; rev:1;) alert tcp $HOME_NET any -> [204.44.94.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234691; rev:1;) alert tcp $HOME_NET any -> [116.62.130.96] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234690; rev:1;) alert tcp $HOME_NET any -> [43.143.209.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234689; rev:1;) alert tcp $HOME_NET any -> [107.174.228.79] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234688; rev:1;) alert tcp $HOME_NET any -> [172.233.147.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234687; rev:1;) alert tcp $HOME_NET any -> [43.136.122.227] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234686; rev:1;) alert tcp $HOME_NET any -> [116.202.110.87] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234684; rev:1;) alert tcp $HOME_NET any -> [77.73.39.175] 32103 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"andaluciabeach.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234679; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15634 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234683; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15634 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234682; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15634 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"roof.spencerstuartllc.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234678; rev:1;) alert tcp $HOME_NET any -> [176.40.9.170] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234677; rev:1;) alert tcp $HOME_NET any -> [5.255.113.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234676; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234674; rev:1;) alert tcp $HOME_NET any -> [91.149.237.145] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.chrome-crash.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"ns.chrome-crash.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234671; rev:1;) alert tcp $HOME_NET any -> [103.86.131.55] 443 
(msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234670; rev:1;) alert tcp $HOME_NET any -> [34.88.42.175] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234669; rev:1;) alert tcp $HOME_NET any -> [103.167.90.225] 4251 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"fwjfiwmail.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234667; rev:1;) alert tcp $HOME_NET any -> [103.67.162.240] 2256 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"server1.updateservice.store"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234664; rev:1;) alert tcp $HOME_NET any -> [154.82.81.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/jp.css"; depth:11; nocase; http.host; content:"server1.updateservice.store"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.61.25.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.146.201.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234661; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.142.115.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"5.101.0.241"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1234652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234652; rev:1;) alert tcp $HOME_NET any -> [41.216.183.116] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"braidfadefriendklypk.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"conferenctdressingshrw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234650; rev:1;) alert tcp $HOME_NET any -> [212.224.93.193] 8080 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234620; rev:1;) alert tcp $HOME_NET any -> [46.196.24.72] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234639; rev:1;) alert tcp $HOME_NET any -> [192.3.98.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234648; rev:1;) alert tcp $HOME_NET any -> [41.97.221.16] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234647; rev:1;) alert tcp $HOME_NET any -> [24.181.50.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234646; rev:1;) alert tcp $HOME_NET any -> [151.64.205.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234645; rev:1;) alert tcp $HOME_NET any -> [206.189.139.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234644; rev:1;) alert tcp $HOME_NET any -> [146.70.155.203] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234643; rev:1;) alert tcp $HOME_NET any -> [188.166.9.214] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234642; rev:1;) alert tcp $HOME_NET any -> [142.171.2.161] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234641; rev:1;) alert tcp $HOME_NET any -> [163.5.169.2] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234640; rev:1;) alert tcp $HOME_NET any -> [37.38.159.127] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234638; rev:1;) alert tcp $HOME_NET any -> [45.154.98.217] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234637/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234637; rev:1;) alert tcp $HOME_NET any -> [175.142.28.27] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234636; rev:1;) alert tcp $HOME_NET any -> [110.43.39.40] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestsecurepacketservermultidefaulttrackpublicuploads.php"; depth:60; nocase; http.host; content:"852377cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234634; rev:1;) alert tcp $HOME_NET any -> [178.33.57.153] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234632/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"3.75.178.44"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234630; rev:1;) alert tcp $HOME_NET any -> [5.75.211.197] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234629; rev:1;) alert tcp $HOME_NET any -> [38.255.40.137] 3451 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1234627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234627; rev:1;) alert tcp $HOME_NET any -> [107.173.118.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"107.173.118.95"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234625; rev:1;) alert tcp $HOME_NET any -> [146.70.158.28] 6882 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234623; rev:1;) alert tcp $HOME_NET any -> [185.117.90.142] 6882 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234624; rev:1;) alert tcp $HOME_NET any -> [94.156.67.158] 3392 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; 
sid:91234622; rev:1;) alert tcp $HOME_NET any -> [43.136.71.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234621/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234621; rev:1;) alert tcp $HOME_NET any -> [94.156.67.230] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234619; rev:1;) alert tcp $HOME_NET any -> [173.211.106.128] 7785 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234618; rev:1;) alert tcp $HOME_NET any -> [198.46.203.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234617; rev:1;) alert tcp $HOME_NET any -> [41.99.250.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234616; rev:1;) alert tcp $HOME_NET any -> [154.246.208.179] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234615; rev:1;) alert tcp $HOME_NET any -> [5.163.116.174] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234614; rev:1;) alert tcp $HOME_NET any -> [38.147.189.149] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234613; rev:1;) alert tcp $HOME_NET any -> [193.42.25.233] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234612; rev:1;) alert tcp $HOME_NET any -> [79.132.128.47] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234611; rev:1;) alert tcp $HOME_NET any -> [18.201.215.198] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234610; rev:1;) alert tcp $HOME_NET any -> [158.160.124.3] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234609; rev:1;) alert tcp $HOME_NET any -> [89.245.139.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234608; rev:1;) alert tcp $HOME_NET any -> [137.117.205.207] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234607; rev:1;) alert tcp $HOME_NET any -> [154.118.230.140] 30098 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234606; rev:1;) alert tcp $HOME_NET any -> [52.222.96.153] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234605; rev:1;) alert tcp $HOME_NET any -> [156.245.11.46] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234604; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.221.184.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234603; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234602; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234600; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234601; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234599; rev:1;) alert tcp $HOME_NET any -> [34.140.232.110] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234598/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234598; rev:1;) alert tcp $HOME_NET any -> [213.226.112.58] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"strongdomainsercgerhhost.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1234595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strongdomainsercgerhhost.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234594; rev:1;) alert tcp $HOME_NET any -> [89.116.100.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234596/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234596; rev:1;) alert tcp $HOME_NET any -> [203.20.113.158] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234593/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234593; rev:1;) alert tcp $HOME_NET any -> [203.20.113.158] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234592; rev:1;) alert tcp $HOME_NET any -> [203.20.113.158] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f50a15cc.php"; depth:13; nocase; http.host; content:"a0910594.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmytfvga.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"civilarys.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234523; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corenavered.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cafung.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cedoras.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"btcstack.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binavers.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"bnlopdlc.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolun.site"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bindeo.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baconer.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"berysu.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aluces.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234512/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api-talks.cedoras.store"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiaitu.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akites.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aderto.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afixer.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234508; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahesus.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutagor.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dacrorns.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decasy.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docloakc.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docpoc.online"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.akites.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fomhl.fun"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kololphcnv.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lcscorn.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfpa.website"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234535/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"locslf.website"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lopaswec.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lopdgv.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.naverservice.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailcorn.cedoras.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234540; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailcorp.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malilsopx.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mclvhoc.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlodkf.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moldoep.website"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"molgono.tech"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mollcocmd.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mollsovop.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"molsycl.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"motivenaver.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navecorps.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234551/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navei.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naver-config.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naver-delivers.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naveralert.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naveralarm.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navercafe.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naverpro.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naverservice.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"necxo.tech"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhopess.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nicorps.website"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nid.cafung.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nid.civilarys.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidcorp.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidcorn.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidcorp.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234567/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidnaver.help"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidnaver.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidnavercorp.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidpilk.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidpon.cedoras.store"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obmonspc.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octos.store"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olcocmsl.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poskoca.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ploslacv.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proteco.fun"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riavercorped.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sedlco.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"socrpa.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soduci.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staticnidcorn.cedoras.store"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234585/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solep.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sslcorn.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supwlmall.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wedwec.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wobsodm.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xclosldp.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acopfvy.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acrob.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234506; rev:1;) alert tcp $HOME_NET any -> [193.26.115.228] 19267 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234393; rev:1;) alert tcp $HOME_NET any -> [94.156.65.84] 55123 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234504; rev:1;) alert tcp $HOME_NET any -> [41.227.246.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duckfoundation.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234502; rev:1;) alert tcp $HOME_NET any -> [13.49.65.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234501; rev:1;) alert tcp $HOME_NET any -> [3.92.62.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234500; rev:1;) alert tcp $HOME_NET any -> [18.194.27.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234499; rev:1;) alert tcp $HOME_NET any -> [47.128.181.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234498; rev:1;) alert tcp $HOME_NET any -> 
[31.210.51.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234497; rev:1;) alert tcp $HOME_NET any -> [34.128.84.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234496; rev:1;) alert tcp $HOME_NET any -> [15.161.144.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234495; rev:1;) alert tcp $HOME_NET any -> [37.32.21.150] 8085 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234494; rev:1;) alert tcp $HOME_NET any -> [16.170.251.233] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234493; rev:1;) alert tcp $HOME_NET any -> [20.193.44.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234492; rev:1;) alert tcp $HOME_NET any -> [20.240.184.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234491; rev:1;) alert tcp $HOME_NET any -> [43.139.38.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234490; rev:1;) alert tcp $HOME_NET any -> [124.71.184.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234489; rev:1;) alert tcp $HOME_NET any -> [38.46.30.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234488; rev:1;) alert tcp $HOME_NET any -> [49.235.182.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234487; rev:1;) alert tcp $HOME_NET any -> [119.3.231.104] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pay-3ds.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234485; rev:1;) alert tcp $HOME_NET any -> [217.196.107.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r4dc3btbyzip0edkbykb1qteulwb.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234483; rev:1;) alert tcp $HOME_NET any -> [103.77.240.62] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234482; rev:1;) alert tcp $HOME_NET any -> [3.208.95.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carte-vitale-assurance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234480; rev:1;) alert tcp $HOME_NET any -> [194.163.178.229] 56325 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234479/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234479; rev:1;) alert tcp $HOME_NET any -> [94.156.65.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234478; rev:1;) alert tcp $HOME_NET any -> [195.85.114.206] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234476; rev:1;) alert tcp $HOME_NET any -> [45.128.96.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234477; rev:1;) alert tcp $HOME_NET any -> [45.128.96.170] 80 
(msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234475; rev:1;) alert tcp $HOME_NET any -> [94.156.67.102] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234474; rev:1;) alert tcp $HOME_NET any -> [163.5.64.8] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234472; rev:1;) alert tcp $HOME_NET any -> [89.23.102.60] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234473; rev:1;) alert tcp $HOME_NET any -> [91.92.244.23] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234471; rev:1;) alert tcp $HOME_NET any -> [18.159.210.80] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234469; rev:1;) alert tcp $HOME_NET any -> [154.53.166.167] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234470; rev:1;) alert tcp $HOME_NET any -> [45.128.96.121] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234468; rev:1;) alert tcp $HOME_NET any -> [185.78.76.159] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234467; rev:1;) alert tcp $HOME_NET any -> [163.5.169.4] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234465; rev:1;) alert tcp $HOME_NET any -> [164.68.119.38] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234466; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234464; rev:1;) alert tcp $HOME_NET any -> [163.5.210.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234463; rev:1;) alert tcp $HOME_NET any -> [165.227.246.129] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234462; rev:1;) alert tcp $HOME_NET any -> [34.154.103.104] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.161-35-239-147.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234460; rev:1;) alert tcp $HOME_NET any -> [188.153.77.109] 4781 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234459; rev:1;) alert tcp $HOME_NET any -> [185.81.157.129] 8808 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234458; rev:1;) alert tcp $HOME_NET any -> [175.16.184.111] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234457; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sleepyawn2.fvds.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234454; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234455; rev:1;) alert tcp $HOME_NET any -> [37.46.130.210] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234453/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"227.lan-vg1-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234452; rev:1;) alert tcp $HOME_NET any -> [149.154.65.14] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev3.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234451; rev:1;) alert tcp $HOME_NET any -> [185.172.128.91] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234449; rev:1;) alert tcp $HOME_NET any -> [54.255.57.58] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234447; rev:1;) alert tcp $HOME_NET any -> [172.205.202.156] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234448; rev:1;) alert tcp $HOME_NET any -> [20.0.100.134] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servertgbotvds.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234445; rev:1;) alert tcp $HOME_NET any -> [185.209.29.72] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234444; rev:1;) alert tcp $HOME_NET any -> [94.156.66.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234443; rev:1;) alert tcp $HOME_NET any -> [185.187.169.34] 17443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234442; rev:1;) alert tcp $HOME_NET any -> [3.31.40.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234441; rev:1;) alert tcp $HOME_NET any -> [186.112.205.208] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234440; rev:1;) alert tcp $HOME_NET any -> [104.243.37.176] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234439; rev:1;) alert tcp $HOME_NET any -> [193.26.115.142] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234438; rev:1;) alert tcp $HOME_NET any -> [163.5.64.75] 7391 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234437; rev:1;) alert tcp $HOME_NET any -> [185.81.157.1] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1234435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"competent-elion.193-142-59-177.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234436; rev:1;) alert tcp $HOME_NET any -> [185.81.157.129] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234434; rev:1;) alert tcp $HOME_NET any -> [91.109.178.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234433; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234432; rev:1;) alert tcp $HOME_NET any -> [46.4.37.212] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234431; rev:1;) alert tcp 
$HOME_NET any -> [178.17.170.180] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234430/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234430; rev:1;) alert tcp $HOME_NET any -> [35.93.24.71] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234429/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234429; rev:1;) alert tcp $HOME_NET any -> [156.245.11.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234428/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234428; rev:1;) alert tcp $HOME_NET any -> [8.138.96.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234427/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234427; rev:1;) alert tcp $HOME_NET any -> [178.17.170.194] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234426/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234426; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234425/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234425; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234424; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234422; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234423; rev:1;) alert tcp $HOME_NET any -> [160.177.155.67] 6699 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234421; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234420; rev:1;) alert tcp $HOME_NET any -> [108.165.113.54] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234419; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234418; rev:1;) alert tcp $HOME_NET any -> [20.196.198.116] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234417; rev:1;) alert tcp $HOME_NET any -> [122.9.49.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234415; rev:1;) alert tcp $HOME_NET any -> [8.130.18.124] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234416; rev:1;) alert tcp $HOME_NET any -> [43.143.130.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; 
sid:91234414; rev:1;) alert tcp $HOME_NET any -> [43.143.95.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234413; rev:1;) alert tcp $HOME_NET any -> [1.94.17.115] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234411; rev:1;) alert tcp $HOME_NET any -> [149.104.26.126] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234412; rev:1;) alert tcp $HOME_NET any -> [117.72.13.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234410; rev:1;) alert tcp $HOME_NET any -> [107.173.118.95] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234409; rev:1;) alert tcp $HOME_NET any -> [39.106.26.184] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234407; rev:1;) alert tcp $HOME_NET any -> [47.243.180.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234408; rev:1;) alert tcp $HOME_NET any -> [47.106.138.25] 30001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234406; rev:1;) alert tcp $HOME_NET any -> [154.82.81.114] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234405; rev:1;) alert tcp $HOME_NET any -> [120.79.88.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234404; rev:1;) alert tcp $HOME_NET any -> [84.45.122.150] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234403; rev:1;) alert tcp $HOME_NET any -> [123.60.60.29] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234402; rev:1;) alert tcp $HOME_NET any -> [158.247.233.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234401; rev:1;) alert tcp $HOME_NET any -> [47.116.115.242] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1ea3a79a94605ef.php"; depth:21; nocase; http.host; content:"91.206.178.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdf8jejdkd/index.php"; depth:21; nocase; http.host; content:"91.92.250.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234398; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.191.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234396; rev:1;) alert tcp $HOME_NET any -> [65.109.243.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234394; rev:1;) alert tcp $HOME_NET any -> [88.198.191.199] 2920 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; 
sid:91234382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.130.79.120"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.93.254.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234391; rev:1;) alert tcp $HOME_NET any -> [162.221.204.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"mcfupdservice.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.138.182.25"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"check.cloudupdateserver.cloudns.org"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.104.52.1"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.223.64.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.136.58.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234384/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_25; classtype:trojan-activity; sid:91234384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"3.75.178.44"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234383; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 25505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234381; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 25505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234380; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 25505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orjin.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234374; rev:1;) alert tcp $HOME_NET any -> [91.92.242.242] 6051 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234376; rev:1;) alert tcp $HOME_NET any -> [46.246.80.19] 8889 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234375; rev:1;) alert tcp $HOME_NET any -> [101.36.111.47] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234373; rev:1;) alert tcp $HOME_NET any -> [176.96.138.158] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.index-gpt.pro"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234371; rev:1;) alert tcp $HOME_NET any -> [13.211.149.176] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234370/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.inpex589.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234369; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234368; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234367; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234366; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234365; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"167.99.75.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.130.133.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234360/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/1.2/e4c954ae"; depth:17; nocase; http.host; content:"cs1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234358; rev:1;) alert tcp $HOME_NET any -> [172.94.12.73] 1979 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ak"; depth:3; nocase; http.host; content:"52.70.254.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234356; rev:1;) alert tcp $HOME_NET any -> [91.109.180.10] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234355/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"newdomainfortesteenestle.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1234352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newdomainfortesteenestle.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ekurorem.duckdns.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234354; rev:1;) alert tcp $HOME_NET any -> [122.117.11.1] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234353/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234353; rev:1;) alert tcp $HOME_NET any -> [64.188.20.186] 5050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234350/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234350; rev:1;) alert tcp $HOME_NET any -> [62.102.148.185] 9771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234349; rev:1;) alert tcp $HOME_NET any -> [112.126.81.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234348; rev:1;) alert tcp $HOME_NET any -> [66.42.57.158] 18808 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234347; rev:1;) alert tcp $HOME_NET any -> [172.111.136.105] 2016 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234346; rev:1;) alert tcp $HOME_NET any -> [201.137.206.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234345; rev:1;) alert tcp $HOME_NET any -> [136.243.185.106] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234344; rev:1;) alert tcp $HOME_NET any -> [31.192.235.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234343; rev:1;) alert tcp $HOME_NET any -> [3.21.227.143] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234342; rev:1;) alert tcp $HOME_NET any -> [15.235.130.29] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234341; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234340; rev:1;) alert tcp $HOME_NET any -> [85.13.119.42] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234339; rev:1;) alert tcp $HOME_NET 
any -> [154.118.230.141] 30098 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234338; rev:1;) alert tcp $HOME_NET any -> [13.251.49.40] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234337; rev:1;) alert tcp $HOME_NET any -> [156.245.11.62] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234336; rev:1;) alert tcp $HOME_NET any -> [156.245.11.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234335; rev:1;) alert tcp $HOME_NET any -> [156.245.11.10] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234334; rev:1;) alert tcp $HOME_NET any -> [156.245.11.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234333/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234333; rev:1;) alert tcp $HOME_NET any -> [93.123.39.164] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"visitclouds.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ac-analytics.js"; depth:16; nocase; http.host; content:"visitclouds.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"217.29.53.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234329; rev:1;) alert tcp $HOME_NET any -> [185.172.128.33] 8924 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"novlkyy.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234332; rev:1;) alert tcp $HOME_NET any -> [39.100.66.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234330/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234330; rev:1;) alert tcp $HOME_NET any -> [45.140.146.239] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234326; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234325; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14937 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234324; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14937 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234323; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14937 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234322; rev:1;) alert tcp $HOME_NET any -> [109.116.169.17] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234321; rev:1;) alert tcp $HOME_NET any -> [157.230.233.178] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.137.5.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234319; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1234318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/php_multidblocal.php"; depth:21; nocase; http.host; content:"172969cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234317; rev:1;) alert tcp $HOME_NET any -> [20.2.219.165] 3389 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234315; rev:1;) alert tcp $HOME_NET any -> [8.130.79.120] 8002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/trefald.zip"; depth:22; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/downloads/callerboost.zip"; depth:26; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/prtyhguafelif.zip"; depth:28; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234294; rev:1;) alert tcp $HOME_NET any -> [181.131.217.74] 1998 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234298; rev:1;) alert tcp $HOME_NET any -> [78.47.233.121] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234313; rev:1;) alert tcp $HOME_NET any -> [101.133.226.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234312; rev:1;) alert tcp $HOME_NET any -> [2.88.192.215] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1234311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234311; rev:1;) alert tcp $HOME_NET any -> [108.173.85.144] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234310; rev:1;) alert tcp $HOME_NET any -> [2.50.44.179] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234309; rev:1;) alert tcp $HOME_NET any -> [31.117.179.232] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234308; rev:1;) alert tcp $HOME_NET any -> [74.12.146.31] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234307; rev:1;) alert tcp $HOME_NET any -> [70.27.15.149] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234306; rev:1;) alert tcp $HOME_NET any -> [5.188.228.224] 443 (msg:"ThreatFox pupy botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234305; rev:1;) alert tcp $HOME_NET any -> [38.147.189.199] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234304; rev:1;) alert tcp $HOME_NET any -> [38.147.189.173] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234303; rev:1;) alert tcp $HOME_NET any -> [15.206.164.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234302; rev:1;) alert tcp $HOME_NET any -> [34.123.166.220] 6667 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234301; rev:1;) alert tcp $HOME_NET any -> [40.113.134.142] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234300; rev:1;) 
alert tcp $HOME_NET any -> [35.72.81.251] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234299; rev:1;) alert tcp $HOME_NET any -> [147.50.253.9] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234297; rev:1;) alert tcp $HOME_NET any -> [124.221.17.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234296; rev:1;) alert tcp $HOME_NET any -> [34.88.16.45] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/8gmgv5a1fslkxv.zip/"; depth:30; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234290; rev:1;) alert tcp $HOME_NET any -> [5.181.159.64] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"groannysoapblockedstiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"copyrightspareddcitwew.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paperambiguonusphoterew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"expenditureddisumilarwo.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234277/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"weedpairfolkloredheryw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinethemepiggerygoj.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"qualifiedbehaviorrykej.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dragonporterloudjettyw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"groannysoapblockedstiw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copyrightspareddcitwew.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paperambiguonusphoterew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expenditureddisumilarwo.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"combinethemepiggerygoj.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"weedpairfolkloredheryw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qualifiedbehaviorrykej.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragonporterloudjettyw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234289; rev:1;) alert tcp $HOME_NET any -> [212.118.52.86] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234273; rev:1;) alert tcp $HOME_NET any -> [213.196.40.4] 1792 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234272; rev:1;) alert tcp $HOME_NET any -> [38.242.151.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234271/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async4/request/flower/to/2universal_/public46async/requestgame/update4/pollflower6/secureuniversalsql/temp88/flowerpythonmulti/process0/trackexternaltrack/protectgeneratorline9/wp/4/betterbigloadflowerauth/lineupdatedefaultbasecdndownloadstemporary.php"; depth:253; nocase; http.host; content:"185.185.68.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234270; rev:1;) alert tcp $HOME_NET any -> [2.50.16.143] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234269; rev:1;) alert tcp $HOME_NET any -> [88.229.78.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234267; rev:1;) alert tcp $HOME_NET any -> [62.15.129.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234268; rev:1;) alert tcp $HOME_NET any -> [43.143.22.238] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234266; rev:1;) alert tcp $HOME_NET any -> [164.92.206.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234265; rev:1;) alert tcp $HOME_NET any -> [43.205.22.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234264; rev:1;) alert tcp $HOME_NET any -> [34.172.43.190] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234263; rev:1;) alert tcp $HOME_NET any -> [15.206.174.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234262; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; 
sid:91234260; rev:1;) alert tcp $HOME_NET any -> [86.246.194.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234261; rev:1;) alert tcp $HOME_NET any -> [110.42.249.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234259; rev:1;) alert tcp $HOME_NET any -> [103.234.72.216] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234258; rev:1;) alert tcp $HOME_NET any -> [91.194.135.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fanklubziuta.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234257; rev:1;) alert tcp $HOME_NET any -> [172.233.24.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234255; rev:1;) alert tcp $HOME_NET any -> [93.123.39.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234254; rev:1;) alert tcp $HOME_NET any -> [87.98.185.14] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234253; rev:1;) alert tcp $HOME_NET any -> [5.42.92.98] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234252; rev:1;) alert tcp $HOME_NET any -> [20.199.14.181] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234251; rev:1;) alert tcp $HOME_NET any -> [185.98.61.220] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234250; rev:1;) alert tcp $HOME_NET any -> [89.23.101.149] 80 (msg:"ThreatFox 
ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234249; rev:1;) alert tcp $HOME_NET any -> [149.100.138.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234248; rev:1;) alert tcp $HOME_NET any -> [79.143.182.133] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234247; rev:1;) alert tcp $HOME_NET any -> [185.221.198.98] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234246; rev:1;) alert tcp $HOME_NET any -> [87.229.6.192] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234245; rev:1;) alert tcp $HOME_NET any -> [93.123.39.140] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; 
classtype:trojan-activity; sid:91234244; rev:1;) alert tcp $HOME_NET any -> [93.123.39.164] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234243; rev:1;) alert tcp $HOME_NET any -> [58.187.115.100] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234242; rev:1;) alert tcp $HOME_NET any -> [188.27.189.141] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234241; rev:1;) alert tcp $HOME_NET any -> [91.222.236.50] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev2.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234239; rev:1;) alert tcp $HOME_NET any -> [104.131.162.146] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234238; rev:1;) alert tcp $HOME_NET any -> [186.112.204.173] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234237; rev:1;) alert tcp $HOME_NET any -> [45.32.106.247] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234236/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234236; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234235/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234235; rev:1;) alert tcp $HOME_NET any -> [27.44.204.233] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234234/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234234; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234233; rev:1;) alert tcp $HOME_NET any -> 
[23.224.61.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234232; rev:1;) alert tcp $HOME_NET any -> [45.32.252.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234231; rev:1;) alert tcp $HOME_NET any -> [185.196.10.62] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234230; rev:1;) alert tcp $HOME_NET any -> [47.115.212.213] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234229; rev:1;) alert tcp $HOME_NET any -> [62.234.41.101] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234228; rev:1;) alert tcp $HOME_NET any -> [5.78.40.0] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234227/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234227; rev:1;) alert tcp $HOME_NET any -> [45.62.123.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234226; rev:1;) alert tcp $HOME_NET any -> [8.137.39.212] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234225; rev:1;) alert tcp $HOME_NET any -> [39.107.79.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234223; rev:1;) alert tcp $HOME_NET any -> [8.137.39.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234224; rev:1;) alert tcp $HOME_NET any -> [45.207.49.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234222; rev:1;) alert tcp $HOME_NET any -> [206.237.23.185] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234221; rev:1;) alert tcp $HOME_NET any -> [120.26.216.200] 3541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234220; rev:1;) alert tcp $HOME_NET any -> [124.221.30.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234219; rev:1;) alert tcp $HOME_NET any -> [39.106.26.184] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234218; rev:1;) alert tcp $HOME_NET any -> [47.108.84.84] 4441 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234217; rev:1;) alert tcp $HOME_NET any -> [149.28.105.251] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234216/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_24; classtype:trojan-activity; sid:91234216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trackgroup.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.140.147.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234213; rev:1;) alert tcp $HOME_NET any -> [81.70.43.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.96.70.41"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"81.70.43.159"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1234211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.249.114.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234209; rev:1;) alert tcp $HOME_NET any -> [176.49.126.178] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234208; rev:1;) alert tcp $HOME_NET any -> [101.132.182.180] 5110 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; 
http.host; content:"novlkyy.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234206/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234206; rev:1;) alert tcp $HOME_NET any -> [101.132.182.180] 59990 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"novlkyy.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234205; rev:1;) alert tcp $HOME_NET any -> [43.134.183.43] 30001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loja5.seugrupotodimo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.dunedincasino.co.nz"; depth:23; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1234201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234201; rev:1;) alert tcp $HOME_NET any -> [159.65.13.239] 55680 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234202; rev:1;) alert tcp $HOME_NET any -> [156.253.12.10] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234199/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234199; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 14434 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234198; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 14434 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.veriernano.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234196; rev:1;) alert tcp $HOME_NET any -> 
[45.204.13.45] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234195; rev:1;) alert tcp $HOME_NET any -> [163.172.35.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dev/console/c0u481xgp"; depth:22; nocase; http.host; content:"163.172.35.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"156.253.12.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234191; rev:1;) alert tcp $HOME_NET any -> [45.204.13.45] 8234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234192; rev:1;) alert tcp $HOME_NET any -> 
[77.105.166.121] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234189; rev:1;) alert tcp $HOME_NET any -> [94.156.65.121] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234187; rev:1;) alert tcp $HOME_NET any -> [35.240.61.64] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234186; rev:1;) alert tcp 
$HOME_NET any -> [124.223.64.107] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"194.32.149.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234184; rev:1;) alert tcp $HOME_NET any -> [85.192.41.74] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234183/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234183; rev:1;) alert tcp $HOME_NET any -> [209.145.58.236] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234117; rev:1;) alert tcp $HOME_NET any -> [195.20.16.207] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234116; rev:1;) alert tcp $HOME_NET any -> [193.233.132.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234115; rev:1;) alert tcp $HOME_NET any -> [193.233.132.88] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234114; rev:1;) alert tcp $HOME_NET any -> [193.233.132.61] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234113; rev:1;) alert tcp $HOME_NET any -> [193.233.132.49] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234112; rev:1;) alert tcp $HOME_NET any -> [193.163.170.166] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234111; rev:1;) alert tcp $HOME_NET any -> [92.246.138.90] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234110; rev:1;) 
alert tcp $HOME_NET any -> [91.212.166.206] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234109; rev:1;) alert tcp $HOME_NET any -> [87.121.87.59] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234108; rev:1;) alert tcp $HOME_NET any -> [45.153.242.202] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234107; rev:1;) alert tcp $HOME_NET any -> [5.101.1.60] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234106; rev:1;) alert tcp $HOME_NET any -> [5.101.0.60] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234105; rev:1;) alert tcp $HOME_NET any -> [168.119.242.255] 7742 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234090; rev:1;) alert tcp $HOME_NET any -> [191.88.251.13] 7770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234182; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 14344 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234181; rev:1;) alert tcp $HOME_NET any -> [34.92.57.130] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234180; rev:1;) alert tcp $HOME_NET any -> [147.78.103.10] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234179; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cx"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234174; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the ThreatFox-generated rules in this block (IOC ids
# 1234048-1234174, first_seen 2024-01-23 / 2024-01-24). Every rule below is
# one of three templates; only the indicator, malware family, confidence
# value and ids vary:
#
#  ip:port  "alert tcp $HOME_NET any -> [IP] PORT" plus
#           "threshold: type limit, track by_src, seconds 60, count 1".
#           No flow: option is set, so any TCP packet from a $HOME_NET host
#           toward that IP:port should match (an unanswered SYN included);
#           the threshold caps it at one alert per source IP per 60 s.
#           The match is purely on the 5-tuple - nothing at the HTTP/TLS
#           layer is checked, even for the port-80/443 entries.
#  domain   "alert dns ... dns_query; content:NAME; depth:N; fast_pattern;
#           isdataat:!1,relative; nocase". depth equals the name length and
#           isdataat rejects trailing bytes, so the queried name must be
#           exactly NAME - subdomains and parent zones do not match.
#           Direction is $HOME_NET -> $EXTERNAL_NET: queries sent to a
#           resolver that is itself inside $HOME_NET are not inspected by
#           these rules. With an internal resolver, monitor the resolver's
#           outbound queries or adjust the direction/variables.
#  url      "alert http ... http.method GET; http.uri content + depth;
#           http.host content + depth + isdataat:!1,relative". Only GET
#           requests match; the Host value is matched exactly (http.host is
#           normalised and, per the Suricata docs, carries no port - confirm
#           for the engine version in use); the URI is matched only as a
#           case-insensitive prefix because http.uri has no isdataat. Same
#           direction caveat as above for traffic leaving via an internal
#           proxy.
#
# target:src_ip marks the $HOME_NET host as the victim side in EVE output.
# sid = "9" followed by the ThreatFox IOC id (sid 91234174 <-> ioc/1234174/),
# so the reference URL can be recovered from the sid alone.
# The "confidence level" in msg/metadata is the ThreatFox reporter
# confidence, not a measured detection quality; the 50% entries are the
# ones to re-check before promoting any of these from alert to block.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234173; rev:1;)
alert tcp $HOME_NET any -> [47.108.220.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234172; rev:1;)
alert tcp $HOME_NET any -> [94.130.49.62] 6214 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234171; rev:1;)
# QakBot at 50% confidence. 74.12.146.80 is listed twice (ports 2078 and
# 2222); each port gets its own sid, so one host can raise two alerts per
# minute. Ports 443/2222 are also used by legitimate services - keep these
# in alert-only mode until confirmed.
alert tcp $HOME_NET any -> [74.12.146.80] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234170; rev:1;)
alert tcp $HOME_NET any -> [74.12.146.80] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234169; rev:1;)
alert tcp $HOME_NET any -> [41.96.48.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234168; rev:1;)
# Havoc at 50% confidence; 34.123.166.220 is listed on both 443 and 80.
alert tcp $HOME_NET any -> [35.209.123.246] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234167; rev:1;)
alert tcp $HOME_NET any -> [34.171.56.109] 6667 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234166; rev:1;)
alert tcp $HOME_NET any -> [34.123.166.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234164; rev:1;)
alert tcp $HOME_NET any -> [34.123.166.220] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234165; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 6595 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234163; rev:1;)
alert tcp $HOME_NET any -> [89.247.50.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234162; rev:1;)
alert tcp $HOME_NET any -> [8.130.82.167] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234161; rev:1;)
alert tcp $HOME_NET any -> [45.66.248.135] 4308 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234160; rev:1;)
# Domain IOCs (exact-name match, see header). The feed gives no malware
# family for domain entries, only "botnet C2 traffic".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yop918kiss.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736632.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234159; rev:1;)
# "www." is part of the indicator here, so a query for the bare apex
# 1319556.com does not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1319556.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234157; rev:1;)
# "Unknown malware" ip:port entries at 100% confidence. Two of them share
# the unusual port 60000 (38.147.170.29, 154.12.28.198); the feed does not
# say whether they belong to the same infrastructure.
alert tcp $HOME_NET any -> [34.34.149.44] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234155; rev:1;)
alert tcp $HOME_NET any -> [89.223.124.74] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234156; rev:1;)
alert tcp $HOME_NET any -> [38.147.170.29] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234154; rev:1;)
alert tcp $HOME_NET any -> [117.85.8.12] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234153; rev:1;)
alert tcp $HOME_NET any -> [154.12.28.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234152; rev:1;)
# Hosting-provider auto-generated hostname (plesk.page) at 75% confidence;
# the name embeds 37-220-86-100, but no ip:port rule for that address is
# present in this block.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stupefied-wing.37-220-86-100.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234151; rev:1;)
alert tcp $HOME_NET any -> [195.242.218.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexs404.fvds.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234149; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.230] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234148; rev:1;)
# ERMAC (Android banker) C2 - seven ip:port entries, all but one on port 80.
# These are plain tcp rules, so a request to the same IP over any other
# port, or the same URI on another host, is not covered.
alert tcp $HOME_NET any -> [193.233.255.253] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234147; rev:1;)
alert tcp $HOME_NET any -> [185.224.81.252] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234146; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.6] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234145; rev:1;)
alert tcp $HOME_NET any -> [49.13.130.129] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234143; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.88] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234144; rev:1;)
alert tcp $HOME_NET any -> [89.23.100.205] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234142; rev:1;)
alert tcp $HOME_NET any -> [87.98.185.175] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234141; rev:1;)
alert tcp $HOME_NET any -> [197.119.135.90] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234140; rev:1;)
alert tcp $HOME_NET any -> [154.244.175.192] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234139; rev:1;)
alert tcp $HOME_NET any -> [161.97.102.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234138; rev:1;)
alert tcp $HOME_NET any -> [45.77.112.196] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev5.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234136; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.169] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234135; rev:1;)
alert tcp $HOME_NET any -> [179.13.3.199] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234134; rev:1;)
alert tcp $HOME_NET any -> [103.234.72.213] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234132; rev:1;)
alert tcp $HOME_NET any -> [47.108.228.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234133; rev:1;)
# ShadowPad at 90%: two adjacent addresses in 27.44.204.0/24 on ports
# 22000/22007. Worth escalating on hit - ShadowPad is typically associated
# with targeted intrusions rather than commodity crimeware (assessment,
# not stated by the feed).
alert tcp $HOME_NET any -> [27.44.204.219] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234131/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234131; rev:1;)
alert tcp $HOME_NET any -> [27.44.204.161] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234130/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234130; rev:1;)
alert tcp $HOME_NET any -> [20.237.111.240] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234129/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234129; rev:1;)
alert tcp $HOME_NET any -> [64.23.154.205] 30099 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234128/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234128; rev:1;)
# DarkComet on 187.135.91.206: port 1911 at 100% here, port 1926 at 80%
# further down (sid 91234119) - same host, two sids.
alert tcp $HOME_NET any -> [187.135.91.206] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234127; rev:1;)
alert tcp $HOME_NET any -> [175.178.103.238] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234126; rev:1;)
alert tcp $HOME_NET any -> [43.248.188.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234125; rev:1;)
alert tcp $HOME_NET any -> [192.227.165.82] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.w33s1.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234123; rev:1;)
alert tcp $HOME_NET any -> [52.74.58.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234122; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234121; rev:1;)
alert tcp $HOME_NET any -> [18.229.248.167] 18912 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234120; rev:1;)
alert tcp $HOME_NET any -> [187.135.91.206] 1926 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234119; rev:1;)
alert tcp $HOME_NET any -> [3.75.178.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234118; rev:1;)
# --- first_seen 2024-01-23 from here on ---
alert tcp $HOME_NET any -> [219.92.90.51] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234104; rev:1;)
alert tcp $HOME_NET any -> [5.188.86.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234103; rev:1;)
# reg32.com cluster: zx./as./qw. each have a domain rule (DNS lookup) and a
# url rule (GET /remove or /profile with that exact Host). The two rule
# types fire independently - a hit on the url rule without a matching DNS
# alert is expected when the resolver sits inside $HOME_NET.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.reg32.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remove"; depth:7; nocase; http.host; content:"zx.reg32.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profile"; depth:8; nocase; http.host; content:"as.reg32.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.reg32.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.reg32.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profile"; depth:8; nocase; http.host; content:"qw.reg32.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234096; rev:1;)
# NjRAT on port 19378 across three addresses (and on 14834 across four
# further down); the shared port suggests one operator's infrastructure,
# but that is an inference - the feed only lists the ip:port pairs.
alert tcp $HOME_NET any -> [52.28.112.211] 19378 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234095; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 19378 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234094; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 19378 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234093; rev:1;)
alert tcp $HOME_NET any -> [45.77.43.90] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234092; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.233] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234091; rev:1;)
alert tcp $HOME_NET any -> [176.96.138.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234089; rev:1;)
# Second QakBot batch, all at 50% confidence on 443/2222 (see note above).
alert tcp $HOME_NET any -> [47.154.165.193] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234088; rev:1;)
alert tcp $HOME_NET any -> [85.54.165.23] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234087; rev:1;)
alert tcp $HOME_NET any -> [2.6.248.148] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234086; rev:1;)
alert tcp $HOME_NET any -> [69.156.55.183] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234085; rev:1;)
alert tcp $HOME_NET any -> [201.137.233.225] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234084; rev:1;)
alert tcp $HOME_NET any -> [175.110.196.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234083; rev:1;)
alert tcp $HOME_NET any -> [90.4.191.148] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234082; rev:1;)
alert tcp $HOME_NET any -> [45.150.198.25] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234081; rev:1;)
alert tcp $HOME_NET any -> [154.118.230.142] 30098 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234080; rev:1;)
# Sliver at 50%: 64.23.170.203 on two ports (31337 and 8888).
alert tcp $HOME_NET any -> [64.23.170.203] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234079; rev:1;)
alert tcp $HOME_NET any -> [64.23.170.203] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234078; rev:1;)
# URI "/" with depth:1 is a prefix that every request path satisfies, so
# this rule is effectively "any GET whose Host is 193.233.132.152".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.152"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234077; rev:1;)
alert tcp $HOME_NET any -> [107.174.142.70] 10090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234076/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91234076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba91ff2f6a996325.php"; depth:21; nocase; http.host; content:"185.17.40.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234075; rev:1;)
# Port 50050 is the Cobalt Strike team-server (operator) port rather than a
# beacon listener; a $HOME_NET host talking to it is still worth an alert,
# but the hit means something different from the other Cobalt Strike
# entries. (Port role from general CS knowledge, not from the feed.)
alert tcp $HOME_NET any -> [43.136.58.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234074; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.0] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud-dnssync.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234072; rev:1;)
# The four URIs below (/dpixel, /__utm.gif, /en_us/all.js, /activity) are
# paths commonly seen in default Cobalt Strike malleable profiles; the feed
# itself does not name a family for url entries. Each rule is bound to one
# exact Host, so the generic paths alone will not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.xiongge.space"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234068; rev:1;)
# Eight hosts sharing the path /mtbiytaymtk0nzjj/ at 80% confidence. The
# path is the same in all of them, so the only thing distinguishing the
# eight rules is the exact Host value; a ninth host on the same path would
# need a new rule (or a single host-less rule, at the cost of precision).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"zcasscasszcasz.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"cascsasacsacascasca.pics"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"qweqweqweqweqweq.tech"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"asdasdasdasdasad.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"aysgduyasgduyas.store"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"aksjdhsakdhakjshd.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"cascacascascascascas.hk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"qweqweqweqweqwewww.hk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234067; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.176] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234059; rev:1;)
# Cobalt Strike on port 53, but the rule is "alert tcp": DNS over UDP to
# this host does not match. If the IOC is a DNS-beacon listener (the feed
# does not say), a companion "alert udp ... 53" rule, or a dns_query rule
# for the beacon's domain, is needed - check the reference before relying
# on this one.
alert tcp $HOME_NET any -> [5.101.0.245] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234058; rev:1;)
# "/check" is a prefix match (no isdataat on http.uri), so /checkout,
# /check.php etc. to this Host also fire; the exact Host keeps it precise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; nocase; http.host; content:"secure-cama.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234057; rev:1;)
# NjRAT on port 14834 across four addresses (same shared-port pattern as
# the 19378 group above).
alert tcp $HOME_NET any -> [3.125.102.39] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234056; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234055; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234054; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234053; rev:1;)
alert tcp $HOME_NET any -> [178.128.122.83] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234052; rev:1;)
alert tcp $HOME_NET any -> [88.94.183.108] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234051; rev:1;)
alert tcp $HOME_NET any -> [18.194.27.80] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234050; rev:1;)
alert tcp $HOME_NET any -> [119.91.26.109] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234049; rev:1;)
alert tcp $HOME_NET any -> [193.35.204.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234048; rev:1;)
alert tcp $HOME_NET any -> [139.60.151.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234047; rev:1;) alert tcp $HOME_NET any -> [139.60.151.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234046; rev:1;) alert tcp $HOME_NET any -> [98.66.153.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234045; rev:1;) alert tcp $HOME_NET any -> [111.229.206.244] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234044; rev:1;) alert tcp $HOME_NET any -> [79.137.36.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234043; rev:1;) alert tcp $HOME_NET any -> [121.41.118.76] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91234042; rev:1;) alert tcp $HOME_NET any -> [152.53.34.44] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234041; rev:1;) alert tcp $HOME_NET any -> [104.238.214.68] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234040; rev:1;) alert tcp $HOME_NET any -> [34.34.149.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234039; rev:1;) alert tcp $HOME_NET any -> [172.177.39.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234038; rev:1;) alert tcp $HOME_NET any -> [188.166.156.32] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234037; rev:1;) alert tcp $HOME_NET any -> [170.64.210.158] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234036; rev:1;) alert tcp $HOME_NET any -> [85.215.180.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expedia-realtime.expeida.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.dnl-l.ooguy.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234030/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onboarding.expeida.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234031; rev:1;) alert tcp $HOME_NET any -> [180.178.44.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234029; rev:1;) alert tcp $HOME_NET any -> [180.178.44.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234028; rev:1;) alert tcp $HOME_NET any -> [180.178.44.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234027; rev:1;) alert tcp $HOME_NET any -> [180.178.44.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234025; rev:1;) alert tcp $HOME_NET any -> [8.219.171.176] 60000 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234026; rev:1;) alert tcp $HOME_NET any -> [180.178.44.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234024; rev:1;) alert tcp $HOME_NET any -> [61.171.80.71] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234023; rev:1;) alert tcp $HOME_NET any -> [37.220.86.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91234022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2-58-113-172.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234021; rev:1;) alert tcp $HOME_NET any -> [102.50.247.129] 84 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234020/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0867029.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234019; rev:1;) alert tcp $HOME_NET any -> [18.206.73.190] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234018; rev:1;) alert tcp $HOME_NET any -> [91.92.255.42] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234017; rev:1;) alert tcp $HOME_NET any -> [193.233.132.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234015; rev:1;) alert tcp $HOME_NET any -> [91.212.166.206] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234016; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 56323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234014; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 51783 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234013; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 51091 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234012; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234010; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 9205 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234011; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 62491 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91234009; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 48106 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234008; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 25050 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234007; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 6362 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234005; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 18029 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234006; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 1080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234004; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 63889 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234002; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 502 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234003; rev:1;) alert tcp $HOME_NET any -> [103.97.177.62] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234001; rev:1;) alert tcp $HOME_NET any -> [103.164.62.9] 6666 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234000; rev:1;) alert tcp $HOME_NET any -> [45.88.9.100] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233999; rev:1;) alert tcp $HOME_NET any -> [98.71.223.72] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"lmanage.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233997; rev:1;) alert tcp $HOME_NET any -> [4.246.234.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233996; rev:1;) alert tcp $HOME_NET any -> [92.118.235.253] 4545 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233995; rev:1;) alert tcp $HOME_NET any -> [187.101.166.245] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233994; rev:1;) alert tcp $HOME_NET any -> [194.147.140.134] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233993; rev:1;) alert tcp $HOME_NET any -> [45.147.231.88] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233992/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_23; classtype:trojan-activity; sid:91233992; rev:1;) alert tcp $HOME_NET any -> [59.14.118.202] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233991; rev:1;) alert tcp $HOME_NET any -> [181.162.155.84] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev6.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233989; rev:1;) alert tcp $HOME_NET any -> [91.107.125.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233988; rev:1;) alert tcp $HOME_NET any -> [185.250.243.209] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233987; rev:1;) alert tcp $HOME_NET any -> [78.111.89.2] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233986; rev:1;) alert tcp $HOME_NET any -> [54.255.57.58] 82 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233985; rev:1;) alert tcp $HOME_NET any -> [94.250.253.1] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233984; rev:1;) alert tcp $HOME_NET any -> [193.201.126.69] 45632 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233983; rev:1;) alert tcp $HOME_NET any -> [4.198.112.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snf-893982.vm.okeanos.grnet.gr"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233982; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159.89.8.28.sslip.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233980; rev:1;) alert tcp $HOME_NET any -> [142.67.130.172] 31415 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233979; rev:1;) alert tcp $HOME_NET any -> [104.243.37.176] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233978; rev:1;) alert tcp $HOME_NET any -> [8.222.130.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233977; rev:1;) alert tcp $HOME_NET any -> [119.45.17.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233976; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1233975/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233975; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233974/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233974; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233973/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233973; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233972/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233972; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233970/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233970; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233971/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233971; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22005 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233969/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233969; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233967/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233967; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233968/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233968; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233966/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233966; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233965/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233965; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233964/; target:src_ip; metadata: confidence_level 90, first_seen 
2024_01_23; classtype:trojan-activity; sid:91233964; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233963/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233963; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233962/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233962; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233961/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233961; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233960/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"ip-89-38-131-70-98573.vps.hosted-by-mvps.net"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233959/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233959; rev:1;) alert tcp $HOME_NET any -> [27.44.204.229] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 
90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233958/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233958; rev:1;) alert tcp $HOME_NET any -> [46.101.202.59] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233957/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233957; rev:1;) alert tcp $HOME_NET any -> [95.164.69.179] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233956/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233956; rev:1;) alert tcp $HOME_NET any -> [185.196.9.214] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233955/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233955; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233953; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2211 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233954; rev:1;) alert tcp 
$HOME_NET any -> [187.135.91.206] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233951; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1633 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233952; rev:1;) alert tcp $HOME_NET any -> [93.67.167.104] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233950; rev:1;) alert tcp $HOME_NET any -> [105.98.159.141] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233949; rev:1;) alert tcp $HOME_NET any -> [103.165.81.82] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91233948; rev:1;) alert tcp $HOME_NET any -> [46.101.82.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233946/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233946; rev:1;) alert tcp $HOME_NET any -> [8.130.81.128] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233947; rev:1;) alert tcp $HOME_NET any -> [82.157.255.112] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233945; rev:1;) alert tcp $HOME_NET any -> [47.243.207.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233944; rev:1;) alert tcp $HOME_NET any -> [94.156.66.233] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233943; rev:1;) alert tcp $HOME_NET any -> [5.35.88.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233942; rev:1;) alert tcp $HOME_NET any -> [119.3.190.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233941; rev:1;) alert tcp $HOME_NET any -> [39.98.174.154] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233940; rev:1;) alert tcp $HOME_NET any -> [103.251.89.93] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233939; rev:1;) alert tcp $HOME_NET any -> [43.138.182.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233938; rev:1;) alert tcp $HOME_NET any -> [47.92.153.72] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233937; rev:1;) alert tcp $HOME_NET any -> [166.1.190.118] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233936; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233934; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233935; rev:1;) alert tcp $HOME_NET any -> [43.138.148.85] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233933; rev:1;) alert tcp $HOME_NET any -> [43.138.62.36] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233932; rev:1;) alert tcp $HOME_NET any -> [107.172.89.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233931; rev:1;) alert tcp $HOME_NET any -> [148.135.67.51] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233930; rev:1;) alert tcp $HOME_NET any -> [152.136.116.44] 8096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233929; rev:1;) alert tcp $HOME_NET any -> [85.195.79.163] 9854 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233927; rev:1;) alert tcp $HOME_NET any -> [103.158.36.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233928; rev:1;) alert tcp $HOME_NET any -> [47.104.232.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233926; rev:1;) alert tcp $HOME_NET any -> [148.135.99.106] 58000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233925; rev:1;) alert tcp 
$HOME_NET any -> [103.56.17.198] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233924; rev:1;) alert tcp $HOME_NET any -> [39.100.78.58] 9823 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233923; rev:1;) alert tcp $HOME_NET any -> [115.159.204.229] 10786 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233922; rev:1;) alert tcp $HOME_NET any -> [98.66.155.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"107-172-89-198.nip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.idn15r69vh3fwhzclfoeuaoy.today"; depth:34; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233919; rev:1;) alert tcp $HOME_NET any -> [139.84.229.159] 2017 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91233918; rev:1;) alert tcp $HOME_NET any -> [91.92.243.16] 6269 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"macgains.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u6vhsc3ppq/index.php"; depth:21; nocase; http.host; content:"185.172.128.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f7vkbh7x/index.php"; depth:19; nocase; http.host; 
content:"5.42.66.0"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd9dd3vw/index.php"; depth:19; nocase; http.host; content:"second.amadgood.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5dkvdsbc/index.php"; depth:20; nocase; http.host; content:"dot.tipinfolist.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.55.12.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233916/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_23; classtype:trojan-activity; sid:91233916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"dig.fuli-oa.cn"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buy-dnd.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"service-2o2bxyq2-1308102940.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-2o2bxyq2-1308102940.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233912; rev:1;) alert tcp $HOME_NET any -> [72.11.158.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233908; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233907; rev:1;) alert tcp $HOME_NET any -> [3.75.178.44] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233906; rev:1;) alert tcp $HOME_NET any -> [175.178.225.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"175.178.225.71"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1233900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233900; rev:1;) alert tcp $HOME_NET any -> [103.251.89.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftwindows.one"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"microsoftwindows.one"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233897; rev:1;) alert tcp $HOME_NET any -> [212.231.198.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.82.248"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"122.51.68.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233894; rev:1;) alert tcp $HOME_NET any -> [54.218.66.207] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jogard.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233892; rev:1;) alert tcp $HOME_NET any -> [91.92.255.54] 6513 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233891; rev:1;) alert tcp $HOME_NET any -> [139.99.153.82] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233890/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233890; rev:1;) alert tcp $HOME_NET any -> [65.109.242.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233887; rev:1;) alert tcp $HOME_NET any -> [49.12.118.185] 2920 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.118.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bogotatg"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1233885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199621829149"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233884; rev:1;) alert tcp $HOME_NET any -> [89.230.242.214] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233883; rev:1;) alert tcp $HOME_NET any -> [80.92.204.239] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pp/fre.php"; depth:11; nocase; http.host; content:"139.99.153.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; 
depth:7; nocase; http.host; content:"124.220.164.254"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233879; rev:1;) alert tcp $HOME_NET any -> [124.220.164.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.220.164.254"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233878; rev:1;) alert tcp $HOME_NET any -> [8.140.147.149] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233877; rev:1;) alert tcp $HOME_NET any -> [94.156.65.121] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233860; rev:1;) alert tcp $HOME_NET any -> [212.116.121.37] 24092 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de.zephyr.herominers.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-cs/cache.php"; depth:17; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"appboltonik.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233564; rev:1;) alert tcp $HOME_NET any -> [176.124.32.39] 51033 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233772; rev:1;) alert tcp $HOME_NET any -> [176.124.32.39] 51144 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233773; rev:1;) alert tcp $HOME_NET any -> [176.124.32.39] 52997 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233562; rev:1;) alert tcp $HOME_NET any -> [5.181.156.45] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"appboltonik.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; 
http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.85.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233557/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233557; rev:1;) alert tcp $HOME_NET any -> [20.113.35.45] 38357 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233504; rev:1;) alert tcp $HOME_NET any -> [77.91.124.92] 3989 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"duorhytm.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"epsilon-spaceworld.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233484; rev:1;) alert tcp $HOME_NET any -> [45.74.7.87] 8898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233876; rev:1;) alert tcp $HOME_NET any -> [87.223.83.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233875; rev:1;) alert tcp $HOME_NET any -> [193.92.197.7] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233874; rev:1;) alert tcp $HOME_NET any -> [2.88.137.97] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91233873; rev:1;) alert tcp $HOME_NET any -> [2.50.16.175] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233872; rev:1;) alert tcp $HOME_NET any -> [190.28.106.88] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233871; rev:1;) alert tcp $HOME_NET any -> [13.235.247.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233870; rev:1;) alert tcp $HOME_NET any -> [83.97.20.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233869; rev:1;) alert tcp $HOME_NET any -> [137.184.9.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233868; rev:1;) alert tcp $HOME_NET any -> [164.92.159.114] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233867/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233867; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233865; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233866; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233864; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233863; rev:1;) alert tcp $HOME_NET any -> [38.87.196.74] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233862; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233861; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233858; rev:1;) alert tcp $HOME_NET any -> [124.222.149.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.222.149.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233856; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1935 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233855; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2067 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233854/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233854; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2233 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233853; rev:1;) alert tcp $HOME_NET any -> [62.234.13.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233852; rev:1;) alert tcp $HOME_NET any -> [64.23.170.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233851; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233850; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233849; rev:1;) alert tcp $HOME_NET any -> [94.131.102.241] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233848; rev:1;) alert tcp $HOME_NET any -> [45.129.14.102] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233847; rev:1;) alert tcp $HOME_NET any -> [125.141.136.172] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233846; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233845; rev:1;) alert tcp $HOME_NET any -> [120.55.12.41] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233843; rev:1;) alert tcp $HOME_NET any -> [212.113.116.110] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233842; rev:1;) alert 
tcp $HOME_NET any -> [138.201.125.92] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233841; rev:1;) alert tcp $HOME_NET any -> [103.214.141.206] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"156.253.12.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233839; rev:1;) alert tcp $HOME_NET any -> [163.5.169.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"163.5.169.23"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233837; rev:1;) alert tcp $HOME_NET any -> 
[187.135.91.206] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233836; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233835; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12954 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security.jsp"; depth:13; nocase; http.host; content:"162.14.77.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"121.89.212.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.116.74.174"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"172.67.158.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.su57.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"104.21.41.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233828/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"api.su57.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"service-8cdlt0mn-1310256589.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.222.149.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233822; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233821; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2081 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233820; rev:1;) alert tcp $HOME_NET any -> [123.249.114.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2b6ff67.php"; depth:13; nocase; http.host; content:"a0907744.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233817; rev:1;) alert tcp $HOME_NET any -> [167.71.214.56] 8888 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233816; rev:1;) alert tcp $HOME_NET any -> [2.88.193.91] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233815; rev:1;) alert tcp $HOME_NET any -> [151.30.60.232] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233814; rev:1;) alert tcp $HOME_NET any -> [37.210.138.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233813; rev:1;) alert tcp $HOME_NET any -> [72.27.66.189] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233812; rev:1;) alert tcp $HOME_NET any -> [74.12.146.79] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233811; rev:1;) alert tcp $HOME_NET any -> [39.51.167.185] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233810; rev:1;) alert tcp $HOME_NET any -> [188.116.26.246] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233809; rev:1;) alert tcp $HOME_NET any -> [75.173.35.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233808; rev:1;) alert tcp $HOME_NET any -> [31.117.79.172] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233807; rev:1;) alert tcp $HOME_NET any -> [92.97.118.181] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233806; rev:1;) alert tcp $HOME_NET any -> [78.17.205.246] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233805; rev:1;) alert tcp $HOME_NET any -> [45.150.198.36] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233804; rev:1;) alert tcp $HOME_NET any -> [5.188.228.15] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233803; rev:1;) alert tcp $HOME_NET any -> [168.119.225.154] 1194 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233802; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233801; rev:1;) alert tcp $HOME_NET any -> [154.223.20.226] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233800; rev:1;) alert tcp $HOME_NET any -> [65.153.151.130] 8855 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233799; rev:1;) alert tcp $HOME_NET any -> [18.223.156.30] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"service-8rv78e5d-1319481525.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8rv78e5d-1319481525.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233797; rev:1;) alert tcp $HOME_NET any -> [62.234.13.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"dig.fuli-oa.cn"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dig.fuli-oa.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb341/index.php"; depth:16; nocase; http.host; content:"lbxl.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233792; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233770; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233769; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233768; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233767; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233765; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233766; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233764; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233763; rev:1;) alert tcp 
$HOME_NET any -> [79.107.138.125] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.imoneymy.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1319559.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.2280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shangri3.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ritestowritemyword.org"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233757; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4160 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233755; rev:1;) alert tcp $HOME_NET any -> [104.198.39.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233756; rev:1;) alert tcp $HOME_NET any -> [138.197.116.212] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233754; rev:1;) alert tcp $HOME_NET any -> [89.90.226.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233753; rev:1;) alert tcp $HOME_NET any -> [34.102.111.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; 
sid:91233751; rev:1;) alert tcp $HOME_NET any -> [96.255.55.18] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233752; rev:1;) alert tcp $HOME_NET any -> [167.0.190.97] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233750; rev:1;) alert tcp $HOME_NET any -> [3.92.62.149] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233749; rev:1;) alert tcp $HOME_NET any -> [195.35.25.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233748; rev:1;) alert tcp $HOME_NET any -> [3.20.29.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233747; rev:1;) alert tcp $HOME_NET any -> [15.237.194.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1233746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233746; rev:1;) alert tcp $HOME_NET any -> [151.106.113.5] 37889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233745; rev:1;) alert tcp $HOME_NET any -> [3.137.113.77] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233743; rev:1;) alert tcp $HOME_NET any -> [34.16.187.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233744; rev:1;) alert tcp $HOME_NET any -> [87.106.120.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233742; rev:1;) alert tcp $HOME_NET any -> [128.199.30.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233741; rev:1;) alert tcp $HOME_NET 
any -> [141.94.206.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233740; rev:1;) alert tcp $HOME_NET any -> [198.46.199.103] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233739; rev:1;) alert tcp $HOME_NET any -> [59.13.157.16] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233738; rev:1;) alert tcp $HOME_NET any -> [18.215.223.59] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233737; rev:1;) alert tcp $HOME_NET any -> [52.58.182.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233735; rev:1;) alert tcp $HOME_NET any -> [52.58.182.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233736; rev:1;) alert tcp $HOME_NET any -> [101.35.44.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233734; rev:1;) alert tcp $HOME_NET any -> [44.194.64.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233733; rev:1;) alert tcp $HOME_NET any -> [157.230.46.205] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233732; rev:1;) alert tcp $HOME_NET any -> [134.122.36.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.dnl-l.ooguy.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233730; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mediaim.expeida.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.dnl-l.ooguy.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expedia-rest.expeida.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oms.expeida.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vap.expeida.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233725; rev:1;) alert tcp $HOME_NET any -> [192.119.110.233] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnl-l.ooguy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233721; rev:1;) alert tcp $HOME_NET any -> [192.119.110.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-207-223-179.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.dnl-l.ooguy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1233718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.expeida.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dnl-l.ooguy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redirect-r1.pay.expeida.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.pay.expeida.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233715; rev:1;) alert tcp $HOME_NET any -> [143.198.64.151] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1125909.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233714; rev:1;) alert tcp $HOME_NET any -> [15.207.223.179] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233712; rev:1;) alert tcp $HOME_NET any -> [188.166.209.186] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233711; rev:1;) alert tcp $HOME_NET any -> [154.9.26.245] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233710; rev:1;) alert tcp $HOME_NET any -> [58.59.222.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233709; rev:1;) alert tcp $HOME_NET any -> [23.95.41.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downhimse.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cdnupdateservice.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intro.su"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shikkiy.fvds.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gptchatpro.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233704/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233704; rev:1;) alert tcp $HOME_NET any -> [188.120.232.53] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.r4dc3btbyzip0edkbykb1qteulwb.de"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233701; rev:1;) alert tcp $HOME_NET any -> [103.74.100.192] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233700; rev:1;) alert tcp $HOME_NET any -> [54.242.198.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233699; rev:1;) alert tcp $HOME_NET any -> [18.213.145.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kharej.goldelya.tech"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233697; rev:1;) alert tcp $HOME_NET any -> [20.25.180.188] 8889 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233696; rev:1;) alert tcp $HOME_NET any -> [193.233.254.64] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233695; rev:1;) alert tcp $HOME_NET any -> [45.131.108.123] 22 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233694; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 63523 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233693; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 44861 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233692/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233692; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 44467 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233691; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 20201 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233689; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 37262 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233690; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 7375 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233688; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 60845 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233686; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1231 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233687; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 51178 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233685; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 28389 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233683; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 44369 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233684; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 22081 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cooltk.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; 
sid:91233681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jamesdesign.blog"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"longkey.02561854.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ha.redethics.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233678; rev:1;) alert tcp $HOME_NET any -> [103.149.91.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucarne-films.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233677; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233675; rev:1;) alert tcp $HOME_NET any -> [98.71.223.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233674; rev:1;) alert tcp $HOME_NET any -> [118.195.235.103] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233672; rev:1;) alert tcp $HOME_NET any -> [139.159.221.73] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233673; rev:1;) alert tcp $HOME_NET any -> [154.12.30.94] 8880 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233671; rev:1;) alert tcp $HOME_NET any -> [191.82.193.90] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233670; 
rev:1;) alert tcp $HOME_NET any -> [181.162.142.77] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233668; rev:1;) alert tcp $HOME_NET any -> [107.172.76.140] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233669; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233667; rev:1;) alert tcp $HOME_NET any -> [73.72.200.242] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.94-156-66-187.cprapid.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov5.fvds.ru"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beta.to-kgb.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233664; rev:1;) alert tcp $HOME_NET any -> [94.250.254.234] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233662; rev:1;) alert tcp $HOME_NET any -> [46.29.239.26] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev5.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.spacestar.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matthiasellison.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov2.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kasenmeyer.autos"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jakobtaylor.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev.fvds.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.94-156-66-187.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emileewang.autos"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jakobtaylor.autos"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233652; rev:1;) alert tcp $HOME_NET any -> [159.100.22.120] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233650; rev:1;) alert tcp $HOME_NET any -> [91.92.255.52] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233649; rev:1;) alert tcp $HOME_NET any -> [93.123.39.4] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233647; rev:1;) alert tcp $HOME_NET any -> [93.123.39.77] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233648; rev:1;) alert tcp $HOME_NET any -> [143.244.191.193] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233646; rev:1;) alert tcp $HOME_NET any -> [185.172.128.82] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233645; rev:1;) alert tcp $HOME_NET any -> [45.87.80.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233644; rev:1;) alert tcp $HOME_NET any -> [93.123.39.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233643; rev:1;) alert tcp $HOME_NET any -> [86.110.194.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233642; rev:1;) alert tcp $HOME_NET any -> [5.189.132.250] 3000 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233641; rev:1;) alert tcp $HOME_NET any -> [91.92.244.124] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-hawking.159-89-8-28.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233639; rev:1;) alert tcp $HOME_NET any -> [45.74.34.32] 1994 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233638; rev:1;) alert tcp $HOME_NET any -> [45.80.158.60] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233637; rev:1;) alert tcp $HOME_NET any -> [45.80.158.60] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233636; rev:1;) alert tcp $HOME_NET any -> [1.14.206.144] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233634; rev:1;) alert tcp $HOME_NET any -> [193.142.59.177] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elofizetesitearea.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233633; rev:1;) alert tcp $HOME_NET any -> [141.255.156.121] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233632; rev:1;) alert tcp $HOME_NET any -> [91.92.240.159] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233631; rev:1;) alert tcp $HOME_NET any -> [51.195.94.209] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233630; rev:1;) alert tcp $HOME_NET any -> [51.195.94.209] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233629; rev:1;) alert tcp $HOME_NET any -> [207.32.219.78] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233628; rev:1;) alert tcp $HOME_NET any -> [193.26.115.51] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233626; rev:1;) alert tcp $HOME_NET any -> [193.26.115.51] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233627; rev:1;) alert tcp $HOME_NET any -> 
[181.235.94.107] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233625; rev:1;) alert tcp $HOME_NET any -> [91.109.186.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233623; rev:1;) alert tcp $HOME_NET any -> [181.235.94.107] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233624; rev:1;) alert tcp $HOME_NET any -> [187.24.65.44] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233622; rev:1;) alert tcp $HOME_NET any -> [91.109.182.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233620; rev:1;) alert tcp $HOME_NET any -> [141.255.156.150] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233621/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233621; rev:1;) alert tcp $HOME_NET any -> [154.91.255.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233619; rev:1;) alert tcp $HOME_NET any -> [155.138.154.203] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233618/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233618; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233617/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233617; rev:1;) alert tcp $HOME_NET any -> [27.44.204.233] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233616/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233616; rev:1;) alert tcp $HOME_NET any -> [141.98.7.18] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233615/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233615; rev:1;) alert tcp $HOME_NET any -> [143.110.252.207] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233614/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233614; rev:1;) alert tcp $HOME_NET any -> [103.45.128.143] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233613/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233613; rev:1;) alert tcp $HOME_NET any -> [43.136.78.18] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233612/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233612; rev:1;) alert tcp $HOME_NET any -> [121.36.198.30] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233611; rev:1;) alert tcp $HOME_NET any -> [122.51.232.227] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233610; rev:1;) alert tcp $HOME_NET any -> [154.31.26.97] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233609; rev:1;) alert 
tcp $HOME_NET any -> [147.182.234.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233608; rev:1;) alert tcp $HOME_NET any -> [47.96.70.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233606; rev:1;) alert tcp $HOME_NET any -> [52.148.136.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233607; rev:1;) alert tcp $HOME_NET any -> [118.195.247.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233605; rev:1;) alert tcp $HOME_NET any -> [207.148.88.228] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233604; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233602; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 8021 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233603; rev:1;) alert tcp $HOME_NET any -> [148.135.74.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233601; rev:1;) alert tcp $HOME_NET any -> [43.139.60.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233600; rev:1;) alert tcp $HOME_NET any -> [116.204.88.137] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233599; rev:1;) alert tcp $HOME_NET any -> [149.104.25.66] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233597; rev:1;) alert tcp $HOME_NET any -> [81.70.43.159] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233598; rev:1;) alert tcp $HOME_NET any -> [149.104.25.66] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233596; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233595; rev:1;) alert tcp $HOME_NET any -> [64.23.174.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233594; rev:1;) alert tcp $HOME_NET any -> [124.70.140.36] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233593; rev:1;) alert tcp $HOME_NET any -> [60.204.134.21] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233592/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233592; rev:1;) alert tcp $HOME_NET any -> [43.136.58.193] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233591; rev:1;) alert tcp $HOME_NET any -> [157.230.44.125] 42340 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233590; rev:1;) alert tcp $HOME_NET any -> [91.92.255.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233588; rev:1;) alert tcp $HOME_NET any -> [45.144.29.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233589; rev:1;) alert tcp $HOME_NET any -> [206.237.23.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233587; rev:1;) alert tcp $HOME_NET any -> [206.237.23.96] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233586; rev:1;) alert tcp $HOME_NET any -> [47.109.70.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233585; rev:1;) alert tcp $HOME_NET any -> [82.146.63.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233584; rev:1;) alert tcp $HOME_NET any -> [172.96.185.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233583; rev:1;) alert tcp $HOME_NET any -> [1.94.17.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233582; rev:1;) alert tcp $HOME_NET any -> [139.84.137.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233581; rev:1;) alert tcp $HOME_NET any -> [47.108.115.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233579; rev:1;) alert tcp $HOME_NET any -> [8.130.12.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233580; rev:1;) alert tcp $HOME_NET any -> [116.62.123.217] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233578; rev:1;) alert tcp $HOME_NET any -> [47.99.171.179] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233577; rev:1;) alert tcp $HOME_NET any -> [123.253.108.131] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233576; rev:1;) alert tcp $HOME_NET any -> [81.70.163.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233575; rev:1;) alert tcp $HOME_NET any -> [134.122.164.213] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233574; rev:1;) alert tcp $HOME_NET any -> [148.135.4.219] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233572; rev:1;) alert tcp $HOME_NET any -> [123.60.93.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233573; rev:1;) alert tcp $HOME_NET any -> [140.143.142.93] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233571; rev:1;) alert tcp $HOME_NET any -> [47.92.31.53] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233570; rev:1;) alert tcp 
$HOME_NET any -> [120.26.50.160] 9647 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233568; rev:1;) alert tcp $HOME_NET any -> [134.122.164.221] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233569; rev:1;) alert tcp $HOME_NET any -> [142.171.228.19] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.ciscointernship.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonsecurepacketauthgameservertemptemporary.php"; depth:50; nocase; http.host; content:"647249cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233565; rev:1;) alert tcp $HOME_NET any -> [94.156.66.203] 
13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233556; rev:1;) alert tcp $HOME_NET any -> [18.220.59.241] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233555; rev:1;) alert tcp $HOME_NET any -> [20.104.172.62] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.tgu-future.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233552; rev:1;) alert tcp $HOME_NET any -> [119.91.214.104] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233553; rev:1;) alert tcp $HOME_NET any -> [45.32.94.53] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233551/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsb.checkinfomation.tk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsa.checkinfomation.tk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233549; rev:1;) alert tcp $HOME_NET any -> [178.79.130.174] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"network-checkin.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233547; rev:1;) alert tcp $HOME_NET any -> [108.61.165.29] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233546; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.azurewinservice.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233545; rev:1;) alert tcp $HOME_NET any -> [139.59.239.123] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.triumphp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.triumphp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.56.217.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.152.67.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"xgcs.ceshi897.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"139.9.134.28"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heiyejiang.tpddns.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233535/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233535; rev:1;) alert tcp $HOME_NET any -> [125.70.238.155] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"heiyejiang.tpddns.cn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"110.42.248.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"194.32.149.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233531; rev:1;) alert tcp $HOME_NET any -> [103.186.67.227] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233530; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233529; rev:1;) alert tcp $HOME_NET any -> [47.120.47.43] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"111.229.163.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233526; rev:1;) alert tcp $HOME_NET any -> [49.12.86.61] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233524; rev:1;) alert tcp $HOME_NET any -> [122.176.133.66] 2667 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233523/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233523; rev:1;) alert tcp $HOME_NET any -> [122.176.133.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233522/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233522; rev:1;) alert tcp $HOME_NET any -> [193.222.96.21] 29871 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233521; rev:1;) alert tcp $HOME_NET any -> [121.40.175.169] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233520/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233520; rev:1;) alert tcp $HOME_NET any -> [154.36.187.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233519/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233519; rev:1;) alert tcp $HOME_NET any -> [212.70.106.243] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233518; rev:1;) alert tcp $HOME_NET any -> [85.110.187.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233517; rev:1;) alert tcp $HOME_NET any -> [72.27.133.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233516; rev:1;) alert tcp $HOME_NET any -> [45.150.198.47] 443 (msg:"ThreatFox pupy botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233515; rev:1;) alert tcp $HOME_NET any -> [195.90.223.120] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233514; rev:1;) alert tcp $HOME_NET any -> [34.142.44.93] 10443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233513; rev:1;) alert tcp $HOME_NET any -> [185.16.43.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.166.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"49.13.131.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233510; rev:1;) alert tcp $HOME_NET any -> [49.13.131.64] 7575 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233508; rev:1;) alert tcp $HOME_NET any -> [95.217.166.29] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233509; rev:1;) alert tcp $HOME_NET any -> [23.106.121.172] 2026 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233507; rev:1;) alert tcp $HOME_NET any -> [175.178.161.139] 6668 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233506; rev:1;) alert tcp $HOME_NET any -> [18.193.68.253] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233505; rev:1;) alert tcp 
$HOME_NET any -> [172.96.185.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233503; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233502; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233501; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233500; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233499; rev:1;) alert tcp $HOME_NET any -> [45.152.209.234] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233498/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233498; rev:1;) alert tcp $HOME_NET any -> [91.208.127.168] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233497; rev:1;) alert tcp $HOME_NET any -> [91.208.127.168] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233496; rev:1;) alert tcp $HOME_NET any -> [109.116.169.17] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/panel/gate.php"; depth:21; nocase; http.host; content:"www.ventriocorp.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233493; rev:1;) alert tcp $HOME_NET any -> [91.92.254.204] 80 (msg:"ThreatFox Mars Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233492; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpprocessorlinuxwindowsflowertemptemporary.php"; depth:48; nocase; http.host; content:"691908cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233491; rev:1;) alert tcp $HOME_NET any -> [91.92.250.190] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233489; rev:1;) alert tcp $HOME_NET any -> [91.92.255.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233490; rev:1;) alert tcp $HOME_NET any -> [91.92.251.172] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233488; rev:1;) alert tcp $HOME_NET any -> [38.181.15.1] 28294 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e42a6515.php"; depth:13; nocase; http.host; content:"a0908021.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233485; rev:1;) alert tcp $HOME_NET any -> [112.74.184.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91233483; rev:1;) alert tcp $HOME_NET any -> [106.55.179.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"fygbib44.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232551; rev:1;) alert tcp $HOME_NET any -> [141.255.159.169] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsqlauth/trackdatalife/datalifecdn/videotemp6/processorauth8/better3/3/2auth3/low/testwp4_/protonapiwordpresspoll/proton/javascriptrequestprotectuniversalpubliccentraluploads.php"; depth:181; nocase; http.host; content:"185.221.198.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232544; rev:1;) alert tcp $HOME_NET any -> [173.249.202.75] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.222.82.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; 
http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"91.92.249.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"150.158.181.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232538; rev:1;) alert tcp $HOME_NET any -> [192.121.82.119] 5553 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232536; rev:1;) alert tcp $HOME_NET any -> 
[138.124.180.159] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sys.tcc-internal.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232534; rev:1;) alert tcp $HOME_NET any -> [5.188.88.54] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232532; rev:1;) alert tcp $HOME_NET any -> [20.234.71.164] 1021 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232531; rev:1;) alert tcp $HOME_NET any -> [163.5.64.15] 57844 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232530; rev:1;) alert tcp $HOME_NET any -> [54.242.225.0] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232529; rev:1;) alert tcp $HOME_NET any -> [201.230.41.34] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"185.103.101.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"185.103.101.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232524; rev:1;) alert tcp $HOME_NET any -> [185.103.101.163] 80 (msg:"ThreatFox RedLine Stealer 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232525; rev:1;) alert tcp $HOME_NET any -> [213.248.43.103] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232526; rev:1;) alert tcp $HOME_NET any -> [213.248.43.105] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/js/xml.php"; depth:18; nocase; http.host; content:"www.miltonhouse.nl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pub/opt/processor.php"; depth:22; nocase; http.host; content:"www.miltonhouse.nl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"evil-pinky.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232518; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 55 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232517; rev:1;) alert tcp $HOME_NET any -> [37.186.127.9] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232515/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232515; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232513/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232513; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232512/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232512; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232511/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232511; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232510; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232509; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232508; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232507; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232506; rev:1;) alert tcp $HOME_NET any -> [62.68.55.25] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232505; rev:1;) alert tcp $HOME_NET any -> [54.173.139.166] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"109.107.178.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232501; rev:1;) alert tcp $HOME_NET any -> [146.70.158.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcfupdservice.com"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232498; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 13957 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232500; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 13957 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"81.19.141.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232495; rev:1;) alert tcp $HOME_NET any -> [212.98.224.58] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232494/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232494; rev:1;) alert tcp $HOME_NET any -> [94.228.162.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232493; rev:1;) alert tcp $HOME_NET any -> [2.59.119.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232492; rev:1;) alert tcp $HOME_NET any -> [93.123.39.86] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232491; rev:1;) alert tcp $HOME_NET any -> [93.123.39.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232490; rev:1;) alert tcp $HOME_NET any -> [91.92.248.67] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232489/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_21; classtype:trojan-activity; sid:91232489; rev:1;) alert tcp $HOME_NET any -> [91.92.241.54] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232488/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_21; classtype:trojan-activity; sid:91232488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fl0ating.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tianchengshengshi.cn"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tianchengshengshi.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.firefox.wang"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.autohome.com.cn.firefox.wang"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232481/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google.firefox.wang"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.firefox.wang"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tz.firefox.wang"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232484; rev:1;) alert tcp $HOME_NET any -> [91.92.248.67] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232486; rev:1;) alert tcp $HOME_NET any -> [91.92.248.67] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
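traffic (domain - confidence level: 100%)"; dns_query; content:"mail.jibril.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232471; rev:1;)
# NOTE(review): one ThreatFox rule per line. Suricata reads a rule as a single line (continuation needs a trailing backslash),
# so rules wrapped across several lines, as in the extracted copy of this feed, fail to load.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jibril.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s81141-tjqy.shzbkj.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d0fe709e41.windows-defender.services"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232476; rev:1;)
# NOTE(review): several dns_query rules in this batch name hosts on shared third-party services (azureedge.net CDN,
# nip.io wildcard DNS, softether.net dynamic DNS, 1u.ms, Tencent API gateway). Each rule matches the exact FQDN only
# (depth + isdataat:!1,relative), so act on the listed name, not on the parent service.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medstar.azureedge.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.221.198.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232474; rev:1;)
# NOTE(review): the ip:port rules carry no flow keyword, so they match any packet toward the listed destination,
# including an unanswered SYN from a scanner or a retransmit; the threshold only caps alerts at one per source per minute.
# Add "flow:to_server,established;" if alerts should only fire on completed connections.
alert tcp $HOME_NET any -> [124.221.198.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232475; rev:1;)
# NOTE(review): TCP/50050 is by default the port a Cobalt Strike team server accepts operator (client) connections on,
# not a beacon listener; a $HOME_NET host hitting it looks like an operator console rather than an implant. Keep if that is wanted.
alert tcp $HOME_NET any -> [123.60.57.13] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232470; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.67] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232469; rev:1;)
# NOTE(review): sid 91232468 (75%) and sid 91232467 (100%) have identical detection content (GET /b18/fre.php on host
# sempersim.su) from two ThreatFox entries; a single request raises both alerts. Consider disabling the lower-confidence one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_21; classtype:trojan-activity; sid:91232468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xgcs.ceshi897.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceshi897.cn"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ceshi897.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.upm8p8ooh1klfdfmgroup.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232460; rev:1;)
alert tcp $HOME_NET any -> [121.43.43.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8cdlt0mn-1310256589.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232462; rev:1;)
alert tcp $HOME_NET any -> [123.207.56.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232464; rev:1;)
alert tcp $HOME_NET any -> [47.113.205.124] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232465; rev:1;)
alert tcp $HOME_NET any -> [14.225.210.97] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glock.monster"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232331; rev:1;)
alert tcp $HOME_NET any -> [24.137.215.159] 6677 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232334; rev:1;)
alert tcp $HOME_NET any -> [72.142.102.158] 6677 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1-tulalip.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232336; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1.dbgblack.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232337; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panlinlin.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232341; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.panlinlin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232342; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wishunter1.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"track.gocasio.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232339; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grpc.nm.192-3-255-42.nip.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.nm.192-3-255-42.nip.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsm-sea.softether.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.nm.192-3-255-42.nip.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-3-255-42.nip.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232347; rev:1;)
# NOTE(review): the hex label in the next name appears to encode an IP literal (32332e39352e39302e3633 -> "23.95.90.63");
# the nip.io names above likewise embed 192.3.255.42. The rules match the names only, not direct traffic to those addresses.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39352e39302e3633-rr.1u.ms"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjronaldo.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mygooddream.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232356; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kstz5.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232357; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn637782190.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232358; rev:1;)
alert tcp $HOME_NET any -> [45.93.20.242] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232365; rev:1;)
alert tcp $HOME_NET any -> [101.32.115.220] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/longpollsecure/7async5/wpcpulocalcpu/7geoprovider/5universal/cdntempdbjs/2requestsecureprotect/central/cdnmulti/generatorbetter2universal/6flowerapitrack/default/20/7api/updategenerator3geo/private/imagevmphpjs_sqlbaselocalcentraltemporary.php"; depth:250; nocase; http.host; content:"3.79.245.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232456; rev:1;)
alert tcp $HOME_NET any -> [123.254.107.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232455; rev:1;)
alert tcp $HOME_NET any -> [167.56.198.104] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232454; rev:1;)
alert tcp $HOME_NET any -> [70.107.200.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232453; rev:1;)
alert tcp $HOME_NET any -> [209.94.57.221] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232452; rev:1;)
alert tcp $HOME_NET any -> [52.76.234.184] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232451; rev:1;)
alert tcp $HOME_NET any -> [85.239.52.71] 7940 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232450; rev:1;)
alert tcp $HOME_NET any -> [18.183.137.140] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232449; rev:1;)
alert tcp $HOME_NET any -> [70.39.90.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"j6yla0n2hm.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232447; rev:1;)
alert tcp $HOME_NET any -> [162.0.225.166] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232446; rev:1;)
alert tcp $HOME_NET any -> [45.152.67.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaleternalphpupdatetesttemporary.php"; depth:42; nocase; http.host; content:"192565cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232444; rev:1;)
alert tcp $HOME_NET any -> [154.26.134.64] 25261 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232443; rev:1;)
alert tcp $HOME_NET any -> [191.233.27.50] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232442; rev:1;)
alert tcp $HOME_NET any -> [193.163.170.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232441; rev:1;)
alert tcp $HOME_NET any -> [185.217.197.175] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232440; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.34] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232439; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.68] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232438; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.68] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_20; classtype:trojan-activity; sid:91232437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"47.106.230.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232436; rev:1;)
alert tcp $HOME_NET any -> [162.19.192.193] 1555 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232435; rev:1;)
# NOTE(review): second TCP/50050 rule in this batch; see the team-server note on sid 91232470.
alert tcp $HOME_NET any -> [43.138.41.32] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232434; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 10929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232433; rev:1;)
alert tcp $HOME_NET any -> [35.158.159.254] 10929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232432; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 10929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232431; rev:1;)
alert tcp $HOME_NET any -> [92.246.138.90] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232430/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232430; rev:1;)
alert tcp $HOME_NET any -> [154.245.115.235] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232429/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232429; rev:1;)
# NOTE(review): 77.105.166.247 is tagged solarmarker on 443 here and RecordBreaker on 80 in sid 91232422; treat the family label as advisory.
alert tcp $HOME_NET any -> [77.105.166.247] 443 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232428/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232428; rev:1;)
alert tcp $HOME_NET any -> [92.118.112.216] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232427/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232427; rev:1;)
alert tcp $HOME_NET any -> [94.228.169.161] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232426/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232426; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.71] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232425; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.63] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232424/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232424; rev:1;)
alert tcp $HOME_NET any -> [62.113.114.93] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232423; rev:1;)
alert tcp $HOME_NET any -> [77.105.166.247] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232422; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.219] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232421; rev:1;)
alert tcp $HOME_NET any -> [146.70.106.73] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232420/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232420; rev:1;)
alert tcp $HOME_NET any -> [139.99.236.139] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232419; rev:1;)
alert tcp $HOME_NET any -> [195.20.16.155] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232418; rev:1;)
alert tcp $HOME_NET any -> [167.235.154.243] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232417; rev:1;)
alert tcp $HOME_NET any -> [89.44.9.86] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232416; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.118] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232415; rev:1;)
alert tcp $HOME_NET any -> [109.107.178.133] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232414; rev:1;)
alert tcp $HOME_NET any -> [78.153.130.188] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232413; rev:1;)
alert tcp $HOME_NET any -> [91.92.136.236] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232412; rev:1;)
alert tcp $HOME_NET any -> [159.100.29.45] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232411; rev:1;)
alert tcp $HOME_NET any -> [159.69.102.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232410; rev:1;)
alert tcp $HOME_NET any -> [159.69.102.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232409; rev:1;)
alert tcp $HOME_NET any -> [65.109.240.203] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232408; rev:1;)
alert tcp $HOME_NET any -> [49.13.6.118] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232407; rev:1;)
alert tcp $HOME_NET any -> [49.13.6.118] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232406; rev:1;)
alert tcp $HOME_NET any -> [5.75.215.163] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232405; rev:1;)
alert tcp $HOME_NET any -> [5.75.215.163] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232404; rev:1;)
alert tcp $HOME_NET any -> [95.216.183.138] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232403; rev:1;)
alert tcp $HOME_NET any -> [95.216.183.138] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232402; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.143] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232401; rev:1;)
alert tcp $HOME_NET any -> [95.217.243.230] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232400/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232400; rev:1;)
alert tcp $HOME_NET any -> [65.21.187.53] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newfolder/index.php"; depth:20; nocase; http.host; content:"51.15.226.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/index.php"; depth:20; nocase; http.host; content:"185.196.10.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232397; rev:1;)
alert tcp $HOME_NET any -> [185.16.39.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232396/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic/apijavascriptprivatewindows/apitodb/asyncdb/secure3/central/low/processor/longpoll/trafficsql/privatevoiddbgenerator/updateline/javascriptsecuredatalife/linuxdb2/betterpacket/eternalimagevideopacketlinux.php"; depth:216; nocase; http.host; content:"46.29.237.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232395; rev:1;)
alert tcp $HOME_NET any -> [138.197.36.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232394/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pub/fon/index.php"; depth:18; nocase; http.host; content:"cafirepacks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 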
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpuexternalphp/9update7private/579/securelongpollmultiwpuploads.php"; depth:68; nocase; http.host; content:"94.156.65.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232392; rev:1;) alert tcp $HOME_NET any -> [191.242.28.210] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232391; rev:1;) alert tcp $HOME_NET any -> [74.12.146.79] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232390; rev:1;) alert tcp $HOME_NET any -> [210.245.86.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232389; rev:1;) alert tcp $HOME_NET any -> [64.23.154.205] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232388; rev:1;) alert tcp $HOME_NET any -> [49.51.68.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1232387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232387; rev:1;) alert tcp $HOME_NET any -> [42.190.107.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"185.196.9.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"15.207.223.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1232378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"150.158.181.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/51350824_"; depth:45; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.38.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; 
sid:91232374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232373; rev:1;) alert tcp $HOME_NET any -> [74.48.162.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"74.48.162.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"92.118.36.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232370; rev:1;) alert tcp $HOME_NET any -> [216.83.51.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"216.83.51.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232368; rev:1;) alert tcp $HOME_NET any -> [5.75.209.145] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/937b6157.php"; depth:13; nocase; http.host; content:"edsfeejsdbfelefaubdiaslfedafd.000webhostapp.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232364; rev:1;) alert tcp $HOME_NET any -> [101.43.149.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232363; rev:1;) alert tcp $HOME_NET any -> [1.92.100.211] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.217.197.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232361; rev:1;) alert tcp $HOME_NET any -> [149.104.25.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232360; rev:1;) alert tcp $HOME_NET any -> [138.128.223.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232359; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2409 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_20; classtype:trojan-activity; sid:91232354; rev:1;) alert tcp $HOME_NET any -> [178.236.247.90] 4050 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232353/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_20; classtype:trojan-activity; sid:91232353; rev:1;) alert tcp $HOME_NET any -> [13.211.68.91] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232352/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232352; rev:1;) alert tcp $HOME_NET any -> [91.92.248.211] 12798 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232351; rev:1;) alert tcp $HOME_NET any -> [113.4.19.3] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1nh"; depth:5; nocase; http.host; content:"121.4.67.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_20; classtype:trojan-activity; sid:91232332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"91.92.249.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; 
sid:91232330; rev:1;) alert tcp $HOME_NET any -> [38.180.29.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devise/v7.13/dbe4ydcy84f"; depth:25; nocase; http.host; content:"cloudflairly.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudflairly.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232328; rev:1;) alert tcp $HOME_NET any -> [89.163.148.48] 28842 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232326; rev:1;) alert tcp $HOME_NET any -> [110.42.248.7] 87 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232325; rev:1;) alert tcp $HOME_NET any -> [43.154.51.250] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"habrafa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.116.74.174"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"20.2.223.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.46.48.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232320/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.46.48.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"182.43.71.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232318; rev:1;) alert tcp $HOME_NET any -> [18.167.180.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.130.48.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/push"; depth:5; nocase; http.host; content:"162.14.109.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"111.230.42.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232314; rev:1;) alert tcp $HOME_NET any -> [93.242.10.67] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232313; rev:1;) alert tcp $HOME_NET any -> [107.175.0.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232312; rev:1;) alert tcp $HOME_NET any -> [78.17.151.18] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232311; rev:1;) alert tcp $HOME_NET any -> [41.99.222.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232310; rev:1;) alert tcp $HOME_NET any -> [142.154.126.174] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232309; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232308; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232307; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232305; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232306; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 8080 (msg:"ThreatFox BianLian botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232304; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232303; rev:1;) alert tcp $HOME_NET any -> [185.198.140.179] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232302; rev:1;) alert tcp $HOME_NET any -> [58.27.188.30] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.d-n-s.name"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcgems.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232295/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_20; classtype:trojan-activity; sid:91232295; rev:1;) alert tcp $HOME_NET any -> [146.0.228.66] 1080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232291; rev:1;) alert tcp $HOME_NET any -> [146.0.228.66] 8111 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232292; rev:1;) alert tcp $HOME_NET any -> [152.32.128.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/error.jpg"; depth:10; nocase; http.host; content:"185.161.248.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bart.jpg"; depth:9; nocase; http.host; content:"185.161.248.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; 
classtype:trojan-activity; sid:91232289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.netbar.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232274; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 3399 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232259; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 56785 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232260; rev:1;) alert tcp $HOME_NET any -> [80.85.143.7] 5533 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaitrikuta.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nyc1.portmap.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iredelltx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232252; rev:1;) alert tcp $HOME_NET any -> [146.70.169.166] 2227 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232255; rev:1;) alert tcp $HOME_NET any -> [142.11.237.239] 32029 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232253; rev:1;) alert tcp $HOME_NET any -> [170.130.55.151] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"binder-sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232262/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_20; classtype:trojan-activity; sid:91232262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assay.porchlightcommunity.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pluralism.themancav.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/digital.js"; depth:11; nocase; http.host; content:"acuiplast.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232265; rev:1;) alert tcp $HOME_NET any -> [173.44.141.200] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232267; rev:1;) alert tcp $HOME_NET any -> [37.228.129.15] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232268; 
rev:1;) alert tcp $HOME_NET any -> [91.208.197.30] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232269; rev:1;) alert tcp $HOME_NET any -> [45.81.232.176] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232300; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 19025 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232299; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2154 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232298; rev:1;) alert tcp $HOME_NET any -> [120.79.154.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232297; rev:1;) alert tcp $HOME_NET any -> [18.198.241.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232296; rev:1;) alert tcp $HOME_NET any -> [45.88.186.20] 61188 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232285; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 1445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.153.130.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b20/fre.php"; depth:12; nocase; 
http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_19; classtype:trojan-activity; sid:91232271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b20/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232270; rev:1;) alert tcp $HOME_NET any -> [104.129.182.226] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"searchgear.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232251; rev:1;) alert tcp $HOME_NET any -> [45.15.156.60] 12050 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232235; rev:1;) alert tcp $HOME_NET any -> [82.146.40.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232237; rev:1;) alert tcp $HOME_NET any -> [78.128.112.205] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232238; rev:1;) alert tcp $HOME_NET any -> [91.238.181.237] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232239; rev:1;) alert tcp $HOME_NET any -> [207.244.251.87] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232241; rev:1;) alert tcp $HOME_NET any -> [209.145.55.141] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blamefade.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phppacket/low/generatordatalifepython/8flower/8/protect/betterlinelow/phpcdn/3/pythonpacket/baseexternal2video/downloads4/testprivate/mariadb/trafficimagecentraltemporary/8/javascripthttp80/javascriptprovidermulti/asyncjavascripttestpython/tocpuapiservergeneratordownloads.php"; depth:277; nocase; http.host; content:"80.66.89.148"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232250; rev:1;) alert tcp $HOME_NET any -> [41.103.252.193] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232249/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232249; rev:1;) alert tcp $HOME_NET any -> [72.27.169.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232248/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232248; rev:1;) alert tcp $HOME_NET any -> [217.165.232.250] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232247/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232247; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1232246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232246; rev:1;) alert tcp $HOME_NET any -> [62.216.92.151] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232245; rev:1;) alert tcp $HOME_NET any -> [91.92.240.39] 39001 (msg:"ThreatFox X-Files Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232240; rev:1;) alert tcp $HOME_NET any -> [64.74.160.148] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232236; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12706 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232234; rev:1;) alert tcp $HOME_NET any -> [35.230.156.200] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232233; rev:1;) alert tcp $HOME_NET any -> [45.76.156.95] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232232/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subns.oss-ttech.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232111; rev:1;) alert tcp $HOME_NET any -> [46.149.76.101] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232231; rev:1;) alert tcp $HOME_NET any -> [185.243.112.245] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232230; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232229; rev:1;) alert tcp $HOME_NET any -> [34.125.99.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232228; rev:1;) alert tcp $HOME_NET any -> [18.117.74.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232226; rev:1;) alert tcp $HOME_NET any -> [43.142.84.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232227; rev:1;) alert tcp $HOME_NET any -> [69.28.84.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232225; rev:1;) alert tcp $HOME_NET any -> [51.75.206.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232224; rev:1;) alert tcp $HOME_NET any -> [15.206.205.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232223; rev:1;) alert tcp $HOME_NET any -> [194.206.234.235] 1443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232222; rev:1;) alert tcp $HOME_NET any -> [35.157.46.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232221; rev:1;) alert tcp $HOME_NET any -> [160.119.252.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232220; rev:1;) alert tcp $HOME_NET any -> [138.68.102.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232219; rev:1;) alert tcp $HOME_NET any -> [52.91.141.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232218; rev:1;) alert tcp $HOME_NET any -> [123.63.101.94] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232217; rev:1;) alert tcp $HOME_NET any -> [23.254.202.48] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232216; rev:1;) alert tcp $HOME_NET any -> [43.138.223.60] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232215; rev:1;) alert tcp $HOME_NET any -> [117.84.78.203] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232214; rev:1;) alert tcp $HOME_NET any -> [124.71.208.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; 
sid:91232213; rev:1;) alert tcp $HOME_NET any -> [103.54.57.251] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232212; rev:1;) alert tcp $HOME_NET any -> [103.54.57.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232211; rev:1;) alert tcp $HOME_NET any -> [93.123.85.43] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232210; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3psil0n.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232208; rev:1;) alert tcp $HOME_NET any -> [77.73.131.73] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1232206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232206; rev:1;) alert tcp $HOME_NET any -> [193.233.255.60] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232207; rev:1;) alert tcp $HOME_NET any -> [91.92.241.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232205; rev:1;) alert tcp $HOME_NET any -> [34.173.15.174] 5986 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232204; rev:1;) alert tcp $HOME_NET any -> [45.153.242.202] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232203; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 21 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232202; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 44886 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232201; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2079 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232199; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 4087 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232200; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 54252 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232198; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1883 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232197; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2375 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232195/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_19; classtype:trojan-activity; sid:91232195; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 52435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232196; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232194; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2376 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232193; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232191; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232192; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 36401 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232190; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 30617 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232189; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 57287 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232188; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 60000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232186; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 49502 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232187; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 27017 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232185; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 
14120 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232184; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 62577 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232183; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 8085 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232182; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6006 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232180; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6918 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232181; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232179/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232179; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 23630 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232177; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232178; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 11933 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232176; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 60402 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232175; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6697 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232173; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 33913 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232174; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6003 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232172; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 28080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232170; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 81 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232171; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 8010 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232169; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1200 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232168; rev:1;) alert tcp 
$HOME_NET any -> [176.40.9.245] 179 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232167; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 9543 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232166; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2761 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232165; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2004 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232164; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 587 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232163; rev:1;) alert tcp $HOME_NET any -> [18.117.107.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232162/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-247-85.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232161; rev:1;) alert tcp $HOME_NET any -> [20.197.230.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232160; rev:1;) alert tcp $HOME_NET any -> [209.97.131.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232159; rev:1;) alert tcp $HOME_NET any -> [192.99.168.172] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232158; rev:1;) alert tcp $HOME_NET any -> [141.98.112.145] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"obsidia.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232157; rev:1;) alert tcp $HOME_NET any -> [45.154.98.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232155; rev:1;) alert tcp $HOME_NET any -> [91.92.244.195] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ff.africankido.design"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232153; rev:1;) alert tcp $HOME_NET any -> [45.141.85.216] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232151; rev:1;) alert tcp $HOME_NET any -> [20.75.90.103] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232152/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232152; rev:1;) alert tcp $HOME_NET any -> [194.87.31.137] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232150; rev:1;) alert tcp $HOME_NET any -> [185.186.25.92] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232149; rev:1;) alert tcp $HOME_NET any -> [149.154.69.190] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232148; rev:1;) alert tcp $HOME_NET any -> [193.201.126.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232147; rev:1;) alert tcp $HOME_NET any -> [20.56.52.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232146; rev:1;) alert tcp $HOME_NET any -> [94.156.68.120] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232144; rev:1;) alert tcp $HOME_NET any -> [158.247.235.51] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232145; rev:1;) alert tcp $HOME_NET any -> [51.195.94.209] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232143; rev:1;) alert tcp $HOME_NET any -> [193.26.115.51] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232142; rev:1;) alert tcp $HOME_NET any -> [118.123.1.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232141; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232140/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_19; classtype:trojan-activity; sid:91232140; rev:1;) alert tcp $HOME_NET any -> 
[94.131.112.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232138/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_19; classtype:trojan-activity; sid:91232138; rev:1;) alert tcp $HOME_NET any -> [64.176.58.13] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232139/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_19; classtype:trojan-activity; sid:91232139; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51100 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232136; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51101 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232137; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 16890 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232135; rev:1;) alert tcp $HOME_NET any -> [175.178.14.59] 10081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232134/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232134; rev:1;) alert tcp $HOME_NET any -> [121.36.198.30] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232133; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232132; rev:1;) alert tcp $HOME_NET any -> [43.153.34.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232131; rev:1;) alert tcp $HOME_NET any -> [129.226.83.129] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232130; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232128; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232129; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 802 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232127; rev:1;) alert tcp $HOME_NET any -> [45.63.121.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232126; rev:1;) alert tcp $HOME_NET any -> [43.156.80.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232125; rev:1;) alert tcp $HOME_NET any -> [49.235.191.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232124; rev:1;) alert tcp $HOME_NET any -> [80.78.22.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232123; rev:1;) alert tcp $HOME_NET any -> [116.205.226.86] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232121; rev:1;) alert tcp $HOME_NET any -> [182.202.176.6] 60202 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232122; rev:1;) alert tcp $HOME_NET any -> [121.199.72.190] 4587 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232120; rev:1;) alert tcp $HOME_NET any -> [198.251.88.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232119; rev:1;) alert tcp $HOME_NET any -> [47.115.230.159] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232118; rev:1;) alert tcp $HOME_NET any -> [114.132.91.182] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232117; rev:1;) alert tcp $HOME_NET any -> [20.255.63.126] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232116; rev:1;) alert tcp $HOME_NET any -> [38.180.10.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232115; rev:1;) alert tcp $HOME_NET any -> [1.94.11.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232114; rev:1;) alert tcp $HOME_NET any -> [8.134.207.214] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-139-9-196-215.compute.hwclouds-dns.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232112; rev:1;) alert tcp $HOME_NET any -> [38.132.103.114] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232109; rev:1;) alert tcp $HOME_NET any -> [45.59.70.99] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232108; rev:1;) alert tcp $HOME_NET any -> [80.79.4.61] 18236 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232107; rev:1;) alert tcp $HOME_NET any -> [94.156.65.198] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"852287cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232105; rev:1;) alert tcp $HOME_NET any -> [185.149.146.75] 8081 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.44] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232102; rev:1;) alert tcp $HOME_NET any -> [132.145.194.134] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tan.kalnet.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/oplugmanzx.exe"; depth:27; nocase; http.host; content:"tan.kalnet.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kalnet.top"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232099; rev:1;) alert tcp $HOME_NET any -> [47.106.171.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.236.28.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; 
sid:91232094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"15.207.223.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"www.xiongge.space"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xiongge.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"82.157.64.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; 
content:"172.67.130.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"82.157.64.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232088; rev:1;) alert tcp $HOME_NET any -> [185.215.113.68] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.175.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"129.226.83.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232082; rev:1;) alert tcp $HOME_NET any -> [129.226.83.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"82.157.64.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"3.10.251.35"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232078; rev:1;) alert tcp $HOME_NET any -> [45.159.50.128] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.dnsdnsdns.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"ns1.dnsdnsdns.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232075; rev:1;) alert tcp $HOME_NET any -> [185.149.146.75] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232074; rev:1;) alert tcp $HOME_NET any -> [139.99.23.9] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/messages/oqnyvw6pwzmn2lhng4lggu9g-opkgdoenlw"; depth:45; nocase; http.host; content:"citrix-update.centralus.cloudapp.azure.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.130.133.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ck70571.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cloud.huawel.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.huawel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/46636ed2.php"; depth:13; nocase; http.host; content:"cj23497.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevideoline_requestgeoauthdbtraffictest.php"; depth:47; nocase; http.host; content:"45.32.153.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232063; rev:1;) alert tcp $HOME_NET any -> [167.235.64.195] 31839 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; 
sid:91232062; rev:1;) alert tcp $HOME_NET any -> [122.176.133.66] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/look/gate.php"; depth:14; nocase; http.host; content:"nsslawcollege.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232060; rev:1;) alert tcp $HOME_NET any -> [8.130.82.167] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232057; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232058; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5d4f090c730016b1.php"; depth:21; nocase; http.host; content:"45.87.153.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232054; rev:1;) alert tcp $HOME_NET any -> [91.92.250.136] 80 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"abode-dashboard-media.s3.ap-south-1.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1232049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"archivevalley-media.s3.amazonaws.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blooming.s3.amazonaws.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shapefiles.fews.net.s3.amazonaws.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232052; rev:1;) alert tcp $HOME_NET any -> [192.252.183.116] 8089 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232048/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_19; classtype:trojan-activity; sid:91232048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/123/100123/202401/sshd"; depth:25; nocase; http.host; content:"192.252.183.116"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1232047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/123/100123/202401/d9a10f4568b649acae7bc2fe51fb5a98.sh"; depth:56; nocase; http.host; content:"192.252.183.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/123/100123/202401/31a5f4ceae1e45e1a3cd30f5d7604d89.json"; depth:58; nocase; http.host; content:"192.252.183.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g6cygaxht4jc1"; depth:14; nocase; http.host; content:"shapefiles.fews.net.s3.amazonaws.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbu5yn3yayttv"; depth:14; nocase; http.host; content:"archivevalley-media.s3.amazonaws.com"; depth:36; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1232042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ea7fbw98cym5o"; depth:14; nocase; http.host; content:"blooming.s3.amazonaws.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaffmm40rntkg"; depth:14; nocase; http.host; content:"abode-dashboard-media.s3.ap-south-1.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232041; rev:1;) alert tcp $HOME_NET any -> [82.157.64.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz17350.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232022; rev:1;) alert tcp $HOME_NET any -> [173.24.8.121] 2222 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232021; rev:1;) alert tcp $HOME_NET any -> [87.223.83.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232020; rev:1;) alert tcp $HOME_NET any -> [189.140.33.134] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232019; rev:1;) alert tcp $HOME_NET any -> [24.181.50.151] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232018; rev:1;) alert tcp $HOME_NET any -> [151.30.46.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232017; rev:1;) alert tcp $HOME_NET any -> [142.247.101.201] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232016; rev:1;) alert tcp $HOME_NET any -> [190.28.110.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232015; rev:1;) alert tcp $HOME_NET any -> [157.245.29.228] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232014; rev:1;) alert tcp $HOME_NET any -> [23.26.55.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232013; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232012; rev:1;) alert tcp $HOME_NET any -> [45.55.132.52] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232011; rev:1;) alert tcp $HOME_NET any -> [45.55.132.52] 587 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232010; rev:1;) alert tcp $HOME_NET any -> [93.123.85.133] 65500 (msg:"ThreatFox botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91231998; rev:1;) alert tcp $HOME_NET any -> [5.161.112.212] 29606 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232003; rev:1;) alert tcp $HOME_NET any -> [13.248.204.3] 10007 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232009; rev:1;) alert tcp $HOME_NET any -> [43.198.187.66] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232008; rev:1;) alert tcp $HOME_NET any -> [40.67.215.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harmless/inc/2c6d40d7cc1ad3.php"; depth:32; nocase; http.host; content:"91.92.250.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232006; rev:1;) alert tcp $HOME_NET any -> [62.109.22.162] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232005; rev:1;) alert tcp $HOME_NET any -> [101.133.172.90] 8787 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232004; rev:1;) alert tcp $HOME_NET any -> [147.50.253.167] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232002/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232002; rev:1;) alert tcp $HOME_NET any -> [91.92.252.40] 61715 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232001; rev:1;) alert tcp $HOME_NET any -> [8.130.48.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1232000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232000; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for this section (rule text is unchanged; one rule per line).
#
# ip:port rules  -- alert tcp $HOME_NET any -> [ip] port (...)
#   No flow keyword: any TCP segment from $HOME_NET towards the listed ip:port
#   fires, a bare SYN included, so a scan or a failed connection attempt alerts
#   just like an established C2 channel.  "threshold: type limit, track by_src,
#   seconds 60, count 1" only caps that at one alert per source per minute; it
#   is not a flow check.  target:src_ip names the internal host as the victim.
#   Every rule below carries first_seen 2024_01_18/19 and several destinations
#   fall in address space that is reassigned frequently (18.x/3.x/54.x,
#   34.x/35.x, 20.x/40.x) -- re-verify against the referenced ThreatFox entry
#   before turning an alert into a block.
#
# domain rules   -- alert dns ... dns_query; content:"name"; depth:<len(name)>;
#                   isdataat:!1,relative; nocase ...
#   depth equals the content length and isdataat:!1,relative follows it, so
#   only the exact query name matches; a lookup of a sub-label or of the
#   parent zone does not.  Where endpoints resolve through an internal
#   resolver these rules only see the resolver's upstream query and
#   target:src_ip then points at the resolver, not at the infected host --
#   correlate with resolver query logs in that deployment.
#
# url rules      -- alert http ... http.method "GET"; http.uri ...; http.host ...
#   Host is matched exactly (depth + isdataat:!1,relative); the URI carries
#   nocase, so the same path in a different letter case also alerts, which is
#   slightly broader than the submitted IOC.  Only cleartext HTTP is visible
#   to http.uri/http.host; the same request inside TLS is not inspected.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [209.127.186.233] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91231999; rev:1;)
alert tcp $HOME_NET any -> [212.227.26.128] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231997; rev:1;)
alert tcp $HOME_NET any -> [1.116.74.174] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1210776429.php"; depth:15; nocase; http.host; content:"gigaload.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231995; rev:1;)
# 103.151.5.233 is covered twice: the ip:port rule (TCP/443) and the URL rule
# for GET /devise/v7.13/dbe4ydcy84f with the IP as Host.  A hit on the URL rule
# implies the ip:port rule also fired (same destination), so expect paired alerts.
alert tcp $HOME_NET any -> [103.151.5.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devise/v7.13/dbe4ydcy84f"; depth:25; nocase; http.host; content:"103.151.5.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231993; rev:1;)
alert tcp $HOME_NET any -> [105.99.46.148] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231992/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231992; rev:1;)
alert tcp $HOME_NET any -> [154.26.136.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231991; rev:1;)
alert tcp $HOME_NET any -> [64.188.20.177] 1053 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231990; rev:1;)
alert tcp $HOME_NET any -> [82.157.64.227] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231989; rev:1;)
# The next five names are tenant hostnames on shared CDN / hosting platforms
# (azureedge.net, 1u.ms, linodeusercontent.com, cloudfront.net).  The exact-match
# shape keeps other tenants of those platforms from alerting, which is the point;
# do not loosen these to a suffix match.  Provider-generated names that merely
# encode an IP (45-56-105-235.ip.linodeusercontent.com) are rarely what the
# implant resolves -- the encoded IP itself is the stronger indicator, and no
# ip:port rule for it appears among the rules visible here (TODO confirm upstream).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1-tulalip.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-api-cs1.azureedge.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39352e39302e3633-rr.1u.ms"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-56-105-235.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d3l4l87i1ykapf.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.maixunkeji.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bauue492-1309306755.gz.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wuxiaoyun.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231966; rev:1;)
# Three NjRAT endpoints on the same port (15184) in what appear to be cloud
# address ranges (18.158.x, 3.125.x, 18.192.x), all first_seen 2024_01_18 --
# presumably one operator's fleet; expect these to age out quickly.
alert tcp $HOME_NET any -> [18.158.249.75] 15184 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231988; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 15184 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231987; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 15184 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231986; rev:1;)
# BianLian: 209.127.186.195 and 209.127.186.233 recur in this section on ports
# 8443 (80%), 8080 (50%), 443/80/8000 (100%).  The same two hosts are reported
# at three different confidence tiers -- tune on the IP, not on a single port.
alert tcp $HOME_NET any -> [209.127.186.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231985; rev:1;)
alert tcp $HOME_NET any -> [178.62.214.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231984; rev:1;)
alert tcp $HOME_NET any -> [185.70.104.90] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231983; rev:1;)
alert tcp $HOME_NET any -> [185.70.104.90] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231982; rev:1;)
alert tcp $HOME_NET any -> [185.70.104.90] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231981; rev:1;)
alert tcp $HOME_NET any -> [44.31.248.7] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231980; rev:1;)
# confidence_level 50 -- the weakest tier present in this section.  Treat a hit
# on any of the following QakBot / Havoc / BianLian / Deimos / Unknown entries
# as a lead to enrich (referenced ThreatFox entry, passive DNS, your own flow
# history), not as a verdict; do not promote these to drop without that step.
alert tcp $HOME_NET any -> [77.8.38.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231979; rev:1;)
alert tcp $HOME_NET any -> [41.111.0.243] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231978; rev:1;)
alert tcp $HOME_NET any -> [37.56.101.159] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231977; rev:1;)
alert tcp $HOME_NET any -> [90.4.242.46] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231976; rev:1;)
alert tcp $HOME_NET any -> [79.130.54.8] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231975; rev:1;)
alert tcp $HOME_NET any -> [74.12.146.19] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231974; rev:1;)
alert tcp $HOME_NET any -> [99.153.7.177] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231973; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.233] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231972; rev:1;)
alert tcp $HOME_NET any -> [2.58.15.126] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231971; rev:1;)
alert tcp $HOME_NET any -> [43.198.203.238] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231970; rev:1;)
alert tcp $HOME_NET any -> [74.208.172.242] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231969; rev:1;)
alert tcp $HOME_NET any -> [74.208.172.242] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231968; rev:1;)
alert tcp $HOME_NET any -> [185.245.182.209] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231967; rev:1;)
# Short URIs ("/push", "/ptj") with an IP literal as Host.  The exact Host match
# is what keeps these from being noisy; a 4-5 byte path alone would not be.
# 40.124.87.200 also appears further down as a Cobalt Strike ip:port rule on
# TCP/53 (sid 91231926) -- the same host is reported for two channels.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.222.54.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"40.124.87.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231957; rev:1;)
alert tcp $HOME_NET any -> [45.246.210.193] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231956; rev:1;)
alert tcp $HOME_NET any -> [197.14.170.144] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231955; rev:1;)
alert tcp $HOME_NET any -> [34.70.180.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231954; rev:1;)
# 3389 is the conventional RDP port: outbound RDP from an endpoint to an
# unknown external host is worth an alert on its own, IOC aside.
alert tcp $HOME_NET any -> [34.173.15.174] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231953; rev:1;)
# One host, 176.40.9.245, reported on eighteen unrelated ports (20000, 631,
# 60143, 27585, 5903, 6379, 4444, 33416, 10070, 15825, 48742, 26589, 24233,
# 1433, 61105, 26808, 12445, 833).  That pattern looks like every open port on
# the host was submitted, not only the Venom RAT listener -- the IP is the
# indicator; the port in the alert msg should not be read as the C2 port.
alert tcp $HOME_NET any -> [176.40.9.245] 20000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231952; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 631 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231951; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 60143 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231950; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 27585 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231948; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231949; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 6379 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231947; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231946; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 33416 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231945; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 10070 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231943; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 15825 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231944; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 48742 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231942; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 26589 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231941; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 24233 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231940; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 1433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231939; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 61105 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231938; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 26808 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231937; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 12445 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231936; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 833 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-proskuriakova.185-228-234-171.plesk.page"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231934; rev:1;)
alert tcp $HOME_NET any -> [38.54.93.184] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231933; rev:1;)
alert tcp $HOME_NET any -> [77.21.10.243] 29041 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231932; rev:1;)
alert tcp $HOME_NET any -> [47.245.114.11] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231931; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.146] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231930; rev:1;)
alert tcp $HOME_NET any -> [27.102.130.160] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231929; rev:1;)
alert tcp $HOME_NET any -> [95.68.152.232] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231928; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.249] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"education.mccoe.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231925; rev:1;)
# Cobalt Strike reported on TCP/53 (40.124.87.200, 38.54.86.90, 80.78.22.159
# below), interleaved with dns rules for *.urlz.ws and dns.stoneco.network --
# consistent with a DNS-channel beacon, though the rules only pair by position.
# The ip:port rules match on the 5-tuple and inspect no DNS payload; on networks
# that force clients through internal resolvers, any direct TCP/53 from an
# endpoint to these hosts is anomalous by itself and these will be low-noise.
alert tcp $HOME_NET any -> [40.124.87.200] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"set.urlz.ws"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231923; rev:1;)
alert tcp $HOME_NET any -> [38.54.86.90] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"su.urlz.ws"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad.urlz.ws"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231921; rev:1;)
alert tcp $HOME_NET any -> [80.78.22.159] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.stoneco.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0903703.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231918; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.195] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231917; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.195] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231916; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.233] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"team-speak.r2283.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231913; rev:1;)
# "Unknown malware" on port 3333 recurs below across several cloud-looking
# ranges (168.99.x, 35.205.x, 35.187.x, 20.54.x, 54.210.x, 154.144.x,
# 34.168.x; also 34.70.180.79 above), all first_seen 2024_01_18 -- plausibly one
# campaign's fleet.  If volume matters, a single grouped rule over these IPs on
# 3333 gives the same coverage with one sid to tune.  (Inference from the
# visible rules only; confirm against the referenced ThreatFox entries.)
alert tcp $HOME_NET any -> [168.99.76.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231912; rev:1;)
alert tcp $HOME_NET any -> [116.232.52.79] 8090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231911; rev:1;)
alert tcp $HOME_NET any -> [37.9.8.115] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231910; rev:1;)
alert tcp $HOME_NET any -> [35.205.188.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231909; rev:1;)
alert tcp $HOME_NET any -> [35.187.249.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231908; rev:1;)
alert tcp $HOME_NET any -> [84.247.136.19] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231907; rev:1;)
alert tcp $HOME_NET any -> [101.32.220.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231906; rev:1;)
alert tcp $HOME_NET any -> [43.135.5.121] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231905; rev:1;)
alert tcp $HOME_NET any -> [64.176.47.131] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231904; rev:1;)
alert tcp $HOME_NET any -> [3.81.113.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231903; rev:1;)
alert tcp $HOME_NET any -> [20.54.148.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231902; rev:1;)
alert tcp $HOME_NET any -> [54.210.110.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231901; rev:1;)
alert tcp $HOME_NET any -> [154.144.246.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231900; rev:1;)
alert tcp $HOME_NET any -> [223.167.229.112] 8200 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231898; rev:1;)
alert tcp $HOME_NET any -> [34.168.202.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231899; rev:1;)
alert tcp $HOME_NET any -> [149.28.199.177] 6286 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231897; rev:1;)
alert tcp $HOME_NET any -> [35.157.46.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231896; rev:1;)
alert tcp $HOME_NET any -> [43.136.27.224] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231895; rev:1;)
alert tcp $HOME_NET any -> [87.251.66.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"78.lan-so2-1.static.rozabg.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanasuuakiaa.host"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doobiefly.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231891; rev:1;)
alert tcp $HOME_NET any -> [210.211.117.205] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231890; rev:1;)
# Provider reverse-DNS style name that encodes an IP (52.23.33.245).  Implants
# usually connect to such a host by address, so this dns rule may never fire;
# no ip:port rule for 52.23.33.245 is among the rules visible here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-23-33-245.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231888; rev:1;)
alert tcp $HOME_NET any -> [89.208.105.191] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231887; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.3] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231886; rev:1;)
alert tcp $HOME_NET any -> [39.170.62.143] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231885; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.88] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231884; rev:1;)
alert tcp $HOME_NET any -> [209.145.58.236] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231883; rev:1;) alert tcp $HOME_NET any -> [3.79.229.48] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231882; rev:1;) alert tcp $HOME_NET any -> [42.114.153.12] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231881; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 23803 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231880; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 57002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231878; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1026 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231879; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 53782 (msg:"ThreatFox Venom RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231877; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 33742 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231875; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 53346 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231876; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 33389 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231874; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 46571 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231873; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 11778 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; 
classtype:trojan-activity; sid:91231871; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 23515 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231872; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1311 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231870; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231868; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231869; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 3306 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231867; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 110 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231866; rev:1;) alert tcp $HOME_NET any -> [118.107.41.120] 30360 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231865; rev:1;) alert tcp $HOME_NET any -> [206.166.251.107] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primalbrainhacks.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231863; rev:1;) alert tcp $HOME_NET any -> [187.59.65.160] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231862; rev:1;) alert tcp $HOME_NET any -> [91.224.92.194] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231861; rev:1;) alert tcp $HOME_NET any -> 
[45.141.85.181] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1561484.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipmotinov.fvds.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artre3.fvds.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polina.to-kgb.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231857; rev:1;) alert tcp $HOME_NET any -> [91.92.246.195] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1231855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-26-24-38.ap-southeast-2.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231853; rev:1;) alert tcp $HOME_NET any -> [160.1.6.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231854; rev:1;) alert tcp $HOME_NET any -> [3.27.149.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231852; rev:1;) alert tcp $HOME_NET any -> [164.90.209.184] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231851; rev:1;) alert tcp $HOME_NET any -> [186.168.66.85] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; 
sid:91231850; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 42358 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231848; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 50126 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231849; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 40249 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231847; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 62822 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231846; rev:1;) alert tcp $HOME_NET any -> [194.213.3.123] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231845; rev:1;) alert tcp $HOME_NET any -> [194.213.3.123] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231844; rev:1;) alert tcp $HOME_NET any -> [207.32.217.14] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231843; rev:1;) alert tcp $HOME_NET any -> [107.150.23.137] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231842; rev:1;) alert tcp $HOME_NET any -> [39.105.231.94] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231841; rev:1;) alert tcp $HOME_NET any -> [159.223.130.150] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231840/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_18; classtype:trojan-activity; sid:91231840; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231839/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_18; classtype:trojan-activity; sid:91231839; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1723 (msg:"ThreatFox DarkComet botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231837; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231838; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1701 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231836; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231835; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2167 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231833; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; 
classtype:trojan-activity; sid:91231834; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231832; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231831; rev:1;) alert tcp $HOME_NET any -> [105.98.169.29] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231830; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231829; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231828; rev:1;) alert tcp $HOME_NET any -> [47.245.82.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231827; rev:1;) alert tcp $HOME_NET any -> [121.43.33.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231826; rev:1;) alert tcp $HOME_NET any -> [157.230.44.125] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231825; rev:1;) alert tcp $HOME_NET any -> [47.93.254.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231824; rev:1;) alert tcp $HOME_NET any -> [139.196.10.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231823; rev:1;) alert tcp $HOME_NET any -> [154.90.62.92] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231822; rev:1;) alert tcp $HOME_NET any -> 
[43.137.6.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231820; rev:1;) alert tcp $HOME_NET any -> [121.43.97.52] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231821; rev:1;) alert tcp $HOME_NET any -> [124.222.54.66] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231819; rev:1;) alert tcp $HOME_NET any -> [47.96.67.231] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231818; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231817; rev:1;) alert tcp $HOME_NET any -> [147.78.47.185] 5347 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231816/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231816; rev:1;) alert tcp $HOME_NET any -> [47.99.171.179] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231815; rev:1;) alert tcp $HOME_NET any -> [139.9.134.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231814; rev:1;) alert tcp $HOME_NET any -> [175.178.103.194] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231813; rev:1;) alert tcp $HOME_NET any -> [123.57.135.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231811; rev:1;) alert tcp $HOME_NET any -> [8.219.121.245] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231812; rev:1;) alert tcp $HOME_NET any -> [82.157.64.227] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231810; rev:1;) alert tcp $HOME_NET any -> [8.137.115.200] 3390 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231808; rev:1;) alert tcp $HOME_NET any -> [139.159.221.73] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad.ttss66.co"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231807; rev:1;) alert tcp $HOME_NET any -> [212.254.178.181] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231806; rev:1;) alert tcp $HOME_NET any -> [91.92.249.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231805/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-207-223-7.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.ttss66.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"164-90-169-184.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hahaha/yomobing"; depth:16; nocase; http.host; content:"42.193.1.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.120.47.43"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1231800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.220.164.254"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"118.195.236.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pingjs/ext2020/configf2017/5d09e4c5.js"; depth:39; nocase; http.host; content:"47.57.12.167"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; 
sid:91231796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; nocase; http.host; content:"103.1.40.217"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.99.171.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231794; rev:1;) alert tcp $HOME_NET any -> [172.67.130.131] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231793/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231793; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231792; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231791; rev:1;) alert tcp $HOME_NET 
any -> [3.67.161.133] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231790; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"42.81.86.62"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-9cs9xxk6-1259711277.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-9cs9xxk6-1259711277.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; 
classtype:trojan-activity; sid:91231786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.42.172.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.222.54.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.229.163.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"110.43.34.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231779; rev:1;) alert tcp $HOME_NET any -> [62.234.54.38] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231777; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.228.169.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231774; rev:1;) alert tcp $HOME_NET any -> [111.230.1.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231773; rev:1;) alert tcp $HOME_NET any -> [47.97.63.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231772; rev:1;) alert tcp $HOME_NET any -> [185.189.112.27] 2529 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231771/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231771; rev:1;) alert tcp $HOME_NET any -> [54.151.129.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231770; rev:1;) alert tcp $HOME_NET any -> [162.218.122.24] 5707 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231768; rev:1;) alert tcp $HOME_NET any -> [5.75.215.163] 7575 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"5.75.215.163"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231765; rev:1;) alert tcp $HOME_NET any -> [95.217.240.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231764; rev:1;) alert tcp $HOME_NET any -> [45.153.230.56] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231763; rev:1;) alert tcp $HOME_NET any -> [182.43.81.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231762; rev:1;) alert tcp $HOME_NET any -> [101.43.175.148] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231761/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231761; rev:1;) alert tcp $HOME_NET any -> [64.176.35.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231760; rev:1;) alert tcp $HOME_NET any -> [38.60.200.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231759; rev:1;) alert tcp $HOME_NET any -> [45.131.108.123] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231758; rev:1;) alert tcp $HOME_NET any -> [107.150.23.137] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231757; rev:1;) alert tcp $HOME_NET any -> [40.112.134.176] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231756; rev:1;) alert tcp $HOME_NET any -> [31.117.111.217] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231755; rev:1;) alert tcp $HOME_NET any -> [74.12.146.19] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231754; rev:1;) alert tcp $HOME_NET any -> [70.107.200.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231753; rev:1;) alert tcp $HOME_NET any -> [209.163.151.210] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231752; rev:1;) alert tcp $HOME_NET any -> [34.135.30.146] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231751; rev:1;) alert tcp $HOME_NET any -> [206.237.1.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231749; rev:1;) alert tcp $HOME_NET any -> [206.237.1.36] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231750; rev:1;) alert tcp $HOME_NET any -> [43.138.25.26] 4431 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231748; rev:1;) alert tcp $HOME_NET any -> [51.81.110.44] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231747; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231746; rev:1;) alert tcp $HOME_NET any -> [103.11.1.147] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231745; rev:1;) alert tcp $HOME_NET any -> [103.83.31.209] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; 
classtype:trojan-activity; sid:91231744; rev:1;) alert tcp $HOME_NET any -> [43.230.161.37] 5432 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"984794727cm.whiteproducts.ru"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"broler.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yadongrec.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.broler.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231735; rev:1;) alert tcp 
$HOME_NET any -> [3.10.251.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231741/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amje"; depth:5; nocase; http.host; content:"121.40.63.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231740/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231740; rev:1;) alert tcp $HOME_NET any -> [121.40.63.121] 58431 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231739; rev:1;) alert tcp $HOME_NET any -> [94.96.102.52] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231738/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231738; rev:1;) alert tcp $HOME_NET any -> [160.1.6.79] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231737/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231737; rev:1;) alert tcp $HOME_NET any -> [18.219.185.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231736/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231736; rev:1;) alert tcp $HOME_NET any -> [90.156.226.218] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231732; rev:1;) alert tcp $HOME_NET any -> [124.222.145.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcloud/main/scripts/release"; depth:28; nocase; http.host; content:"124.222.145.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"120.55.12.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/qcloud/main/scripts/release"; depth:28; nocase; http.host; content:"124.222.145.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231727; rev:1;) alert tcp $HOME_NET any -> [124.222.145.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231728; rev:1;) alert tcp $HOME_NET any -> [44.206.79.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231726; rev:1;) alert tcp $HOME_NET any -> [139.180.217.19] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231725; rev:1;) alert tcp $HOME_NET any -> [31.220.107.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231724; rev:1;) alert tcp $HOME_NET any -> [170.64.163.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231722; rev:1;) alert tcp $HOME_NET any -> [46.36.40.36] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231723; rev:1;) alert tcp $HOME_NET any -> [3.91.122.253] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231721; rev:1;) alert tcp $HOME_NET any -> [186.114.35.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231720; rev:1;) alert tcp $HOME_NET any -> [94.200.31.94] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231719; rev:1;) alert tcp $HOME_NET any -> [44.204.34.117] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231718; rev:1;) alert tcp $HOME_NET any -> [104.192.83.105] 60000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231717; rev:1;) alert tcp $HOME_NET any -> [101.200.36.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231716; rev:1;) alert tcp $HOME_NET any -> [47.116.65.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-goldwasser.2-58-113-220.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231714; rev:1;) alert tcp $HOME_NET any -> [77.105.146.199] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231713; rev:1;) alert tcp $HOME_NET any -> [190.123.44.233] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tradeplayz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231711; rev:1;) alert tcp $HOME_NET any -> [84.247.161.111] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.spacestar.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231709; rev:1;) alert tcp $HOME_NET any -> [24.199.72.221] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231708; rev:1;) alert tcp $HOME_NET any -> [120.55.12.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231707; rev:1;) alert tcp $HOME_NET any -> 
[47.106.230.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231706; rev:1;) alert tcp $HOME_NET any -> [47.106.230.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231705; rev:1;) alert tcp $HOME_NET any -> [47.245.82.226] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231704; rev:1;) alert tcp $HOME_NET any -> [27.102.130.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231703; rev:1;) alert tcp $HOME_NET any -> [103.97.176.112] 5588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231702; rev:1;) alert tcp $HOME_NET any -> [49.12.98.191] 14499 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231701; rev:1;) alert tcp $HOME_NET any -> [43.139.94.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231699; rev:1;) alert tcp $HOME_NET any -> [121.43.62.136] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231700; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hei.ttss66.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sacacaa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231696; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.ttss66.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231695; rev:1;) alert tcp $HOME_NET any -> [188.17.46.163] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231694; rev:1;) alert tcp $HOME_NET any -> [85.206.169.88] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231693; rev:1;) alert tcp $HOME_NET any -> [159.69.179.151] 12807 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231692; rev:1;) alert tcp $HOME_NET any -> [44.31.248.7] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231691; rev:1;) alert tcp $HOME_NET any -> [94.156.66.169] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231690/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231690; rev:1;) alert tcp $HOME_NET any -> [94.156.66.169] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_17; classtype:trojan-activity; sid:91231689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"worrystitchsounddywuwp.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"copyrightspareddcitwew.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"groannysoapblockedstiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paperambiguonusphoterew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"expenditureddisumilarwo.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"weedpairfolkloredheryw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinethemepiggerygoj.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"qualifiedbehaviorrykej.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"transparenteunlawfullyp.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231661; rev:1;) alert tcp $HOME_NET any -> [20.2.223.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231688; rev:1;) alert tcp $HOME_NET any -> [31.117.127.145] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231687; rev:1;) alert tcp $HOME_NET any -> [74.124.191.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231686; rev:1;) alert tcp $HOME_NET any -> [41.99.28.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231685/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231685; rev:1;) alert tcp $HOME_NET any -> [187.211.85.9] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231684; rev:1;) alert tcp $HOME_NET any -> [185.198.121.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231683; rev:1;) alert tcp $HOME_NET any -> [74.12.146.183] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231682; rev:1;) alert tcp $HOME_NET any -> [108.173.84.82] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231681; rev:1;) alert tcp $HOME_NET any -> [95.215.108.41] 1194 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231680; rev:1;) alert tcp $HOME_NET any -> [31.46.55.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231679; rev:1;) alert tcp $HOME_NET any -> [79.131.125.119] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231678; rev:1;) alert tcp $HOME_NET any -> [39.40.158.169] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231677; rev:1;) alert tcp $HOME_NET any -> [75.134.202.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231676; rev:1;) alert tcp $HOME_NET any -> [185.117.90.142] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231675; rev:1;) alert tcp $HOME_NET any -> [24.45.151.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231674; rev:1;) alert tcp $HOME_NET any -> [2.82.9.245] 443 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231673; rev:1;) alert tcp $HOME_NET any -> [64.23.165.240] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231672; rev:1;) alert tcp $HOME_NET any -> [54.205.140.17] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231671; rev:1;) alert tcp $HOME_NET any -> [136.40.23.25] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231670; rev:1;) alert tcp $HOME_NET any -> [20.84.6.140] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231669; rev:1;) alert tcp $HOME_NET any -> [172.172.163.9] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231668; rev:1;) alert tcp $HOME_NET any -> [172.172.163.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231667; rev:1;) alert tcp $HOME_NET any -> [167.172.80.227] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231666; rev:1;) alert tcp $HOME_NET any -> [103.11.3.170] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231665; rev:1;) alert tcp $HOME_NET any -> [209.105.242.245] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231664; rev:1;) alert tcp $HOME_NET any -> [103.15.105.29] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231663; rev:1;) alert tcp $HOME_NET any -> [103.85.110.13] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadmultidefaultuploadsdownloads.php"; depth:40; nocase; http.host; content:"977789cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/index.php"; depth:20; nocase; http.host; content:"5.42.65.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231651; rev:1;) alert tcp $HOME_NET any -> [8.130.82.167] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231650; rev:1;) alert tcp $HOME_NET any -> [193.233.50.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231648; rev:1;) alert tcp $HOME_NET any -> [193.233.50.13] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231649; rev:1;) alert tcp $HOME_NET any -> [81.19.140.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231647; rev:1;) alert tcp $HOME_NET any -> [95.216.37.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231645; rev:1;) alert tcp $HOME_NET any -> [81.19.140.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231646; rev:1;) alert tcp $HOME_NET any -> [95.216.37.49] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud5.5-systems.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231642; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hel.syscare.sk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231643; rev:1;) alert tcp $HOME_NET any -> [116.202.214.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"node103.5-systems.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.49.37.216.95.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.5-systems.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"vault.5-systems.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231638; rev:1;) alert tcp $HOME_NET any -> [85.239.34.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn3-kit1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231636; rev:1;) alert tcp $HOME_NET any -> [194.110.247.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231634; rev:1;) alert tcp $HOME_NET any -> [88.151.192.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231632; rev:1;) alert tcp $HOME_NET any -> [193.233.203.153] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231633/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231633; rev:1;) alert tcp $HOME_NET any -> [213.232.235.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231631; rev:1;) alert tcp $HOME_NET any -> [193.233.18.169] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231630; rev:1;) alert tcp $HOME_NET any -> [37.220.86.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231629; rev:1;) alert tcp $HOME_NET any -> [176.123.2.55] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231627; rev:1;) alert tcp $HOME_NET any -> [81.19.140.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231628; rev:1;) alert tcp $HOME_NET any -> [185.84.163.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bl3mder3d.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.113.214.202.116.clients.your-server.de"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free-cdn.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn3.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231622; rev:1;) alert tcp $HOME_NET any -> [85.98.101.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231621/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231621; rev:1;) alert tcp $HOME_NET any -> [2.50.16.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231620; rev:1;) alert tcp $HOME_NET any -> [168.149.58.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231619; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231617; rev:1;) alert tcp $HOME_NET any -> [62.84.103.154] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231618; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231616; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231615; rev:1;) alert tcp $HOME_NET any -> [156.236.76.243] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231613; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231614; rev:1;) alert tcp $HOME_NET any -> [156.236.76.243] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231612; rev:1;) alert tcp $HOME_NET any -> [156.236.76.243] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231610; rev:1;) alert tcp $HOME_NET any -> [156.236.76.243] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231611; rev:1;) alert tcp 
$HOME_NET any -> [156.236.76.243] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231609; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231607; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231608; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231606; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231604; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231605/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231605; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231603; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231601; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231602; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231600; rev:1;) alert tcp $HOME_NET any -> [61.247.164.51] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231599/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231599; rev:1;) alert tcp $HOME_NET any -> [3.80.241.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231597; rev:1;) alert tcp $HOME_NET any -> [3.230.14.10] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231598; rev:1;) alert tcp $HOME_NET any -> [4.196.203.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231596; rev:1;) alert tcp $HOME_NET any -> [137.184.204.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231595; rev:1;) alert tcp $HOME_NET any -> [52.76.13.113] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231593; rev:1;) alert tcp $HOME_NET any -> [149.28.59.118] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231594; rev:1;) alert tcp $HOME_NET any -> [24.105.180.18] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231592; rev:1;) alert tcp $HOME_NET any -> [142.171.108.61] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231591; rev:1;) alert tcp $HOME_NET any -> [203.154.83.164] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231590; rev:1;) alert tcp $HOME_NET any -> [157.245.108.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231589; rev:1;) alert tcp $HOME_NET any -> [103.149.177.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231587; rev:1;) alert tcp $HOME_NET any -> [34.232.20.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231588; rev:1;) alert tcp $HOME_NET any -> [68.183.94.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231586; rev:1;) alert tcp $HOME_NET any -> [3.27.165.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231585; rev:1;) alert tcp $HOME_NET any -> [120.48.29.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231584; rev:1;) alert tcp $HOME_NET any -> [44.218.238.214] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231583; rev:1;) alert tcp $HOME_NET any -> [3.131.98.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231581; rev:1;) alert tcp $HOME_NET any -> [13.64.102.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231582; rev:1;) alert tcp $HOME_NET any -> [84.201.173.129] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231579; rev:1;) alert tcp $HOME_NET any -> [44.196.151.67] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231580; rev:1;) alert tcp $HOME_NET any -> [8.210.51.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231578; rev:1;) alert tcp $HOME_NET any -> [175.178.221.124] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231577; rev:1;) alert tcp $HOME_NET any -> [52.59.142.201] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231576; rev:1;) alert tcp $HOME_NET any -> [52.59.142.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231575; rev:1;) alert tcp $HOME_NET any -> [34.207.241.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231574; rev:1;) alert tcp $HOME_NET any -> [66.135.26.24] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231572; rev:1;) alert tcp $HOME_NET any -> [200.69.21.128] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231573; rev:1;) alert tcp $HOME_NET any -> [191.104.11.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231571; rev:1;) alert tcp 
$HOME_NET any -> [101.226.173.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231570; rev:1;) alert tcp $HOME_NET any -> [89.104.70.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231569; rev:1;) alert tcp $HOME_NET any -> [120.133.50.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231568; rev:1;) alert tcp $HOME_NET any -> [43.138.172.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231567; rev:1;) alert tcp $HOME_NET any -> [8.140.123.165] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231565; rev:1;) alert tcp $HOME_NET any -> [103.149.177.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231566; rev:1;) alert tcp $HOME_NET any -> [159.223.69.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231564; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231563; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231561; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231562; rev:1;) alert tcp $HOME_NET any -> [149.28.222.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231560; rev:1;) alert tcp $HOME_NET any -> 
[124.221.183.95] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231559; rev:1;) alert tcp $HOME_NET any -> [154.8.205.2] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231558; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231556; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231557; rev:1;) alert tcp $HOME_NET any -> [47.108.144.205] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231555; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231553; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231554; rev:1;) alert tcp $HOME_NET any -> [117.84.38.82] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231552; rev:1;) alert tcp $HOME_NET any -> [120.26.168.94] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231551; rev:1;) alert tcp $HOME_NET any -> [8.218.155.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231550; rev:1;) alert tcp $HOME_NET any -> [91.92.243.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231549; rev:1;) alert tcp $HOME_NET any -> [94.156.71.78] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231548; rev:1;) alert tcp $HOME_NET any -> [45.95.169.14] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231547; rev:1;) alert tcp $HOME_NET any -> [103.189.203.36] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231546; rev:1;) alert tcp $HOME_NET any -> [94.228.162.149] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231544; rev:1;) alert tcp $HOME_NET any -> [51.195.28.168] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231545; rev:1;) alert tcp $HOME_NET any -> [77.232.142.8] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231543/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231543; rev:1;) alert tcp $HOME_NET any -> [91.92.240.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231542; rev:1;) alert tcp $HOME_NET any -> [193.222.96.25] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231541; rev:1;) alert tcp $HOME_NET any -> [5.182.87.142] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231540; rev:1;) alert tcp $HOME_NET any -> [195.20.16.224] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231539; rev:1;) alert tcp $HOME_NET any -> [20.161.72.166] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231538; rev:1;) alert tcp $HOME_NET any -> [45.204.82.82] 6606 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231537; rev:1;) alert tcp $HOME_NET any -> [167.71.139.50] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231536; rev:1;) alert tcp $HOME_NET any -> [115.79.234.191] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231535; rev:1;) alert tcp $HOME_NET any -> [115.79.234.191] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231534; rev:1;) alert tcp $HOME_NET any -> [91.92.251.28] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231532; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 12480 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231533; rev:1;) alert tcp $HOME_NET 
any -> [188.119.113.105] 2323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231531; rev:1;) alert tcp $HOME_NET any -> [103.241.66.73] 1604 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cy-security.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231529; rev:1;) alert tcp $HOME_NET any -> [138.197.4.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231528; rev:1;) alert tcp $HOME_NET any -> [16.62.217.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231526; rev:1;) alert tcp $HOME_NET any -> [45.126.127.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231527/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231527; rev:1;) alert tcp $HOME_NET any -> [52.66.109.117] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231525; rev:1;) alert tcp $HOME_NET any -> [93.177.167.240] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231523; rev:1;) alert tcp $HOME_NET any -> [66.85.157.78] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231524; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 27212 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231522; rev:1;) alert tcp $HOME_NET any -> [191.82.199.36] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231521; rev:1;) alert tcp $HOME_NET any -> [40.81.26.134] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231519; rev:1;) alert tcp $HOME_NET any -> [103.127.80.52] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231520; rev:1;) alert tcp $HOME_NET any -> [109.193.93.28] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231518; rev:1;) alert tcp $HOME_NET any -> [110.148.223.254] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231517; rev:1;) alert tcp $HOME_NET any -> [54.151.255.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231515; rev:1;) alert tcp $HOME_NET any -> [54.151.255.201] 82 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231516; rev:1;) alert tcp $HOME_NET any -> [91.108.240.144] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231514; rev:1;) alert tcp $HOME_NET any -> [45.88.79.168] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231513; rev:1;) alert tcp $HOME_NET any -> [81.19.137.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231512; rev:1;) alert tcp $HOME_NET any -> [91.224.92.195] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231511; rev:1;) alert tcp $HOME_NET any -> [185.146.157.121] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231510; rev:1;) alert tcp $HOME_NET any -> [38.207.178.212] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231509/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231509; rev:1;) alert tcp $HOME_NET any -> [176.123.169.240] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231507; rev:1;) alert tcp $HOME_NET any -> [38.60.205.80] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231508; rev:1;) alert tcp $HOME_NET any -> [13.245.207.111] 9922 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231506; rev:1;) alert tcp $HOME_NET any -> [20.11.149.168] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231504; rev:1;) alert tcp $HOME_NET any -> [154.90.49.23] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231505; rev:1;) alert tcp $HOME_NET any -> [38.54.59.79] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231503; rev:1;) alert tcp $HOME_NET any -> [91.109.188.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231501; rev:1;) alert tcp $HOME_NET any -> [91.109.188.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231502; rev:1;) alert tcp $HOME_NET any -> [172.234.95.198] 8443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231500; rev:1;) alert tcp $HOME_NET any -> [158.220.83.114] 9909 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231499; rev:1;) alert tcp $HOME_NET any -> [181.131.219.252] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231498; rev:1;) alert tcp $HOME_NET any -> [91.109.184.6] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231497; rev:1;) alert tcp $HOME_NET any -> [190.28.139.66] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231495; rev:1;) alert tcp $HOME_NET any -> [91.109.184.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231496; rev:1;) alert tcp $HOME_NET any -> [206.123.132.169] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231494; rev:1;) alert tcp $HOME_NET any -> [101.43.162.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231493; rev:1;) alert tcp $HOME_NET any -> [119.45.219.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231492; rev:1;) alert tcp $HOME_NET any -> [159.75.180.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231491; rev:1;) alert tcp $HOME_NET any -> [129.204.56.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231490; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231489/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231489; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231488/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231488; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231487/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231487; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8001 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231485/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231485; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231486/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231486; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231484/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231484; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231483/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231483; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231482/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231482; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231481/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231481; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231479/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231479; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231480/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231480; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231478/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231478; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231477/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231477; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231476/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231476; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1231475/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231475; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231474/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231474; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231473/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231473; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231472/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231472; rev:1;) alert tcp $HOME_NET any -> [155.138.154.203] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231471/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231471; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231470/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231470; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8001 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231469/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231469; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231468/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231468; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231467/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231467; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231466/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231466; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231465/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231465; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231464/; target:src_ip; metadata: confidence_level 90, 
first_seen 2024_01_17; classtype:trojan-activity; sid:91231464; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231463/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231463; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231462/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231462; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231461; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231460/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231460; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231459/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231459; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1231457/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231457; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231458/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231458; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231456/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231456; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231454/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231454; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231455/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231455; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231453/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231453; rev:1;) alert tcp $HOME_NET any -> [45.77.183.245] 443 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231452/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231452; rev:1;) alert tcp $HOME_NET any -> [103.140.187.122] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231451/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231451; rev:1;) alert tcp $HOME_NET any -> [174.138.56.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231450/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231450; rev:1;) alert tcp $HOME_NET any -> [43.157.27.174] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231449/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231449; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51102 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231448; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51005 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231447; rev:1;) alert tcp $HOME_NET any -> [187.135.148.126] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231445; rev:1;) alert tcp $HOME_NET any -> [187.135.148.126] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231446; rev:1;) alert tcp $HOME_NET any -> [187.135.148.126] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231444; rev:1;) alert tcp $HOME_NET any -> [129.204.53.10] 8081 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_17; classtype:trojan-activity; sid:91231443; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231442; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231441; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231440; rev:1;) alert tcp $HOME_NET any -> [47.254.233.5] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231439; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231438; rev:1;) alert tcp $HOME_NET any -> [180.101.45.84] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231437; rev:1;) alert tcp $HOME_NET any -> [18.217.32.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231435; rev:1;) alert tcp $HOME_NET any -> 
[116.204.24.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231436; rev:1;) alert tcp $HOME_NET any -> [62.234.16.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231434; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231432; rev:1;) alert tcp $HOME_NET any -> [62.234.16.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231433; rev:1;) alert tcp $HOME_NET any -> [101.43.46.145] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231431; rev:1;) alert tcp $HOME_NET any -> [47.92.205.12] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231430/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231430; rev:1;) alert tcp $HOME_NET any -> [2.58.200.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231428; rev:1;) alert tcp $HOME_NET any -> [2.58.200.139] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231429; rev:1;) alert tcp $HOME_NET any -> [101.46.48.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231426; rev:1;) alert tcp $HOME_NET any -> [47.92.23.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231427; rev:1;) alert tcp $HOME_NET any -> [101.46.48.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231425; rev:1;) alert tcp $HOME_NET any -> [150.158.160.24] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231424; rev:1;) alert tcp $HOME_NET any -> [121.36.209.227] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231422; rev:1;) alert tcp $HOME_NET any -> [59.110.217.41] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231423; rev:1;) alert tcp $HOME_NET any -> [165.22.220.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231421; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231420; rev:1;) alert tcp $HOME_NET any -> [8.218.79.11] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231418/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_17; classtype:trojan-activity; sid:91231418; rev:1;) alert tcp $HOME_NET any -> [121.4.67.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231419; rev:1;) alert tcp $HOME_NET any -> [23.94.233.96] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231417; rev:1;) alert tcp $HOME_NET any -> [114.55.90.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231416; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231415; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231413; rev:1;) alert tcp $HOME_NET any -> [62.106.95.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231414; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231412; rev:1;) alert tcp $HOME_NET any -> [119.91.144.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231410; rev:1;) alert tcp $HOME_NET any -> [91.92.245.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231411; rev:1;) alert tcp $HOME_NET any -> [114.55.72.52] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231409; rev:1;) alert tcp $HOME_NET any -> [47.96.67.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231408; rev:1;) alert tcp 
$HOME_NET any -> [45.142.166.24] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231407; rev:1;) alert tcp $HOME_NET any -> [118.31.229.138] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231406; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231404; rev:1;) alert tcp $HOME_NET any -> [121.196.232.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231405; rev:1;) alert tcp $HOME_NET any -> [149.104.23.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231403; rev:1;) alert tcp $HOME_NET any -> [139.155.135.131] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231402; rev:1;) alert tcp $HOME_NET any -> [8.219.170.54] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231400; rev:1;) alert tcp $HOME_NET any -> [8.134.192.169] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231401; rev:1;) alert tcp $HOME_NET any -> [107.148.32.236] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231399; rev:1;) alert tcp $HOME_NET any -> [156.224.26.49] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231397; rev:1;) alert tcp $HOME_NET any -> [123.56.217.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231398; rev:1;) alert tcp $HOME_NET any -> [154.90.62.92] 8083 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231396; rev:1;) alert tcp $HOME_NET any -> [23.94.208.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231395; rev:1;) alert tcp $HOME_NET any -> [43.139.37.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231393; rev:1;) alert tcp $HOME_NET any -> [117.72.11.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231394; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zero3.kentest.fyi"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231391/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntc-telecomcorporation.workers.dev"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depo-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hit-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-paf-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1231380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alfalahtransct-bank.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud-ntdc.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e-servicesptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e-supportntc.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"financeptcl-govpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231385/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flysmart-piac.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogdclcloud-mysharep.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"services-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wetransfer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shiningmoons.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.95.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.37.85.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.79.154.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"120.79.154.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.113.185.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"175.24.175.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.95.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"185.73.124.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"185.196.9.231"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"185.73.124.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231366; rev:1;) alert tcp $HOME_NET any -> [45.141.136.133] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kr.i110.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"kr.i110.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"saldanha.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231362; rev:1;) alert tcp $HOME_NET any -> [87.121.87.143] 6696 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7070bc8.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shomyo.secru.it"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231358; rev:1;) alert tcp $HOME_NET any -> [20.49.255.240] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231359; rev:1;) alert tcp $HOME_NET any -> [18.184.122.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231357/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_01_17; classtype:trojan-activity; sid:91231357; rev:1;) alert tcp $HOME_NET any -> [45.86.86.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231346; rev:1;) alert tcp $HOME_NET any -> [94.103.188.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/post.php"; depth:19; nocase; http.host; content:"45.86.86.197"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/log.php"; depth:18; nocase; http.host; content:"94.103.188.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.27.247.156"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/make/srv/o3xm3qybtz"; depth:20; nocase; http.host; content:"8.130.110.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231352; rev:1;) alert tcp $HOME_NET any -> [8.130.110.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231345; rev:1;) alert tcp $HOME_NET any -> [42.193.1.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231344; rev:1;) alert tcp $HOME_NET any -> [129.211.31.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"129.211.31.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231342; 
rev:1;) alert tcp $HOME_NET any -> [147.124.212.75] 2010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231341; rev:1;) alert tcp $HOME_NET any -> [130.0.238.42] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231340; rev:1;) alert tcp $HOME_NET any -> [121.41.99.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231338; rev:1;) alert tcp $HOME_NET any -> [13.248.204.3] 10006 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231337; rev:1;) alert tcp $HOME_NET any -> [119.160.88.100] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231336; rev:1;) alert tcp $HOME_NET any -> [92.116.91.237] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231335; rev:1;) alert tcp $HOME_NET any -> [162.0.222.178] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231334; rev:1;) alert tcp $HOME_NET any -> [156.245.11.1] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231332; rev:1;) alert tcp $HOME_NET any -> [156.245.11.1] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231333; rev:1;) alert tcp $HOME_NET any -> [156.245.11.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231331; rev:1;) alert tcp 
$HOME_NET any -> [156.245.11.9] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231330; rev:1;) alert tcp $HOME_NET any -> [156.245.11.9] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231329; rev:1;) alert tcp $HOME_NET any -> [156.245.11.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231328; rev:1;) alert tcp $HOME_NET any -> [156.245.11.27] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231327; rev:1;) alert tcp $HOME_NET any -> [156.245.11.27] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231326; rev:1;) alert tcp $HOME_NET any -> [156.245.11.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231325/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/telegram/personal/sendmessage.php"; depth:34; nocase; http.host; content:"217.197.107.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/telegram/pdf/sendmessage.php"; depth:29; nocase; http.host; content:"217.197.107.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231311; rev:1;) alert tcp $HOME_NET any -> [217.197.107.138] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f7vkbh7x/index.php"; depth:19; nocase; http.host; content:"87.121.87.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231324; rev:1;) alert tcp $HOME_NET any -> [44.31.248.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/fre.php"; depth:23; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_17; classtype:trojan-activity; sid:91231322; rev:1;) 
# NOTE(review): the ip:port rules in this feed carry no flow: keyword, so a single outbound
# SYN towards the listed socket (even one that is never answered) raises the alert; the
# threshold (type limit, track by_src, 1 per 60 s) only rate-limits repeats per source.
# The four 3790/tcp "Meterpreter" entries below are at 80% confidence; 3790 is presumably
# the Metasploit Pro web-console port rather than a payload listener, so treat these as
# "Metasploit infrastructure seen" and confirm against the referenced ThreatFox entries
# before promoting them to a block list.
alert tcp $HOME_NET any -> [45.58.35.5] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231321; rev:1;) alert tcp $HOME_NET any -> [3.22.217.8] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231320; rev:1;) alert tcp $HOME_NET any -> [194.87.31.166] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231319; rev:1;) alert tcp $HOME_NET any -> [185.197.251.134] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231318/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231318; rev:1;) alert tcp $HOME_NET any -> [185.73.124.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231317; rev:1;) alert tcp $HOME_NET any -> [120.27.131.3] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231316; rev:1;) alert tcp $HOME_NET any -> [195.154.172.233] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231315; rev:1;) alert tcp $HOME_NET any -> [103.1.40.217] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231314; rev:1;) 
# NOTE(review): sid 91231313 pins http.host to 192.168.126.128, an RFC 1918 address, which
# looks like a sandbox/lab artefact carried into the submitted IOC rather than real C2
# infrastructure. With the usual $EXTERNAL_NET = !$HOME_NET the rule can never match; if
# $EXTERNAL_NET is widened to "any" it turns into a false-positive source inside your own
# network. Check IOC 1231313 and consider disabling this sid locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.168.126.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231313; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"34.96.149.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231309; rev:1;) alert tcp $HOME_NET any -> [185.113.8.110] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231308; rev:1;) alert tcp $HOME_NET any -> [38.41.53.160] 84 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231307/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231307; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231306/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231306; rev:1;) 
# NOTE(review): sid 91231305 keys on one attachment path under cdn.discordapp.com, a shared
# and otherwise legitimate CDN host; the file name looks like a Notepad++ portable build,
# i.e. a trojanised-installer lure. Do not derive a host-level block from it. Discord
# attachments are presumably fetched over TLS, so this http rule only fires where traffic
# is decrypted at a proxy or TLS-inspecting sensor; elsewhere rely on endpoint telemetry
# for this IOC.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063900897270304770/1196763302303379496/npp.8.6.portable.x64.zip"; depth:77; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mydsv"; depth:6; nocase; http.host; content:"livespoints.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sso.dsv.com"; depth:12; nocase; http.host; content:"livespoints.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8sjdtu.php"; depth:11; nocase; http.host; content:"thichgiban.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1b7o3.php"; depth:11; nocase; http.host; content:"thekostenfamilys.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yv7clr.php"; depth:11; nocase; http.host; content:"multitraders.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilw4kl.php"; depth:11; nocase; http.host; content:"kashmirworldwide.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"multitraders.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thekostenfamilys.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thichgiban.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kashmirworldwide.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231295; rev:1;) alert tcp $HOME_NET any -> [15.235.166.169] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231294; rev:1;) alert tcp $HOME_NET any -> [91.92.108.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231293; rev:1;) alert tcp $HOME_NET any -> [101.43.169.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_16; classtype:trojan-activity; sid:91231292; rev:1;) alert tcp $HOME_NET any -> [3.208.22.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_16; classtype:trojan-activity; sid:91231291; rev:1;) alert tcp $HOME_NET any -> [5.161.223.88] 2101 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231290/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_16; classtype:trojan-activity; sid:91231290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mahadev.loclx.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mahadevcarrentals.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shriramcarrentals.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shriram.loclx.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231289; rev:1;) alert tcp $HOME_NET any -> [179.43.191.162] 51020 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231285; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polldb.php"; depth:11; nocase; http.host; content:"011781cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231284; rev:1;) alert tcp $HOME_NET any -> [185.242.86.221] 1523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f3vn"; depth:5; nocase; http.host; content:"49.235.80.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91231282; rev:1;) alert tcp $HOME_NET any -> [95.216.98.218] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wuxiaoyun.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231280; rev:1;) alert tcp $HOME_NET 
any -> [140.246.157.86] 9091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231279/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d328.net"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231277; rev:1;) alert tcp $HOME_NET any -> [3.120.209.174] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"scorelineupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231273; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"scorelineupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"phinetik.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.219.207.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch341/index.php"; depth:16; nocase; http.host; content:"chr1zx.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"bba-217-165-232-41.alshamil.net.ae"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tpowe2.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"europapokal2024.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imoneymy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231267; rev:1;) 
# NOTE(review): the dns rules in this feed anchor the name at offset 0 (depth equals the
# name length) and forbid a trailing byte (isdataat:!1,relative), i.e. an exact,
# case-insensitive match on the queried name. The "www."-prefixed IOCs that follow
# therefore do not fire on a query for the bare apex or any other label; to cover the
# whole zone, keep a local copy that drops the "www." prefix and the isdataat terminator
# rather than editing the feed in place. sid 91231270 above matches what looks like an
# ISP-generated reverse-DNS style hostname for a dynamic address (alshamil.net.ae) —
# clients rarely query such names directly, and the address is likely ephemeral, so
# expect low hit rate and short useful life for that entry.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.farmbilllawenterprise.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1231264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hypocrisync.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.conferencecenters.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231263; rev:1;) alert tcp $HOME_NET any -> [54.72.169.192] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231261; rev:1;) alert tcp $HOME_NET any -> [145.131.30.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231262; rev:1;) alert tcp $HOME_NET any -> [45.56.92.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231260; rev:1;) alert 
tcp $HOME_NET any -> [168.80.175.40] 5443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231259; rev:1;) alert tcp $HOME_NET any -> [203.154.83.176] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231258; rev:1;) alert tcp $HOME_NET any -> [47.242.159.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231257; rev:1;) alert tcp $HOME_NET any -> [52.169.125.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231256; rev:1;) alert tcp $HOME_NET any -> [4.180.77.220] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231255; rev:1;) alert tcp $HOME_NET any -> [203.154.83.98] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231254; rev:1;) alert tcp $HOME_NET any -> [43.136.65.119] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231253; rev:1;) alert tcp $HOME_NET any -> [3.7.46.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231251; rev:1;) alert tcp $HOME_NET any -> [34.72.168.221] 1967 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231252; rev:1;) alert tcp $HOME_NET any -> [54.210.42.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231250; rev:1;) alert tcp $HOME_NET any -> [167.99.223.18] 33334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231249; rev:1;) alert tcp $HOME_NET any -> 
[103.82.227.138] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231248; rev:1;) alert tcp $HOME_NET any -> [31.223.68.157] 82 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231247; rev:1;) alert tcp $HOME_NET any -> [191.104.11.30] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231246; rev:1;) alert tcp $HOME_NET any -> [20.117.170.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231245; rev:1;) alert tcp $HOME_NET any -> [46.36.40.36] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231244; rev:1;) alert tcp $HOME_NET any -> [4.227.224.67] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231242; rev:1;) alert tcp $HOME_NET any -> [65.108.89.108] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231243; rev:1;) alert tcp $HOME_NET any -> [15.206.159.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231241; rev:1;) alert tcp $HOME_NET any -> [3.88.124.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231240; rev:1;) alert tcp $HOME_NET any -> [20.224.167.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231238; rev:1;) alert tcp $HOME_NET any -> [62.171.136.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231239; rev:1;) alert tcp $HOME_NET any -> [20.224.167.144] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231237; rev:1;) alert tcp $HOME_NET any -> [195.133.13.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231236; rev:1;) alert tcp $HOME_NET any -> [78.22.49.175] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231235; rev:1;) alert tcp $HOME_NET any -> [173.249.54.226] 49166 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231234; rev:1;) alert tcp $HOME_NET any -> [74.234.17.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231233; rev:1;) alert tcp $HOME_NET any -> [13.246.184.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231232/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231232; rev:1;) alert tcp $HOME_NET any -> [159.146.122.238] 82 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231230; rev:1;) alert tcp $HOME_NET any -> [149.102.128.54] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231231; rev:1;) alert tcp $HOME_NET any -> [34.42.185.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231229; rev:1;) alert tcp $HOME_NET any -> [43.139.177.244] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231228; rev:1;) alert tcp $HOME_NET any -> [87.6.251.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231227; rev:1;) alert tcp $HOME_NET any -> [20.185.229.32] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231226; rev:1;) alert tcp $HOME_NET any -> [23.99.78.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231225; rev:1;) alert tcp $HOME_NET any -> [68.183.229.230] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231224; rev:1;) alert tcp $HOME_NET any -> [3.21.50.171] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231223; rev:1;) alert tcp $HOME_NET any -> [13.80.100.219] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231222; rev:1;) alert tcp $HOME_NET any -> [34.203.222.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231221/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231221; rev:1;) alert tcp $HOME_NET any -> [103.149.177.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231219; rev:1;) alert tcp $HOME_NET any -> [3.77.146.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231220; rev:1;) alert tcp $HOME_NET any -> [45.56.92.137] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"play.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.recruiterteams.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231217; rev:1;) alert tcp $HOME_NET any -> [220.173.26.16] 60000 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231215; rev:1;) alert tcp $HOME_NET any -> [154.201.65.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231214; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231213; rev:1;) alert tcp $HOME_NET any -> [167.88.170.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231211; rev:1;) alert tcp $HOME_NET any -> [163.197.217.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231212; rev:1;) alert tcp $HOME_NET any -> [8.137.102.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231210/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231210; rev:1;) alert tcp $HOME_NET any -> [47.94.56.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231209; rev:1;) alert tcp $HOME_NET any -> [74.48.184.88] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231208; rev:1;) alert tcp $HOME_NET any -> [193.222.96.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231207; rev:1;) alert tcp $HOME_NET any -> [193.222.96.183] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231206; rev:1;) alert tcp $HOME_NET any -> [64.23.168.181] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231205; rev:1;) alert tcp $HOME_NET any -> [122.169.90.181] 80 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231204; rev:1;) alert tcp $HOME_NET any -> [24.199.71.49] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231203; rev:1;) alert tcp $HOME_NET any -> [141.98.7.8] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231202; rev:1;) alert tcp $HOME_NET any -> [119.6.239.18] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231201; rev:1;) alert tcp $HOME_NET any -> [23.224.85.39] 8888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-87-191-236.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231199/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77.105.146.152.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231198; rev:1;) alert tcp $HOME_NET any -> [154.201.75.13] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231197; rev:1;) alert tcp $HOME_NET any -> [82.64.91.111] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231195; rev:1;) alert tcp $HOME_NET any -> [45.83.123.169] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231196; rev:1;) alert tcp $HOME_NET any -> [94.156.65.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231194; rev:1;) alert tcp $HOME_NET any -> [94.156.65.54] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231193; rev:1;) alert tcp $HOME_NET any -> [193.233.132.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231192; rev:1;) alert tcp $HOME_NET any -> [185.196.8.93] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231191; rev:1;) alert tcp $HOME_NET any -> [52.161.69.114] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231190; rev:1;) alert tcp $HOME_NET any -> [193.233.255.253] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231189; rev:1;) alert tcp $HOME_NET any -> [194.36.177.30] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231188; rev:1;) alert tcp $HOME_NET any -> [61.92.130.64] 2053 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231187; rev:1;) alert tcp $HOME_NET any -> [144.24.156.3] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231186; rev:1;) alert tcp $HOME_NET any -> [154.39.152.134] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231184; rev:1;) alert tcp $HOME_NET any -> [194.33.191.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231185; rev:1;) alert tcp $HOME_NET any -> [85.209.176.48] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231183; rev:1;) alert tcp $HOME_NET any -> [194.33.191.171] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1231182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.berkeleyisyou.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kesselfoodmarket.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoami.cy-security.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231179; rev:1;) alert tcp $HOME_NET any -> [185.161.209.202] 29185 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231178; rev:1;) alert tcp $HOME_NET any -> [87.138.218.214] 47000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231177; rev:1;) alert tcp $HOME_NET any -> [191.82.214.147] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231175; rev:1;) alert tcp $HOME_NET any -> [173.249.3.15] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231176; rev:1;) alert tcp $HOME_NET any -> [103.71.154.60] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231173; rev:1;) alert tcp $HOME_NET any -> [186.222.176.105] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231174; rev:1;) alert tcp $HOME_NET any -> [95.181.151.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spacestar.su"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231172; rev:1;) alert tcp $HOME_NET any -> [82.115.223.84] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vasvasniks6.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suivre-mon-colis.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"track-my-parcel.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231168; rev:1;) alert tcp $HOME_NET any -> [91.224.92.211] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-c-clk.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231166; rev:1;) alert tcp $HOME_NET any -> [91.224.92.211] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htmljys.morebit.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jadu.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpv.xj6.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231162; rev:1;) alert tcp $HOME_NET any -> [154.204.60.236] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muoujiejump2.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231160; rev:1;) alert tcp $HOME_NET any -> [91.92.255.110] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231158; rev:1;) alert tcp $HOME_NET any -> [82.146.35.250] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231157; rev:1;) alert tcp $HOME_NET any -> [54.151.255.201] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231155; rev:1;) alert tcp $HOME_NET any -> [104.243.248.73] 8088 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231156; rev:1;) 
alert tcp $HOME_NET any -> [91.107.127.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231154; rev:1;) alert tcp $HOME_NET any -> [23.224.102.158] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.159-89-8-28.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231152; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231150; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 66 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231151; rev:1;) alert tcp $HOME_NET any -> [45.126.209.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231149; rev:1;) alert tcp $HOME_NET any -> [104.131.167.132] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231148; rev:1;) alert tcp $HOME_NET any -> [185.81.157.152] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231146; rev:1;) alert tcp $HOME_NET any -> [185.81.157.152] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231147; rev:1;) alert tcp $HOME_NET any -> [185.81.157.152] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231145; rev:1;) alert tcp $HOME_NET any -> [185.81.157.119] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231144; rev:1;) alert tcp $HOME_NET any -> [91.109.188.6] 8808 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231143; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231142; rev:1;) alert tcp $HOME_NET any -> [186.168.66.85] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231140; rev:1;) alert tcp $HOME_NET any -> [186.168.66.85] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231141; rev:1;) alert tcp $HOME_NET any -> [187.24.12.179] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231139; rev:1;) alert tcp $HOME_NET any -> [89.148.48.240] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231137; rev:1;) alert tcp $HOME_NET any -> [103.195.103.138] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231138; rev:1;) alert tcp $HOME_NET any -> [194.213.3.123] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231136; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231135/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231135; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231133/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231133; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231134/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231134; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231132/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231132; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231130/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231130; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231131/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231131; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231129/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231129; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231127/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231127; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231128/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231128; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8003 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231126/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231126; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231124/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231124; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231125/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231125; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231123/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231123; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231121/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231121; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231122/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231122; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231120/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231120; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231119/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231119; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231117/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231117; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231118/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231118; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231116/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231116; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231114/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231114; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231115/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231115; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231113/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231113; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231112/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231112; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231110/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231110; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231111/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231111; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8003 (msg:"ThreatFox ShadowPad botnet 
C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231109/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231109; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231107/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231107; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231108/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231108; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231106/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231106; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231104/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231104; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231105/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231105; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231103/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231103; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231102/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231102; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231100/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231100; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231101/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231101; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231099/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231099; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231098/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231098; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231097/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231097; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231095/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231095; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231096/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231096; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231094/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231094; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231092/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231092; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8002 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231093/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231093; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231091/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231091; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231090/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231090; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231089/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231089; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231088/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231088; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231086/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231086; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231087/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231087; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231084/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231084; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231085/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231085; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231083/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231083; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231082/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231082; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231081/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231081; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231079/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231079; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231080/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231080; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231077/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231077; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231078/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231078; rev:1;) alert tcp $HOME_NET any -> [194.116.191.150] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231076/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231076; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8000 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231075/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231075; rev:1;) alert tcp $HOME_NET any -> [103.91.64.204] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231074/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231074; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231072/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231072; rev:1;) alert tcp $HOME_NET any -> [103.91.64.204] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231073/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231073; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231071/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231071; rev:1;) alert tcp $HOME_NET any -> [35.161.176.76] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231070/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231070; rev:1;) alert tcp $HOME_NET any -> [209.151.148.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231069/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231069; rev:1;) alert tcp $HOME_NET any -> [206.189.106.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231068/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231068; rev:1;) alert tcp $HOME_NET any -> [44.220.45.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231067/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231067; rev:1;) alert tcp $HOME_NET any -> [159.75.120.80] 3389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231066/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231066; rev:1;) alert tcp $HOME_NET any -> [18.170.56.163] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231065/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231065; rev:1;) alert tcp $HOME_NET any -> [152.238.69.117] 8888 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231064; rev:1;) alert tcp $HOME_NET any -> [105.102.73.65] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231063; rev:1;) alert tcp $HOME_NET any -> [101.43.129.115] 30016 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91231062; rev:1;) alert tcp $HOME_NET any -> [103.233.11.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231061; rev:1;) alert tcp $HOME_NET any -> [5.226.48.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231060; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231059; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231058; rev:1;) alert tcp $HOME_NET any -> [3.1.204.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231057; rev:1;) alert tcp $HOME_NET any -> [20.205.136.186] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231056; rev:1;) alert tcp $HOME_NET any -> [113.250.188.15] 8886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231055; rev:1;) alert tcp $HOME_NET any -> [121.40.175.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231054; rev:1;) alert tcp $HOME_NET any -> [165.22.217.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231053/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_16; classtype:trojan-activity; sid:91231053; rev:1;) alert tcp $HOME_NET any -> [103.146.179.78] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231051; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 12644 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231052; rev:1;) alert tcp $HOME_NET any -> [20.127.240.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231050; rev:1;) alert tcp $HOME_NET any -> [101.43.30.194] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231049; rev:1;) alert tcp $HOME_NET any -> [165.22.209.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231048; rev:1;) alert tcp $HOME_NET any -> [82.157.17.230] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231047; rev:1;) alert tcp $HOME_NET any -> [175.178.8.109] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231046; rev:1;) alert tcp $HOME_NET any -> [47.97.71.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231044; rev:1;) alert tcp $HOME_NET any -> [220.163.125.38] 5678 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231045; rev:1;) alert tcp $HOME_NET any -> [121.4.50.245] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231043; rev:1;) alert tcp $HOME_NET any -> [101.43.252.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; 
sid:91231041; rev:1;) alert tcp $HOME_NET any -> [165.22.220.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231042; rev:1;) alert tcp $HOME_NET any -> [1.94.38.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231040; rev:1;) alert tcp $HOME_NET any -> [39.108.142.219] 64412 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231038; rev:1;) alert tcp $HOME_NET any -> [154.12.88.29] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231039; rev:1;) alert tcp $HOME_NET any -> [101.200.84.39] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231037; rev:1;) alert tcp $HOME_NET any -> [107.151.246.214] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231035; rev:1;) alert tcp $HOME_NET any -> [45.76.76.58] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231036; rev:1;) alert tcp $HOME_NET any -> [107.151.246.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231034; rev:1;) alert tcp $HOME_NET any -> [165.22.222.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231032; rev:1;) alert tcp $HOME_NET any -> [185.196.9.231] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231033; rev:1;) alert tcp $HOME_NET any -> [107.172.157.199] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231031; rev:1;) alert tcp $HOME_NET any -> [149.88.70.64] 
80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231029; rev:1;) alert tcp $HOME_NET any -> [149.88.70.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231030; rev:1;) alert tcp $HOME_NET any -> [38.207.165.215] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231028; rev:1;) alert tcp $HOME_NET any -> [165.22.211.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231027; rev:1;) alert tcp $HOME_NET any -> [8.210.236.92] 5678 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231026; rev:1;) alert tcp $HOME_NET any -> [164.90.184.252] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231024/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231024; rev:1;) alert tcp $HOME_NET any -> [103.150.10.15] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231025; rev:1;) alert tcp $HOME_NET any -> [120.48.58.156] 3386 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231023; rev:1;) alert tcp $HOME_NET any -> [91.92.255.227] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap816639-7.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231021; rev:1;) alert tcp $HOME_NET any -> [98.66.154.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231020; rev:1;) alert tcp $HOME_NET any -> [8.134.192.169] 8081 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231018; rev:1;) alert tcp $HOME_NET any -> [45.11.46.63] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231019; rev:1;) alert tcp $HOME_NET any -> [43.139.91.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231017; rev:1;) alert tcp $HOME_NET any -> [38.207.178.41] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231016; rev:1;) alert tcp $HOME_NET any -> [123.60.168.6] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231015; rev:1;) alert tcp $HOME_NET any -> [141.11.136.124] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231014/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_16; classtype:trojan-activity; sid:91231014; rev:1;) alert tcp $HOME_NET any -> [39.103.146.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231012; rev:1;) alert tcp $HOME_NET any -> [54.152.134.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231013; rev:1;) alert tcp $HOME_NET any -> [150.158.144.112] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-43-204-108-99.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231010; rev:1;) alert tcp $HOME_NET any -> [46.246.82.163] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231009; rev:1;) alert tcp $HOME_NET any -> [107.150.7.246] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cachewebspace.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230996; rev:1;) alert tcp $HOME_NET any -> [51.81.69.81] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230997; rev:1;) alert tcp $HOME_NET any -> [88.119.175.241] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230998; rev:1;) alert tcp $HOME_NET any -> [89.208.107.232] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230999; rev:1;) alert tcp $HOME_NET any -> [173.44.141.79] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231004; rev:1;) alert tcp $HOME_NET any -> [123.207.56.214] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; 
content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"privatebankinghsbc.blogspot.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"privatebankinghsbc.blogspot.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230994; rev:1;) alert 
tcp $HOME_NET any -> [80.92.204.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"chaseonlineprivatebanking.blogspot.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chaseonlineprivatebanking.blogspot.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230992; rev:1;) alert tcp $HOME_NET any -> [34.147.142.69] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; 
sid:91230989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.244.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"service-pgxnje5g-1307231181.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230983; rev:1;) alert tcp $HOME_NET any -> [111.229.187.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230982; rev:1;) alert tcp $HOME_NET any -> [115.135.103.166] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230981; rev:1;) alert tcp $HOME_NET any -> [185.73.124.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"185.234.216.102"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmas.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmas.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmas.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; 
http.host; content:"cstmsklmnaopstrlmasistan.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistan.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistans.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistans.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistans.com"; depth:29; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1230977/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230977; rev:1;) alert tcp $HOME_NET any -> [54.200.228.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230979; rev:1;) alert tcp $HOME_NET any -> [110.43.34.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230978; rev:1;) alert tcp $HOME_NET any -> [95.217.243.230] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230966; rev:1;) alert tcp $HOME_NET any -> [159.69.102.168] 7575 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230967; rev:1;) alert tcp $HOME_NET any -> [65.21.187.53] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199612212584"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lve24v"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.187.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.230"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230961; rev:1;) alert tcp $HOME_NET any -> [118.221.65.69] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230960/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230960; rev:1;) alert tcp $HOME_NET any -> [172.93.222.149] 8809 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230959; rev:1;) alert tcp $HOME_NET any -> [34.96.149.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230958; rev:1;) alert tcp $HOME_NET any -> [3.70.47.231] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230957/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e50ac16f7b113954.php"; depth:21; nocase; http.host; content:"149.255.35.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230956/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_16; classtype:trojan-activity; sid:91230956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91230955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91230954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91230953; rev:1;) alert tcp $HOME_NET any -> [175.24.175.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230952/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dd341/index.php"; depth:16; nocase; http.host; content:"ddbl.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4async/windows/packetvideo_/geopollphp/40/protecttrackdownloads/wordpress4packet/linux7/protect/apiprotectbasewp/temporary8asyncauth/eternalphppacketgeoupdateflowerdownloads.php"; depth:178; nocase; http.host; content:"89.185.84.52"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/720/game/centralprovider/toupdatedefault.php"; depth:45; nocase; http.host; content:"176.123.168.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0899768.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230948; rev:1;) alert tcp $HOME_NET any -> [41.99.178.129] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230947; rev:1;) alert tcp $HOME_NET any -> [83.22.228.184] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"scorelineupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.127"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230940; rev:1;) alert tcp $HOME_NET any -> [109.107.182.26] 14895 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"phinetik.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230945; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 13904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230943; rev:1;) alert tcp $HOME_NET any -> [45.95.169.102] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230941; rev:1;) alert tcp $HOME_NET any -> [61.19.254.6] 8091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230927; rev:1;) alert tcp $HOME_NET any -> [154.53.52.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexlab.azure-api.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230930; rev:1;) alert tcp $HOME_NET any -> [77.83.246.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"vortexlab.azure-api.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230932; rev:1;) alert tcp $HOME_NET any -> [165.22.209.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230933; rev:1;) alert tcp $HOME_NET any -> [165.22.217.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230934/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"165.22.209.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"165.22.220.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"165.22.209.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"165.22.220.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230938; rev:1;) alert tcp $HOME_NET any -> [124.220.224.87] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230929; rev:1;) alert tcp $HOME_NET any -> [95.217.55.214] 28306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-bauue492-1309306755.gz.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bauue492-1309306755.gz.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"3.89.126.230"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.120.46.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"23.224.61.51"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.92.216.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.92.219.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230919; rev:1;) alert tcp $HOME_NET any -> [175.178.23.244] 8044 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230916; rev:1;) alert tcp $HOME_NET any -> [1.14.28.172] 9088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31dd08d447d463d4.php"; depth:21; nocase; http.host; content:"77.105.132.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230918; rev:1;) alert tcp $HOME_NET any -> [149.88.80.30] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230915; rev:1;) alert tcp $HOME_NET any -> [3.89.126.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230910; rev:1;) alert tcp $HOME_NET any -> [40.124.87.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; 
classtype:trojan-activity; sid:91230912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"40.124.87.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"40.124.87.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b17/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lz4.tiktok123.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b17/fre.php"; depth:12; 
nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230908; rev:1;) alert tcp $HOME_NET any -> [193.142.59.209] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230905; rev:1;) alert tcp $HOME_NET any -> [176.31.21.3] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/vmpythonsqllinuxwordpresslocaltemptemporary.php"; depth:48; nocase; http.host; content:"009788cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"af31462241.little574.dog"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ad83067819.politician407.cc"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ah24319910.little574.dog"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ah48793979.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence 
level: 100%)"; dns_query; content:"ak14365841.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ax82528484.paste518.cyou"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bi77461158.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bp61431860.weekend956.agency"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bq20940184.hole579.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bz56223611.supper728.gifts"; depth:26; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ca70104711.party257.engineer"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cg26555208.temple357.careers"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ch27390466.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ck36970538.keep822.cam"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ck38055632.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cq69947833.laugh687.delivery"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cx51318470.bus527.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dc30117151.wide227.dog"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dk13597652.block714.mobi"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dp26034124.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230754/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:bad-unknown; sid:91230754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ds88277251.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"eba18.ffox.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ef27127706.door111.network"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ei23992012.passenger210.bar"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"em89206696.arch535.industries"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230759; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"em92287661.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"eu20976880.bit681.center"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fb28343398.temple321.bar"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fd76829342.depth305.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fn22214993.hinder799.cyou"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence 
level: 100%)"; dns_query; content:"fp8565340.temple321.bar"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fz19876324.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fz97829124.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gk66765425.hole579.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gq77935519.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gq97717721.blind227.boutique"; depth:28; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gz52395619.weekend956.agency"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hw27367815.severe373.asia"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hz86232397.mnvps.live"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ic10353896.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"it38469760.passenger210.bar"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"iv20033491.she583.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"iz83661546.fasten466.golf"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jd56933392.hand995.camp"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kd37039685.severe373.asia"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kh40424217.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230780/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:bad-unknown; sid:91230780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kp96190005.laugh687.delivery"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kw2199162.hand995.camp"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ky72778169.nothing536.loan"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"li75628279.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lp37095324.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230785; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lu37005322.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ma16394068.arch535.industries"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"my49898597.party257.engineer"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"na98470849.severe373.asia"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"nd11950863.bind853.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain 
- confidence level: 100%)"; dns_query; content:"ne13599891.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ng79410170.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"nj42584278.salt204.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ns13102412.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"oj83725790.hinder799.cyou"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"op10194629.mn-vps.art"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"op89216989.flavor540.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"oq67557328.depth305.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pe3839026.subject403.quest"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ox42878257.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pd87452203.listen884.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pj69707064.bus527.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"profiyou.ffox.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pt30120535.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qd94153140.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qi32775626.subject403.quest"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230806/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_15; classtype:bad-unknown; sid:91230806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qi85741768.bus527.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qx13279925.subject403.quest"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ra78188285.bind853.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ru35757716.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"rw2678233.hole579.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230811; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"rx74588942.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sam2ur5.ffox.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sr43121329.bit681.center"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"td53771365.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"to82078409.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; 
dns_query; content:"tu60621748.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tx11121533.wide227.dog"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tz3839388.little574.dog"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"u8vaaaa.ffox.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"uh42219679.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"un5.ffox.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1230824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"um67804342.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"un11z.ffox.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"unitcapervhost67405.lowhost.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"up47852607.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ve19ve.ffox.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230827/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:bad-unknown; sid:91230827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"vn44479387.party257.engineer"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"vo99726097.hand995.camp"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"vz61763422.permanent875.center"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wa17139521.paste518.cyou"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"walltraf.ffox.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230832; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wh71712897.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wi70718111.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wp9127968.flavor540.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wz62802319.temple357.careers"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wz91076974.composition375.digital"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card 
skimming (domain - confidence level: 100%)"; dns_query; content:"xc50801004.mnvps.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"xp23013920.frighten164.men"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yf99616650.fasten466.golf"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yg89130451.literature539.space"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yh70522246.wide227.dog"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"ym97779850.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cloud-info.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yp29618907.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"data-stat.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.micspanel.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.omapapi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"static.extenmap.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"static.leadfeedssl.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"web.heapstatic.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jquery-on.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"webstatics.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; 
classtype:bad-unknown; sid:91230886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"checkout-cdn.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gtagagent.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqueurystatic.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"doogle-analytics.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"doogle-analytics.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card 
skimming (domain - confidence level: 100%)"; dns_query; content:"doogle-analytics.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-cdn.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-min.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-checker.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-rest.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-cloud-min.xyz"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-cloud-cdn.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"shipping-manager.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"checkout-cdn.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tracker.web-cockpit.jp"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mn-vps.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230902/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"zi30717909.war740.engineer"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"politician407.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"zv3305370.weekend956.agency"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"little574.dog"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"paste518.cyou"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"weekend956.agency"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hole579.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"temple357.careers"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"party257.engineer"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"operator595.city"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"keep822.cam"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"laugh687.delivery"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wide227.dog"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ffox.site"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"arch535.industries"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bit681.center"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230860/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:bad-unknown; sid:91230860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hinder799.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"circle504.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"severe373.asia"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mnvps.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"she583.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card 
skimming (domain - confidence level: 100%)"; dns_query; content:"fasten466.golf"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hand995.camp"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"nothing536.loan"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mn-vps.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"flavor540.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"listen884.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1230871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"subject403.quest"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lowhost.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"permanent875.center"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"composition375.digital"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mnvps.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; 
classtype:bad-unknown; sid:91230876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"frighten164.men"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cleanlogo/index.php"; depth:20; nocase; http.host; content:"94.156.65.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colorschemeas.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"call.colorschemeas.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230733; rev:1;) alert tcp $HOME_NET any -> [193.233.74.8] 37369 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230731; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"1.12.231.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.130.116.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.130.116.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"144.217.252.172"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230724; rev:1;) alert tcp $HOME_NET any -> [142.202.190.140] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230723; rev:1;) alert tcp $HOME_NET any -> [65.109.241.139] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230720; rev:1;) alert tcp $HOME_NET any -> [65.109.240.203] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230721; rev:1;) alert tcp $HOME_NET any -> [128.140.123.120] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230718; rev:1;) alert tcp $HOME_NET any -> [116.202.0.196] 10220 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.123.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230715; rev:1;) alert tcp $HOME_NET any -> [91.92.242.184] 2602 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230714; rev:1;) alert tcp $HOME_NET any -> [91.92.242.184] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230713; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 62984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/j.ad"; depth:5; nocase; http.host; content:"106.55.199.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.55.199.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"103.239.247.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230707/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.43.46.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"42.193.119.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.46.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230703; rev:1;) alert tcp $HOME_NET any -> [103.148.202.10] 53 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230702; rev:1;) alert tcp $HOME_NET any -> [103.148.202.12] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mht_image/"; depth:11; nocase; http.host; content:"success.165gov.cyou"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.42.172.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"176.32.38.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; 
sid:91230698; rev:1;) alert tcp $HOME_NET any -> [8.209.65.99] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230697; rev:1;) alert tcp $HOME_NET any -> [47.120.46.210] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0902645.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230695; rev:1;) alert tcp $HOME_NET any -> [91.92.249.113] 21076 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230694; rev:1;) alert tcp $HOME_NET any -> [109.234.34.210] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.16.39.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230692; rev:1;) alert tcp $HOME_NET any -> [91.92.254.40] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"event.coachgreb.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"coachgreb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230671/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:trojan-activity; sid:91230671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"51.81.69.81"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ficinity.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230673; rev:1;) alert tcp $HOME_NET any -> [54.190.125.162] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230689; rev:1;) alert tcp $HOME_NET any -> [182.92.216.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230688; rev:1;) alert tcp $HOME_NET any -> [23.224.61.51] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; 
classtype:trojan-activity; sid:91230687; rev:1;) alert tcp $HOME_NET any -> [111.241.144.169] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_15; classtype:trojan-activity; sid:91230686; rev:1;) alert tcp $HOME_NET any -> [34.211.241.194] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx341/index.php"; depth:16; nocase; http.host; content:"lxbn.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7493c28b.php"; depth:13; nocase; http.host; content:"a0904877.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230683; rev:1;) alert tcp $HOME_NET any -> [94.156.64.207] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; 
classtype:trojan-activity; sid:91230682; rev:1;) alert tcp $HOME_NET any -> [3.89.126.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumpeternal/videosecureprocessprocessorwindowsasyncdlelocal.php"; depth:64; nocase; http.host; content:"82.97.243.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm65543.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230678; rev:1;) alert tcp $HOME_NET any -> [92.246.136.222] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230677; rev:1;) alert tcp $HOME_NET any -> [195.20.16.224] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230676; rev:1;) alert tcp $HOME_NET any -> [193.233.255.122] 2314 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230675; rev:1;) alert tcp $HOME_NET any -> [213.57.235.107] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230674; rev:1;) alert tcp $HOME_NET any -> [94.249.3.0] 6565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230669; rev:1;) alert tcp $HOME_NET any -> [94.49.28.52] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230668; rev:1;) alert tcp $HOME_NET any -> 
[37.186.54.251] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230667; rev:1;) alert tcp $HOME_NET any -> [37.210.244.83] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230666; rev:1;) alert tcp $HOME_NET any -> [152.18.160.130] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230665; rev:1;) alert tcp $HOME_NET any -> [209.73.143.227] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230664; rev:1;) alert tcp $HOME_NET any -> [3.25.93.101] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230663; rev:1;) alert tcp $HOME_NET any -> [120.132.83.136] 6443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230662/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_01_14; classtype:trojan-activity; sid:91230662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0906284.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230661; rev:1;) alert tcp $HOME_NET any -> [93.44.164.107] 6024 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230660; rev:1;) alert tcp $HOME_NET any -> [47.108.175.149] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linecpubigloadmultidblinuxasyncuniversaldatalifedownloads.php"; depth:62; nocase; http.host; content:"837565cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/privatetrack/6voiddbprivate/877image/polllinuxwp.php"; depth:53; nocase; http.host; content:"188.120.226.211"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fooddrinks.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230656; rev:1;) alert tcp $HOME_NET any -> [38.242.201.250] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thinkvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uniquevncvbnxc.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitevncvbnxc.website"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamvncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smartvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simplevncvbnxc.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paintvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230611/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowvncvbnxc.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ourvncvbnxc.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhasachlaocai.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbdasfhdsfdshgiksd.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilikefggfdbvcbvcbc.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230605; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lodgevncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accuratevncvbnxc.website"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dichvuhp.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epicvncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestofvncvbnxc.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"clubvncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230601; rev:1;) alert tcp $HOME_NET any -> [138.201.8.186] 8001 (msg:"ThreatFox DUCKTAIL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230597; rev:1;) alert tcp $HOME_NET any -> [23.88.71.29] 8000 (msg:"ThreatFox DUCKTAIL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230598; rev:1;) alert tcp $HOME_NET any -> [138.201.8.186] 8000 (msg:"ThreatFox DUCKTAIL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230596; rev:1;) alert tcp $HOME_NET any -> [149.248.18.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230586; rev:1;) alert tcp $HOME_NET any -> [213.248.43.127] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230589/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_14; classtype:trojan-activity; sid:91230589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230588; rev:1;) alert tcp $HOME_NET any -> [149.88.75.218] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustihkl.lol"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230592; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1230593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230593; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micrcscft-store.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtualvncvbnxc.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcappeal.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcbox.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230620/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_14; classtype:trojan-activity; sid:91230620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxccafe.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcexpertise.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcfaq.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcfast.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcgenius.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230625; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcgiant.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxchero.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcmd.website"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcnatural.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcoffer.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vncvbnxcpraise.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcright.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcsave.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcseeker.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcsizable.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcsoup.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1230636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcthrilling.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcvalue.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcwhiz.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcxchange.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikivncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230641/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_14; classtype:trojan-activity; sid:91230641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cookie.dichvuhp.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maixunkeji.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230648; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230654/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230654; rev:1;) alert tcp $HOME_NET any -> [81.19.216.77] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.236.244.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ga.js"; depth:6; nocase; http.host; content:"8.136.241.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230649; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"120.24.179.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.14.92.24"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.43.30.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230585; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"31.41.244.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamisto.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist1.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230526/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist2.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230527/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist3.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist4.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist5.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"4ht227ce29z6.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; 
nocase; http.host; content:"r85d4kbe5729.vip"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"6kd020yb568x.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230533/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230533; rev:1;) alert tcp $HOME_NET any -> [193.134.211.62] 23333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230557; rev:1;) alert tcp $HOME_NET any -> [193.134.211.62] 24444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230558; rev:1;) alert tcp $HOME_NET any -> [45.157.11.10] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_14; classtype:trojan-activity; sid:91230569; rev:1;) alert tcp $HOME_NET any -> [54.252.142.240] 14280 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"f2kic1nam25n81k.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"99ol9f44xvgo.cn"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230535/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230535; rev:1;) alert tcp $HOME_NET any -> [209.141.56.114] 12500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bofeng.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230536; rev:1;) alert tcp $HOME_NET any -> [45.61.185.156] 62212 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1230541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230541; rev:1;) alert tcp $HOME_NET any -> [45.61.185.156] 62213 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230542; rev:1;) alert tcp $HOME_NET any -> [205.234.181.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"debasesingle.life"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230556; rev:1;) alert tcp $HOME_NET any -> [138.201.92.7] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230584; rev:1;) alert tcp $HOME_NET any -> [176.44.93.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230583; rev:1;) alert tcp $HOME_NET any 
-> [74.12.147.6] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230582; rev:1;) alert tcp $HOME_NET any -> [41.96.118.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230581; rev:1;) alert tcp $HOME_NET any -> [200.109.203.57] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230580; rev:1;) alert tcp $HOME_NET any -> [193.222.96.163] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230579; rev:1;) alert tcp $HOME_NET any -> [58.181.97.19] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230578; rev:1;) alert tcp $HOME_NET any -> [135.181.39.81] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230577/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230577; rev:1;) alert tcp $HOME_NET any -> [193.3.19.167] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0904422.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230575; rev:1;) alert tcp $HOME_NET any -> [217.138.206.254] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230574/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230574; rev:1;) alert tcp $HOME_NET any -> [185.200.246.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230573/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230573; rev:1;) alert tcp $HOME_NET any -> [45.136.199.30] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230570/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230570; rev:1;) alert tcp $HOME_NET any -> [13.229.3.203] 18777 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230568; rev:1;) alert tcp $HOME_NET any -> [52.220.121.212] 18777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230567; rev:1;) alert tcp $HOME_NET any -> [18.136.148.247] 18777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230566; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230565/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230565; rev:1;) alert tcp $HOME_NET any -> [89.208.106.112] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230564; rev:1;) alert tcp $HOME_NET any -> [47.115.220.95] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230563/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230563; rev:1;) alert tcp $HOME_NET any -> [5.101.0.60] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230562; rev:1;) alert tcp $HOME_NET any -> [5.101.1.60] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230561; rev:1;) alert tcp $HOME_NET any -> [216.218.135.117] 90 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230560; rev:1;) alert tcp $HOME_NET any -> [106.55.199.146] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230559/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz07639.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230554; rev:1;) alert tcp $HOME_NET any -> [98.66.161.180] 8848 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230553; rev:1;) alert tcp $HOME_NET any -> [23.93.69.203] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230552; rev:1;) alert tcp $HOME_NET any -> [41.96.4.108] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230551; rev:1;) alert tcp $HOME_NET any -> [31.190.243.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230550; rev:1;) alert tcp $HOME_NET any -> [13.235.248.157] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230549; rev:1;) alert tcp $HOME_NET any -> [141.94.69.198] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; 
classtype:trojan-activity; sid:91230548; rev:1;) alert tcp $HOME_NET any -> [90.46.97.127] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230547; rev:1;) alert tcp $HOME_NET any -> [23.94.198.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230546; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 3510 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230545; rev:1;) alert tcp $HOME_NET any -> [134.175.125.207] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230544; rev:1;) alert tcp $HOME_NET any -> [193.3.19.167] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; 
nocase; http.host; content:"139.9.196.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.9.196.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.197.99.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230537; rev:1;) alert tcp $HOME_NET any -> [104.233.140.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fashionlazynavyresewg.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230519; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v8sjh3hs8/index.php"; depth:20; nocase; http.host; content:"185.172.128.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230521; rev:1;) alert tcp $HOME_NET any -> [47.97.46.39] 6543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns543320.ip-144-217-252.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230508/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230508; rev:1;) alert tcp $HOME_NET any -> [144.217.252.172] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.cbhhb.com.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230514; rev:1;) alert tcp $HOME_NET any -> [8.218.123.22] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.218.123.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"ns1.cbhhb.com.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230517/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"ns1.cbhhb.com.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"101.34.28.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.218.123.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230512; rev:1;) alert tcp $HOME_NET any -> [101.168.22.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230511; rev:1;) alert tcp $HOME_NET any -> [60.205.115.92] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1230510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230510; rev:1;) alert tcp $HOME_NET any -> [3.84.20.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230492; rev:1;) alert tcp $HOME_NET any -> [88.214.58.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230493; rev:1;) alert tcp $HOME_NET any -> [15.207.223.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230494; rev:1;) alert tcp $HOME_NET any -> [54.167.18.211] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230495; rev:1;) alert tcp $HOME_NET any -> [89.147.111.188] 4455 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230496; rev:1;) alert tcp $HOME_NET any -> 
[54.167.18.211] 11337 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230497; rev:1;) alert tcp $HOME_NET any -> [213.248.43.48] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230500; rev:1;) alert tcp $HOME_NET any -> [45.15.156.186] 29975 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; 
classtype:trojan-activity; sid:91230502; rev:1;) alert tcp $HOME_NET any -> [193.223.105.158] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230505; rev:1;) alert tcp $HOME_NET any -> [31.117.169.56] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"167.99.75.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230490; rev:1;) alert tcp $HOME_NET any -> [45.154.24.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230489; rev:1;) alert tcp $HOME_NET any -> [66.204.14.246] 1099 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230488; rev:1;) alert tcp $HOME_NET any -> [91.92.245.54] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230487; rev:1;) alert tcp $HOME_NET any -> [20.239.152.186] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230486; rev:1;) alert tcp $HOME_NET any -> [147.135.85.114] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230485; rev:1;) alert tcp $HOME_NET any -> [41.97.246.37] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230484; rev:1;) alert tcp $HOME_NET any -> [90.4.110.126] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230483; rev:1;) alert tcp $HOME_NET any -> [18.201.9.92] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; 
classtype:trojan-activity; sid:91230482; rev:1;) alert tcp $HOME_NET any -> [84.32.188.80] 65534 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230481; rev:1;) alert tcp $HOME_NET any -> [193.222.96.163] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230480; rev:1;) alert tcp $HOME_NET any -> [20.199.89.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230479; rev:1;) alert tcp $HOME_NET any -> [164.92.79.49] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230478; rev:1;) alert tcp $HOME_NET any -> [47.74.90.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230477; rev:1;) alert tcp $HOME_NET any -> [13.235.248.157] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230476; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9200 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230475; rev:1;) alert tcp $HOME_NET any -> [137.184.185.109] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7linuxlinux/basedle/geojavascript7/8processsql/lineimagevideouniversal/testdump/cdn0/to1eternal/3uploadsasync/localbigloadlinux/phpbaseprocess/processpython/5/processexternalgenerator/_eternalprovider/authlongpoll/vmlinepipesecurecpuprotectwindows.php"; depth:252; nocase; http.host; content:"89.23.115.8"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230473; rev:1;) alert tcp $HOME_NET any -> [47.236.244.14] 60001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230472/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//5.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//7.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//4.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//2.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//3.jpg"; depth:9; nocase; http.host; 
content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//1.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//6.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageupdateprotectasynctrafficdatalifecentral.php"; depth:50; nocase; http.host; content:"147.45.196.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230464; rev:1;) alert tcp $HOME_NET any -> [20.79.30.95] 33223 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230458; rev:1;) 
alert tcp $HOME_NET any -> [141.95.211.148] 46011 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"analysisswellenterw.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dashboard.renovationsruth.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230454; rev:1;) alert tcp $HOME_NET any -> [66.135.17.87] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.min.js"; depth:11; nocase; http.host; content:"webcachedata.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; 
sid:91230456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j6yd"; depth:5; nocase; http.host; content:"1.94.97.134"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_13; classtype:trojan-activity; sid:91230463; rev:1;) alert tcp $HOME_NET any -> [167.99.75.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230462; rev:1;) alert tcp $HOME_NET any -> [5.75.165.62] 34937 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230461; rev:1;) alert tcp $HOME_NET any -> [103.176.178.88] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"192.3.80.202"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230457; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linerequestpacketlowgeoprocessorlongpolldbdleprivate.php"; depth:57; nocase; http.host; content:"898082lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230453; rev:1;) alert tcp $HOME_NET any -> [77.105.132.124] 2525 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h5oq"; depth:5; nocase; http.host; content:"54.186.231.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kw3h"; depth:5; nocase; http.host; content:"146.190.120.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bl341/index.php"; depth:16; nocase; http.host; 
content:"blbl1.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w4hj"; depth:5; nocase; http.host; content:"47.252.17.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230448; rev:1;) alert tcp $HOME_NET any -> [119.188.247.158] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230446; rev:1;) alert tcp $HOME_NET any -> [189.253.229.70] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230445; rev:1;) alert tcp $HOME_NET any -> [46.105.73.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230444; rev:1;) alert tcp $HOME_NET any -> [54.185.217.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230443/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hsyluctr-1252427727.bj.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-9sehd1r7-1252427727.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ye0kr1n.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"965keji.cn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; 
classtype:trojan-activity; sid:91230431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaowanyouqian.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"site.dev.hutechweb.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"965keji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h4bflh"; depth:7; nocase; http.host; content:"service.specialcraftbox.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230427/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mali.siegemachine.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kqgrxb"; depth:7; nocase; http.host; content:"soft.specialcraftbox.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yrhyeesre"; depth:10; nocase; http.host; content:"stone.betradingway.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/station"; depth:8; nocase; http.host; content:"goaway.betradingway.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prestart"; depth:9; nocase; http.host; content:"goto.lineferaline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"places.creeksidehuntingpreserve.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"places.creeksidehuntingpreserve.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"creeksidehuntingpreserve.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; 
content:"lazittarl.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.238.247.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"lazittarl.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"refillpantrysd.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"surprise.refillpantrysd.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; 
classtype:trojan-activity; sid:91230424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.119.175.241"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230425; rev:1;) alert tcp $HOME_NET any -> [44.221.115.240] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dracumi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230441; rev:1;) alert tcp $HOME_NET any -> [35.75.17.163] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carrefour-uat.sumikuma.tw"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230439; rev:1;) alert tcp $HOME_NET any -> 
[149.210.56.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/virgin/leo/gate.php"; depth:20; nocase; http.host; content:"fishery.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230437; rev:1;) alert tcp $HOME_NET any -> [91.92.255.187] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230426/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230426; rev:1;) alert tcp $HOME_NET any -> [195.20.16.210] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230420; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230410; rev:1;) alert tcp $HOME_NET any -> [185.125.56.177] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de4846fc29f26952.php"; depth:21; nocase; http.host; content:"109.107.181.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230408; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 15595 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230407; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 15595 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230406; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 15595 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736628.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230404/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230404; rev:1;) alert tcp $HOME_NET any -> [45.94.58.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230403; rev:1;) alert tcp $HOME_NET any -> [112.196.45.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230402; rev:1;) alert tcp $HOME_NET any -> [20.33.38.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230401; rev:1;) alert tcp $HOME_NET any -> [20.77.91.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230399; rev:1;) alert tcp $HOME_NET any -> [4.180.77.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230400; rev:1;) alert tcp $HOME_NET any -> [38.180.6.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230398; rev:1;) alert tcp $HOME_NET any -> [150.95.141.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230397; rev:1;) alert tcp $HOME_NET any -> [24.105.180.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230396; rev:1;) alert tcp $HOME_NET any -> [119.45.204.226] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230395; rev:1;) alert tcp $HOME_NET any -> [20.235.245.202] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230394; rev:1;) alert tcp $HOME_NET any -> [164.92.117.179] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230393/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_12; classtype:trojan-activity; sid:91230393; rev:1;) alert tcp $HOME_NET any -> [104.194.78.89] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230392; rev:1;) alert tcp $HOME_NET any -> [47.109.89.13] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230391; rev:1;) alert tcp $HOME_NET any -> [146.235.217.116] 1268 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230390; rev:1;) alert tcp $HOME_NET any -> [123.99.198.130] 14363 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230389; rev:1;) alert tcp $HOME_NET any -> [125.229.208.221] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230388; rev:1;) alert tcp $HOME_NET any -> [178.20.47.103] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230387; rev:1;) alert tcp $HOME_NET any -> [188.240.121.104] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230386; rev:1;) alert tcp $HOME_NET any -> [5.206.224.18] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"animegalaxys.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foxee4.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230383; rev:1;) alert tcp $HOME_NET any -> [91.224.92.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; 
sid:91230382; rev:1;) alert tcp $HOME_NET any -> [64.31.63.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liquiditv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.liquiditv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230379; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230378; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230377; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230376/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230376; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230375/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230375; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230374/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230374; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230372/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230372; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230373/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230373; rev:1;) alert tcp $HOME_NET any -> [104.193.69.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230371/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230371; rev:1;) alert tcp $HOME_NET any -> [105.98.70.154] 
6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230370; rev:1;) alert tcp $HOME_NET any -> [139.9.196.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230369; rev:1;) alert tcp $HOME_NET any -> [74.119.193.190] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230368; rev:1;) alert tcp $HOME_NET any -> [74.119.193.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230367; rev:1;) alert tcp $HOME_NET any -> [139.196.24.227] 50501 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230366; rev:1;) alert tcp $HOME_NET any -> [192.74.237.132] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230365/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230365; rev:1;) alert tcp $HOME_NET any -> [192.3.80.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230364; rev:1;) alert tcp $HOME_NET any -> [123.57.181.89] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230363; rev:1;) alert tcp $HOME_NET any -> [120.26.196.41] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230362; rev:1;) alert tcp $HOME_NET any -> [20.2.223.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230361; rev:1;) alert tcp $HOME_NET any -> [8.217.174.23] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230360; rev:1;) alert tcp $HOME_NET any -> [188.166.22.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230358; rev:1;) alert tcp $HOME_NET any -> [51.254.33.199] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"wcs.microsoftwindows.cloud"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugmanzx.exe"; depth:26; nocase; http.host; content:"prime.topendpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230350; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prime.topendpower.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/linczx.exe"; depth:23; nocase; http.host; content:"link.blueyonderllc.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"link.blueyonderllc.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"topendpower.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueyonderllc.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230355; rev:1;) alert tcp 
$HOME_NET any -> [154.197.99.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerimagerequestwindowswpprivate.php"; depth:41; nocase; http.host; content:"45.87.246.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230348; rev:1;) alert tcp $HOME_NET any -> [91.92.255.203] 5050 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"elakarraru.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"elakarraru.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230345/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230345; rev:1;) alert tcp $HOME_NET any -> [91.92.255.187] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230344; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"66.119.15.241"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"49.65.96.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"39.104.20.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"209.146.124.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230336; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/637-08770317-9137754/field-keywords=woman"; depth:61; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230334; rev:1;) alert tcp $HOME_NET any -> [45.67.230.205] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230333; rev:1;) alert tcp $HOME_NET any -> [2.58.85.236] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230332/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"209.146.124.195"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1230331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"66.119.15.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230330; rev:1;) alert tcp $HOME_NET any -> [139.9.196.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230329/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230329; rev:1;) alert tcp $HOME_NET any -> [66.119.15.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggee.buzz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230283; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 6554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; 
classtype:trojan-activity; sid:91230279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yudsasd.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230281; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 50105 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yudsasd.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ggee.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigmoney.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"www.bigmoney.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.globalmoney.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"globalmoney.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230287; rev:1;) alert tcp $HOME_NET any -> [185.130.47.125] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"codecruncher.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230295; rev:1;) alert tcp $HOME_NET any -> [45.130.201.22] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230297/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230297; rev:1;) alert tcp $HOME_NET any -> [2.58.14.243] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230327; rev:1;) alert tcp $HOME_NET any -> [74.12.147.43] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230326; rev:1;) alert tcp $HOME_NET any -> [95.179.140.252] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230325; rev:1;) alert tcp $HOME_NET any -> [172.105.109.228] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230324; rev:1;) alert tcp $HOME_NET any -> [136.0.3.240] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230323/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230323; rev:1;) alert tcp $HOME_NET any -> [136.0.3.240] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230322/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230322; rev:1;) alert tcp $HOME_NET any -> [64.23.155.109] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230321/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230321; rev:1;) alert tcp $HOME_NET any -> [13.235.248.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230320/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230320; rev:1;) alert tcp $HOME_NET any -> [3.253.120.29] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/process4local/javascriptexternaltrack/geopipe4/provider/mariadb2downloads/7public7private/temp/universaltemporary/0api6/update_/5/4processor/3testgeo/traffic/providerimagepipeto_apiprivate.php"; depth:193; nocase; http.host; content:"62.109.28.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externallinetomultiasyncwp.php"; depth:31; nocase; http.host; content:"95.163.228.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230317; rev:1;) alert tcp $HOME_NET any -> [209.146.124.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230316; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230315; rev:1;) alert tcp $HOME_NET any -> [39.101.177.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230314; rev:1;) alert tcp $HOME_NET any -> [44.237.77.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230313; rev:1;) alert tcp $HOME_NET any -> [185.81.157.183] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/v9-gzhsfuz8492wjynjitv7ouml6xe"; depth:48; nocase; http.host; content:"citrix-update.centralus.cloudapp.azure.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230311; rev:1;) alert tcp $HOME_NET any -> [60.204.249.156] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230310; rev:1;) alert tcp $HOME_NET any -> [145.239.83.165] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230309/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230309; rev:1;) alert tcp $HOME_NET any -> [49.49.140.40] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230308; rev:1;) alert tcp $HOME_NET any -> [54.89.165.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dde7q711skl5j.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"dde7q711skl5j.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d1dg7ete2wkysb.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1dg7ete2wkysb.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230304; rev:1;) alert tcp $HOME_NET any -> 
[220.69.33.144] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230302; rev:1;) alert tcp $HOME_NET any -> [192.74.238.23] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230301; rev:1;) alert tcp $HOME_NET any -> [47.216.198.63] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230300; rev:1;) alert tcp $HOME_NET any -> [120.78.156.73] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230299; rev:1;) alert tcp $HOME_NET any -> [139.84.228.75] 22669 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230298; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 1664 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230296/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230296; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.yuejinjianke.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.yuejinjianke.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumptemp10/track20/lowprocesslongpollserverdefaulttestprivatecdntemporary.php"; depth:78; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230289; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230276/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230276; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230277; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230278; rev:1;) alert tcp $HOME_NET any -> [14.225.210.98] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230275; rev:1;) alert tcp $HOME_NET any -> [83.213.157.103] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230274; rev:1;) alert tcp $HOME_NET any -> [40.120.52.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230273; rev:1;) alert tcp $HOME_NET any -> [111.30.29.23] 3335 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230272; rev:1;) alert tcp $HOME_NET any -> [123.58.210.31] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230271; rev:1;) alert tcp $HOME_NET any -> [103.101.224.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230270; rev:1;) alert tcp $HOME_NET any -> [146.185.22.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230269; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230268; rev:1;) alert tcp $HOME_NET any -> [152.136.49.42] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230267/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_11; classtype:trojan-activity; sid:91230267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-76-227-205.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havoc.redethics.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sc.zhanshizhan.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stupefied-banach.91-215-85-177.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230263; rev:1;) alert tcp $HOME_NET any -> [172.86.68.180] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230262; rev:1;) alert 
tcp $HOME_NET any -> [187.135.144.49] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230260; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230261; rev:1;) alert tcp $HOME_NET any -> [121.43.225.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230259; rev:1;) alert tcp $HOME_NET any -> [101.43.194.122] 886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230258; rev:1;) alert tcp $HOME_NET any -> [45.129.14.102] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230257; rev:1;) alert tcp $HOME_NET any -> [60.205.231.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230256; rev:1;) alert tcp $HOME_NET any -> [121.41.49.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230255; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230254; rev:1;) alert tcp $HOME_NET any -> [185.239.69.162] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230253; rev:1;) alert tcp $HOME_NET any -> [43.138.72.60] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230251; rev:1;) alert tcp $HOME_NET any -> [206.188.196.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230252; rev:1;) alert tcp $HOME_NET any -> [103.30.77.235] 8090 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230250; rev:1;) alert tcp $HOME_NET any -> [112.124.62.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230249; rev:1;) alert tcp $HOME_NET any -> [8.130.166.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230248; rev:1;) alert tcp $HOME_NET any -> [101.201.119.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230247; rev:1;) alert tcp $HOME_NET any -> [74.12.147.43] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230246; rev:1;) alert tcp $HOME_NET any -> [2.91.189.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230245/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230245; rev:1;) alert tcp $HOME_NET any -> [107.172.57.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/central/7/db8db/pollwordpress/serverauthtempdump/auth/server7line2/pipedatalife/poll4/linephpdatalife.php"; depth:106; nocase; http.host; content:"83.220.169.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230243; rev:1;) alert tcp $HOME_NET any -> [54.242.28.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230242; rev:1;) alert tcp $HOME_NET any -> [18.184.177.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230241; rev:1;) alert tcp $HOME_NET any -> [23.94.40.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; 
classtype:trojan-activity; sid:91230239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39342e34302e3132-rr.1u.ms"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gtbidding.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230238; rev:1;) alert tcp $HOME_NET any -> [45.56.105.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogs.graspthemes.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-56-105-235.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39352e3139372e313934-rr.1u.ms"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/v1.98/cyum68zbb6fh"; depth:24; nocase; http.host; content:"45.77.255.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/granted/e1q45fxnyqs9"; depth:28; nocase; http.host; content:"74.48.184.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230231; rev:1;) alert tcp $HOME_NET any -> [185.161.211.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/posting.html"; depth:13; nocase; http.host; content:"hostapimgmt.com"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1230228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostapimgmt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"176.32.38.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230227; rev:1;) alert tcp $HOME_NET any -> [78.92.112.76] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230226/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230226; rev:1;) alert tcp $HOME_NET any -> [8.218.123.22] 7654 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230224/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"liquisync.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230107/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_11; classtype:bad-unknown; sid:91230107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"js-utilities.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:bad-unknown; sid:91230108; rev:1;) alert tcp $HOME_NET any -> [123.207.45.112] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230220; rev:1;) alert tcp $HOME_NET any -> [103.146.140.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230219/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230219; rev:1;) alert tcp $HOME_NET any -> [51.21.137.60] 8009 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230218/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230218; rev:1;) alert tcp $HOME_NET any -> [96.44.166.186] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"recruitment60.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jmccarth.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodpantrybestpractices.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230212; rev:1;) alert tcp $HOME_NET any -> [107.170.86.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230211; rev:1;) alert tcp $HOME_NET any -> [176.9.38.220] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230210/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230210; rev:1;) alert tcp $HOME_NET any -> [141.95.100.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230209; rev:1;) alert tcp $HOME_NET any -> [222.234.220.156] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230207; rev:1;) alert tcp $HOME_NET any -> [216.249.175.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230206; rev:1;) alert tcp $HOME_NET any -> [52.29.110.121] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230205; rev:1;) alert tcp $HOME_NET any -> [20.235.6.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230204; rev:1;) alert tcp $HOME_NET any -> [107.174.156.151] 8333 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230203; rev:1;) alert tcp $HOME_NET any -> [40.90.254.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230201; rev:1;) alert tcp $HOME_NET any -> [3.127.68.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230202; rev:1;) alert tcp $HOME_NET any -> [124.221.28.34] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230200; rev:1;) alert tcp $HOME_NET any -> [122.169.64.215] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230199; rev:1;) alert tcp $HOME_NET any -> [52.23.33.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230198/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_11; classtype:trojan-activity; sid:91230198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-golick.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230197; rev:1;) alert tcp $HOME_NET any -> [91.92.252.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230196; rev:1;) alert tcp $HOME_NET any -> [5.181.7.60] 4831 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230195; rev:1;) alert tcp $HOME_NET any -> [195.20.16.210] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230194; rev:1;) alert tcp $HOME_NET any -> [8.217.83.74] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230193; rev:1;) alert tcp $HOME_NET any -> [115.74.20.156] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230192; rev:1;) alert tcp $HOME_NET any -> [47.76.181.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"namyonghospital.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadon.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230189; rev:1;) alert tcp $HOME_NET any -> [175.16.183.116] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyidh21.sbs"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230187/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_11; classtype:trojan-activity; sid:91230187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jino57.fvds.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanafb3.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev4.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230185; rev:1;) alert tcp $HOME_NET any -> [91.92.241.235] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowseacoin.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230183; rev:1;) alert tcp $HOME_NET any -> [18.141.3.52] 83 (msg:"ThreatFox Hook botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vasvasniks5.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.practical-hawking.159-89-8-28.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230179; rev:1;) alert tcp $HOME_NET any -> [65.20.106.42] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230178; rev:1;) alert tcp $HOME_NET any -> [34.171.179.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230177; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230176/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230176; rev:1;) alert tcp $HOME_NET any -> [190.28.171.243] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230175; rev:1;) alert tcp $HOME_NET any -> [185.81.157.148] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230173; rev:1;) alert tcp $HOME_NET any -> [74.222.22.137] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230174; rev:1;) alert tcp $HOME_NET any -> [187.24.11.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230172; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230171/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230171; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230169/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230169; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230170/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230170; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230168/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230168; rev:1;) alert tcp $HOME_NET any -> [45.32.106.247] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230167/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230167; rev:1;) alert tcp $HOME_NET any -> [45.67.34.151] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230166/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230166; rev:1;) alert tcp $HOME_NET any -> [192.71.26.172] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230164/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230164; rev:1;) 
alert tcp $HOME_NET any -> [1.94.125.189] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230165/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230165; rev:1;) alert tcp $HOME_NET any -> [158.220.115.82] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230163/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230163; rev:1;) alert tcp $HOME_NET any -> [5.8.10.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230162/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230162; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230161; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230159; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230160/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230160; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230158; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230157; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2309 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230155; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230156; rev:1;) alert tcp $HOME_NET any -> [79.137.199.167] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230154; rev:1;) alert tcp $HOME_NET any -> [106.55.199.146] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230153; rev:1;) alert tcp $HOME_NET any -> [91.92.243.197] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230151; rev:1;) alert tcp $HOME_NET any -> [91.92.243.197] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230152; rev:1;) alert tcp $HOME_NET any -> [91.92.243.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230150; rev:1;) alert tcp $HOME_NET any -> [47.92.219.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230148; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; 
classtype:trojan-activity; sid:91230149; rev:1;) alert tcp $HOME_NET any -> [101.43.144.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230147; rev:1;) alert tcp $HOME_NET any -> [124.223.220.137] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230146; rev:1;) alert tcp $HOME_NET any -> [59.110.15.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230145; rev:1;) alert tcp $HOME_NET any -> [8.137.107.50] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230144; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230143; rev:1;) alert tcp $HOME_NET any -> [114.132.197.186] 4438 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230142; rev:1;) alert tcp $HOME_NET any -> [39.105.2.113] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230141; rev:1;) alert tcp $HOME_NET any -> [39.105.2.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230140; rev:1;) alert tcp $HOME_NET any -> [103.234.72.88] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230139; rev:1;) alert tcp $HOME_NET any -> [8.140.254.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230137; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 8389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230138; rev:1;) alert tcp 
$HOME_NET any -> [47.236.244.14] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230136; rev:1;) alert tcp $HOME_NET any -> [66.112.210.81] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230135; rev:1;) alert tcp $HOME_NET any -> [114.55.226.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230134; rev:1;) alert tcp $HOME_NET any -> [38.54.68.65] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230132; rev:1;) alert tcp $HOME_NET any -> [91.240.118.233] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230133; rev:1;) alert tcp $HOME_NET any -> [121.41.17.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230131; rev:1;) alert tcp $HOME_NET any -> [103.30.77.235] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230130; rev:1;) alert tcp $HOME_NET any -> [94.156.64.124] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nz-us.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.onbuyhouses.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230128; rev:1;) alert tcp $HOME_NET any -> [2.56.10.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230126; rev:1;) alert tcp $HOME_NET any -> 
[93.153.68.186] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230125; rev:1;) alert tcp $HOME_NET any -> [93.153.68.186] 61125 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230124; rev:1;) alert tcp $HOME_NET any -> [149.102.235.34] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230123; rev:1;) alert tcp $HOME_NET any -> [149.102.235.34] 61125 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.blueseaedu.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.blueseaedu.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230116; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"150.158.13.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; 
http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.104.20.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.54.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230109; rev:1;) alert tcp $HOME_NET any -> [139.180.171.110] 22636 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230106/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230106; rev:1;) alert tcp $HOME_NET any -> [139.180.171.110] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230105; rev:1;) alert tcp $HOME_NET any -> [171.5.179.208] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230104; rev:1;) alert tcp $HOME_NET any -> [194.33.191.248] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.115.213.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcs.microsoftwindows.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"wcs.microsoftwindows.cloud"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230100; rev:1;) alert tcp $HOME_NET any -> [45.77.255.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/v1.98/cyum68zbb6fh"; depth:24; nocase; http.host; content:"45.77.255.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230098; rev:1;) alert tcp $HOME_NET any -> [91.92.255.112] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/mwkru-hytoycqt-hf63baudhjrkwrqbgpdf"; depth:53; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230095; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"114.132.218.55"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.104.28.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/audiencemanager.js"; depth:19; nocase; http.host; content:"home.aliba-inc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"home.aliba-inc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230090/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230090; rev:1;) alert tcp $HOME_NET any -> [123.56.189.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230089; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2232 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fiducaire.lu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.asurances.lu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagsblog.telinduslab.lu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.jocelynhealth.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1b2c3.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.5cce1d35e.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230081; rev:1;) alert tcp $HOME_NET any -> [43.138.22.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230087; rev:1;) alert tcp $HOME_NET any -> [93.90.72.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230086; rev:1;) alert tcp $HOME_NET any -> [72.27.103.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230085; rev:1;) alert tcp $HOME_NET any -> [18.162.214.171] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230084; rev:1;) alert tcp $HOME_NET any -> [167.99.156.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230083; rev:1;) alert tcp $HOME_NET any -> [3.106.130.174] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230082; rev:1;) alert tcp $HOME_NET any -> [47.99.139.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230075; rev:1;) alert tcp $HOME_NET any -> [45.155.249.183] 1337 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"185azyn6606dec24rd13.ddns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230073; rev:1;) alert tcp $HOME_NET any -> [185.224.128.11] 55650 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230071/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230071; rev:1;) alert tcp $HOME_NET any -> [45.90.97.101] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230072/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230072; rev:1;) alert tcp $HOME_NET any -> [91.92.240.231] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230069; rev:1;) alert tcp $HOME_NET any -> [139.162.148.153] 23433 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamemodz.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230068/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230068; rev:1;) alert tcp $HOME_NET any -> [45.128.96.133] 58001 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230067; rev:1;) alert tcp $HOME_NET any -> [91.92.240.61] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthyblessed.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opendomain.lyamore-metal.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"open.lyamore-metal.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opendomain.taiwantradeglobal.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"open.taiwantradeglobal.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230064; rev:1;) alert tcp $HOME_NET any -> [91.92.251.144] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moonvenom4449.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230059; rev:1;) alert tcp $HOME_NET any -> [119.81.84.107] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"lazittarl.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.225.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230052; rev:1;) alert tcp $HOME_NET any -> [141.98.10.85] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc7.cremeonu.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230055; rev:1;) alert tcp $HOME_NET any -> [77.91.124.92] 33992 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230057; rev:1;) alert tcp $HOME_NET any -> [82.147.85.205] 24010 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1230056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230056; rev:1;) alert tcp $HOME_NET any -> [205.189.160.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230053; rev:1;) alert tcp $HOME_NET any -> [64.237.181.19] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230050/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230050; rev:1;) alert tcp $HOME_NET any -> [45.61.138.9] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230049; rev:1;) alert tcp $HOME_NET any -> [45.32.159.208] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2021/63388.cab"; depth:42; nocase; http.host; content:"139.180.144.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230047/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_10; classtype:trojan-activity; sid:91230047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.10nf0x.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230044; rev:1;) alert tcp $HOME_NET any -> [134.209.92.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230045; rev:1;) alert tcp $HOME_NET any -> [49.234.12.22] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webtest.icbcbc.com.cn"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230042; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"git.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230040; rev:1;) alert tcp $HOME_NET any -> [95.6.72.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230039; rev:1;) alert tcp $HOME_NET any -> [39.40.168.159] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230038; rev:1;) alert tcp $HOME_NET any -> [184.96.139.136] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230037; rev:1;) alert tcp $HOME_NET any -> [72.27.11.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230036; rev:1;) alert tcp $HOME_NET any -> [172.242.145.126] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230035; rev:1;) alert tcp $HOME_NET any -> [37.186.58.51] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230034; rev:1;) alert tcp $HOME_NET any -> [31.117.56.211] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230033; rev:1;) alert tcp $HOME_NET any -> [103.126.7.66] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230032; rev:1;) alert tcp $HOME_NET any -> [20.107.115.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230031; rev:1;) alert tcp $HOME_NET any -> [91.236.230.169] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/log.php"; depth:18; nocase; http.host; content:"87.251.66.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/log.php"; depth:18; nocase; http.host; content:"193.233.18.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/post.php"; depth:19; nocase; http.host; content:"87.251.66.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.111.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230026/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.9.93.128"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230024; rev:1;) alert tcp $HOME_NET any -> [193.233.18.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91230023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/post.php"; depth:19; nocase; http.host; content:"193.233.18.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230022; rev:1;) alert tcp $HOME_NET any -> [37.220.86.102] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230021/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91230021; rev:1;) alert tcp $HOME_NET any -> [87.251.66.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230020/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91230020; rev:1;) alert tcp $HOME_NET any -> [123.207.45.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"habrafa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"128.140.69.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.44.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.187.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230013/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_10; classtype:trojan-activity; sid:91230013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.178.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230011; rev:1;) alert tcp $HOME_NET any -> [95.216.178.60] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230004; rev:1;) alert tcp $HOME_NET any -> [95.217.241.217] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230005; rev:1;) alert tcp $HOME_NET any -> [116.202.187.82] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230006; rev:1;) alert tcp $HOME_NET any -> [116.203.167.169] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230007; rev:1;) alert tcp $HOME_NET any -> [128.140.69.37] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230008; rev:1;) alert tcp $HOME_NET any -> [195.201.44.3] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230009; rev:1;) alert tcp $HOME_NET any -> [195.201.47.172] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230010; rev:1;) alert tcp $HOME_NET any -> [95.216.178.60] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.178.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230002; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 6601 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230001/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"electricnico.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230000; rev:1;) alert tcp $HOME_NET any -> [106.38.221.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229999; rev:1;) alert tcp $HOME_NET any -> [42.194.249.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229998/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229998; rev:1;) alert tcp $HOME_NET any -> [161.35.146.96] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"retraining.allstardriving.org"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229995/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"allstardriving.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229996; rev:1;) alert tcp $HOME_NET any -> [46.246.4.8] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229994; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229993; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229992; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229991; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14402 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229990; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229989; rev:1;) alert tcp $HOME_NET any -> [121.41.0.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229988; rev:1;) alert tcp $HOME_NET any -> [2.50.140.18] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229987; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yop918kiss.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229984/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.babyeonb.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farmbilllawenterprise.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229983; rev:1;) alert tcp $HOME_NET any -> [164.92.250.55] 443 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229982; rev:1;) alert tcp $HOME_NET any -> [154.8.204.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229980; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4010 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229981; rev:1;) alert tcp $HOME_NET any -> [170.187.181.74] 44386 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229979; rev:1;) alert tcp $HOME_NET any -> [45.132.88.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229978; rev:1;) alert tcp $HOME_NET any -> [54.237.206.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229977; rev:1;) alert tcp $HOME_NET any -> [3.234.60.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229976; rev:1;) alert tcp $HOME_NET any -> [34.234.47.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229975; rev:1;) alert tcp $HOME_NET any -> [13.235.21.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229974/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229974; rev:1;) alert tcp $HOME_NET any -> [181.237.128.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229973; rev:1;) alert tcp $HOME_NET any -> [202.83.17.58] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229972; rev:1;) alert tcp $HOME_NET any -> [13.93.87.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229971; rev:1;) alert tcp $HOME_NET any -> [193.23.55.98] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229970; rev:1;) alert tcp $HOME_NET any -> [85.215.108.157] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229969; rev:1;) alert tcp $HOME_NET any -> [124.90.130.241] 10056 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229968; rev:1;) alert tcp $HOME_NET any -> [223.167.229.127] 8200 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229967; rev:1;) alert tcp $HOME_NET any -> [24.105.180.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.trabede.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229965; rev:1;) alert tcp $HOME_NET any -> [60.247.156.214] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229964; rev:1;) alert tcp $HOME_NET any -> [194.15.216.203] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229963/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229963; rev:1;) alert tcp $HOME_NET any -> [116.204.43.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229962; rev:1;) alert tcp $HOME_NET any -> [54.87.191.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elated-black.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229960; rev:1;) alert tcp $HOME_NET any -> [91.92.240.153] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229959; rev:1;) alert tcp $HOME_NET any -> [194.33.191.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229958; rev:1;) alert tcp $HOME_NET any -> [91.92.241.244] 443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229956; rev:1;) alert tcp $HOME_NET any -> [194.33.191.106] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229957; rev:1;) alert tcp $HOME_NET any -> [91.92.241.244] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229955; rev:1;) alert tcp $HOME_NET any -> [91.92.240.152] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229954; rev:1;) alert tcp $HOME_NET any -> [193.233.132.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229953; rev:1;) alert tcp $HOME_NET any -> [94.228.169.198] 3000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229952/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229952; rev:1;) alert tcp $HOME_NET any -> [115.74.20.156] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229951; rev:1;) alert tcp $HOME_NET any -> [45.141.215.178] 61240 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesirenmika.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hc.info-163.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-webservices.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lucarne-films.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229945; rev:1;) alert tcp $HOME_NET any -> [45.126.125.144] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasm.cy-security.de"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.cy-security.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dl.info-163.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229943; rev:1;) alert tcp $HOME_NET any -> [8.219.206.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229941; rev:1;) alert tcp $HOME_NET any -> [89.221.224.197] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"festive-jemison.173-249-59-190.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqrmtohl90.za.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.festive-jemison.173-249-59-190.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hilfe-konto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229937/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_10; classtype:trojan-activity; sid:91229937; rev:1;) alert tcp $HOME_NET any -> [20.55.233.193] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foxee5.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229935; rev:1;) alert tcp $HOME_NET any -> [92.118.113.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229933; rev:1;) alert tcp $HOME_NET any -> [79.137.203.29] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyifb4.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229931; rev:1;) alert tcp $HOME_NET any -> [79.133.180.197] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229929; rev:1;) alert tcp $HOME_NET any -> [91.107.124.135] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229930; rev:1;) alert tcp $HOME_NET any -> [193.233.132.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.137-184-80-125.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229927; rev:1;) alert tcp $HOME_NET any -> [208.85.17.219] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229926; rev:1;) alert tcp $HOME_NET any -> [20.211.251.199] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229925; 
rev:1;) alert tcp $HOME_NET any -> [185.81.157.172] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229923; rev:1;) alert tcp $HOME_NET any -> [185.81.157.172] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229924; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 4123 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229922; rev:1;) alert tcp $HOME_NET any -> [206.123.132.236] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229921; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 10258 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229919; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 28363 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229920; rev:1;) alert tcp $HOME_NET any -> [54.38.151.131] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229918; rev:1;) alert tcp $HOME_NET any -> [186.112.202.162] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229916; rev:1;) alert tcp $HOME_NET any -> [54.38.151.131] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229917; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229915; rev:1;) alert tcp $HOME_NET any -> [185.130.214.116] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229914/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229914; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8007 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229913/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229913; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229912/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229912; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229910/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229910; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229911/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229911; rev:1;) alert tcp $HOME_NET any -> [194.116.191.150] 8081 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229909/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229909; rev:1;) alert tcp $HOME_NET any -> [155.138.142.176] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229908/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91229908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"www.glouton.ca"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229907/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229907; rev:1;) alert tcp $HOME_NET any -> [46.105.83.251] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229906/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229906; rev:1;) alert tcp $HOME_NET any -> [20.234.169.130] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229905/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229905; rev:1;) alert tcp $HOME_NET any -> [20.56.158.50] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229904/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229904; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229902; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1229903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229903; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229900; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229901; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229899; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229898; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229896; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 1801 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229897; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229895; rev:1;) alert tcp $HOME_NET any -> [67.141.168.212] 4444 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229894; rev:1;) alert tcp $HOME_NET any -> [47.120.37.45] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229893; rev:1;) alert tcp $HOME_NET any -> [121.43.186.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229892; rev:1;) alert tcp $HOME_NET any -> [101.200.36.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229890/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229890; rev:1;) alert tcp $HOME_NET any -> [47.92.110.61] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229891; rev:1;) alert tcp $HOME_NET any -> [101.201.59.29] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229889; rev:1;) alert tcp $HOME_NET any -> [101.201.59.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229888; rev:1;) alert tcp $HOME_NET any -> [47.99.114.238] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229886; rev:1;) alert tcp $HOME_NET any -> [23.224.198.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229887; rev:1;) alert tcp $HOME_NET any -> [107.174.242.74] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229885; rev:1;) alert tcp $HOME_NET any -> [158.247.238.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229884; rev:1;) alert tcp $HOME_NET any -> [123.57.206.33] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229882; rev:1;) alert tcp $HOME_NET any -> [45.145.228.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229883; rev:1;) alert tcp $HOME_NET any -> [209.146.124.195] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229881; rev:1;) alert tcp $HOME_NET any -> [101.43.211.190] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91229879; rev:1;) alert tcp $HOME_NET any -> [8.137.33.166] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229880; rev:1;) alert tcp $HOME_NET any -> [209.146.124.196] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229877; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229878; rev:1;) alert tcp $HOME_NET any -> [39.104.52.1] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229876; rev:1;) alert tcp $HOME_NET any -> [101.37.85.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229875; rev:1;) alert tcp $HOME_NET any -> [101.33.210.191] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229874; rev:1;) alert tcp $HOME_NET any -> [114.55.72.98] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229872; rev:1;) alert tcp $HOME_NET any -> [120.55.39.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229873; rev:1;) alert tcp $HOME_NET any -> [47.116.38.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229871; rev:1;) alert tcp $HOME_NET any -> [107.174.90.202] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229870; rev:1;) alert tcp $HOME_NET any -> [101.34.28.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229868; rev:1;) alert tcp $HOME_NET 
any -> [112.124.65.163] 20230 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229869; rev:1;) alert tcp $HOME_NET any -> [209.146.124.197] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229867; rev:1;) alert tcp $HOME_NET any -> [194.32.149.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229866; rev:1;) alert tcp $HOME_NET any -> [110.42.189.52] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229865; rev:1;) alert tcp $HOME_NET any -> [154.8.158.60] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229864; rev:1;) alert tcp $HOME_NET any -> [107.151.247.233] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229862; rev:1;) alert tcp $HOME_NET any -> [209.146.124.199] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229863; rev:1;) alert tcp $HOME_NET any -> [1.94.111.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229861; rev:1;) alert tcp $HOME_NET any -> [121.43.113.36] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229860; rev:1;) alert tcp $HOME_NET any -> [107.151.247.19] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229858; rev:1;) alert tcp $HOME_NET any -> [107.151.247.19] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229859; rev:1;) alert tcp $HOME_NET any -> [152.136.125.88] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freiheit.co.kr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"41-216-183-115.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229855; rev:1;) alert tcp $HOME_NET any -> [45.95.146.38] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91229841; rev:1;) alert tcp $HOME_NET any -> [74.48.184.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229854; rev:1;) alert tcp $HOME_NET any -> [18.170.11.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2c8ubzu7-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2c8ubzu7-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229849; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.175.247.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.116.17.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/load"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229843; rev:1;) alert tcp $HOME_NET any -> [3.122.237.119] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.emaratalyoum.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229840; rev:1;) alert tcp $HOME_NET any -> [91.92.240.61] 65535 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthyman.ddnsfree.com"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229839; rev:1;) alert tcp $HOME_NET any -> [209.146.124.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qfdb"; depth:5; nocase; http.host; content:"146.190.120.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91229837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"60.204.249.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.3.175.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229834; rev:1;) alert tcp $HOME_NET any -> [45.121.48.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"45.121.48.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"157.245.158.14"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229831/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_10; classtype:trojan-activity; sid:91229831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.104.20.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229830; rev:1;) alert tcp $HOME_NET any -> [101.37.85.231] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telemetry-notification.azureedge.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heur-labs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confident-blackwell.159-223-29-112.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91229826; rev:1;) alert tcp $HOME_NET any -> [159.235.45.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229823; rev:1;) alert tcp $HOME_NET any -> [41.97.128.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229822; rev:1;) alert tcp $HOME_NET any -> [86.98.50.35] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229821; rev:1;) alert tcp $HOME_NET any -> [187.232.174.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229820; rev:1;) alert tcp $HOME_NET any -> [86.96.75.73] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229819; rev:1;) alert tcp $HOME_NET any -> [130.51.20.64] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229818; rev:1;) alert tcp $HOME_NET any -> [161.35.239.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229817; rev:1;) alert tcp $HOME_NET any -> [91.92.251.215] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229816; rev:1;) alert tcp $HOME_NET any -> [91.92.251.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229815; rev:1;) alert tcp $HOME_NET any -> [91.92.251.215] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229814; rev:1;) alert tcp $HOME_NET any -> [65.20.101.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229813; rev:1;) alert tcp $HOME_NET any -> [52.211.169.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229812; rev:1;) alert tcp $HOME_NET any -> [5.252.179.38] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229811; rev:1;) alert tcp $HOME_NET any -> [5.252.179.38] 50666 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229810; rev:1;) alert tcp $HOME_NET any -> [91.92.253.220] 80 (msg:"ThreatFox Lumma Stealer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/2.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/3.exe"; depth:10; nocase; http.host; 
content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/1.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sideindexfollowragelrew.pw"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/4.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229786; rev:1;) alert tcp $HOME_NET any -> [38.46.8.66] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sideindexfollowragelrew.pw"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229784; rev:1;) alert tcp $HOME_NET any -> [38.46.8.67] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229762; rev:1;) alert tcp $HOME_NET any -> [38.46.8.68] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229763; rev:1;) alert tcp $HOME_NET any -> [38.46.8.69] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229764; rev:1;) alert tcp $HOME_NET any -> [38.46.8.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229765; rev:1;) alert tcp $HOME_NET any -> [157.90.162.211] 1515 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229766; rev:1;) alert tcp $HOME_NET any -> [110.41.19.62] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229767; rev:1;) alert tcp $HOME_NET any -> [175.178.68.156] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229768; rev:1;) alert tcp $HOME_NET any -> [157.90.162.211] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229769; rev:1;) alert tcp $HOME_NET any -> [185.185.68.164] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229782; rev:1;) alert tcp $HOME_NET any -> [45.11.27.62] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229783; rev:1;) alert tcp $HOME_NET any -> [79.98.45.97] 3790 (msg:"ThreatFox 
Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229809/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229809; rev:1;) alert tcp $HOME_NET any -> [110.41.189.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-fkkrrv8q-1307850644.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229807; rev:1;) alert tcp $HOME_NET any -> [110.41.189.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-fkkrrv8q-1307850644.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-fkkrrv8q-1307850644.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229804; rev:1;) alert tcp $HOME_NET any -> [52.147.121.107] 19530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229803; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229802/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229802; rev:1;) alert tcp $HOME_NET any -> [43.139.128.212] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229801/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229801; rev:1;) alert tcp $HOME_NET any -> [91.92.252.6] 61715 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229800; rev:1;) alert tcp $HOME_NET any -> [141.255.145.89] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229799; rev:1;) alert tcp $HOME_NET any -> [203.24.92.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_log.txt"; depth:16; nocase; http.host; content:"203.24.92.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229797; rev:1;) alert tcp $HOME_NET any -> [203.24.92.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_log.txt"; depth:16; nocase; http.host; content:"64.44.177.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229795; rev:1;) alert tcp $HOME_NET any -> [45.61.154.80] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229794; rev:1;) alert tcp $HOME_NET any -> [23.95.90.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc/def/"; depth:9; nocase; http.host; content:"23.95.90.63"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/12/29136388_"; depth:45; nocase; http.host; content:"39.99.128.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229791; rev:1;) alert tcp $HOME_NET any -> [72.27.79.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229781; rev:1;) alert tcp $HOME_NET any -> [88.237.198.37] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229780; rev:1;) alert tcp $HOME_NET any -> [184.96.134.78] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229779; rev:1;) alert tcp $HOME_NET any -> [39.40.159.189] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229778/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229778; rev:1;) alert tcp $HOME_NET any -> [197.204.232.211] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229777/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229777; rev:1;) alert tcp $HOME_NET any -> [18.162.58.174] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229776; rev:1;) alert tcp $HOME_NET any -> [94.130.198.190] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229775; rev:1;) alert tcp $HOME_NET any -> [120.26.241.141] 8443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229774; rev:1;) alert tcp $HOME_NET any -> [35.180.226.123] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229773; rev:1;) alert tcp $HOME_NET any -> [5.180.155.87] 64765 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpprocessorbigloadlinux.php"; depth:30; nocase; http.host; content:"tiyeso4885.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229771; rev:1;) alert tcp $HOME_NET any -> [135.181.242.178] 42473 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ca"; depth:3; nocase; http.host; content:"jhueby.diskstation.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"000197.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emailmigration.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weekendstartupshow.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpr23-421-c2.westus2.cloudapp.azure.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.emailmigration.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229695; rev:1;) alert tcp $HOME_NET any -> [195.20.16.168] 34926 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"superjunggvbvqq.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvqqqqqq.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229701/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"lajunggvbvqq.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvqqgroup.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvqqnet.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"abgggpoh.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"nisiqniqqsiq.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229706/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"194.26.135.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229707; rev:1;) alert tcp $HOME_NET any -> [142.154.77.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.3280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hypocrisync.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229756; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4372 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229755; rev:1;) alert tcp $HOME_NET any -> [38.181.56.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229754; rev:1;) alert tcp $HOME_NET any -> [8.219.3.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229753; rev:1;) alert tcp $HOME_NET any -> [4.227.149.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229752; rev:1;) alert tcp $HOME_NET any -> [64.23.150.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229751/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229751; rev:1;) alert tcp $HOME_NET any -> [20.28.145.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.trabede.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.trabede.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229748; rev:1;) alert tcp $HOME_NET any -> [101.35.153.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229747; rev:1;) alert tcp $HOME_NET any -> [43.139.61.221] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229746; rev:1;) alert tcp $HOME_NET any -> [101.34.214.78] 60000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229745; rev:1;) alert tcp $HOME_NET any -> [37.110.19.55] 88 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharp-hugle.45-141-215-173.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229743; rev:1;) alert tcp $HOME_NET any -> [91.92.248.67] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229742; rev:1;) alert tcp $HOME_NET any -> [91.92.248.39] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nvidiaapp.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1229740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229740; rev:1;) alert tcp $HOME_NET any -> [88.119.171.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229739; rev:1;) alert tcp $HOME_NET any -> [173.249.59.190] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229737; rev:1;) alert tcp $HOME_NET any -> [168.1.193.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229736; rev:1;) alert tcp $HOME_NET any -> [35.197.55.147] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229735; rev:1;) alert tcp $HOME_NET any -> 
[3.26.24.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229734; rev:1;) alert tcp $HOME_NET any -> [38.54.63.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229733; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 636 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229732; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 46949 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229730; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 427 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229731; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 29256 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229728/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229728; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 36274 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229729; rev:1;) alert tcp $HOME_NET any -> [186.112.202.162] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229727; rev:1;) alert tcp $HOME_NET any -> [47.243.104.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supershell.dongling.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229725; rev:1;) alert tcp $HOME_NET any -> [139.159.250.245] 38888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229724; rev:1;) alert tcp $HOME_NET any -> [35.180.226.123] 31337 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229723/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229723; rev:1;) alert tcp $HOME_NET any -> [47.57.12.167] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229722; rev:1;) alert tcp $HOME_NET any -> [47.92.110.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229721; rev:1;) alert tcp $HOME_NET any -> [111.230.30.197] 65262 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229720; rev:1;) alert tcp $HOME_NET any -> [165.232.70.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229719; rev:1;) alert tcp $HOME_NET any -> [47.113.147.219] 8063 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229718/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_09; classtype:trojan-activity; sid:91229718; rev:1;) alert tcp $HOME_NET any -> [192.144.219.118] 8845 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229716; rev:1;) alert tcp $HOME_NET any -> [190.92.227.9] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229717; rev:1;) alert tcp $HOME_NET any -> [112.124.23.19] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229715; rev:1;) alert tcp $HOME_NET any -> [116.62.123.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229713; rev:1;) alert tcp $HOME_NET any -> [39.99.141.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229714; rev:1;) alert tcp $HOME_NET any -> [147.78.47.184] 1455 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229712; rev:1;) alert tcp $HOME_NET any -> [47.94.56.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229711; rev:1;) alert tcp $HOME_NET any -> [47.108.236.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229710; rev:1;) alert tcp $HOME_NET any -> [194.87.196.79] 5557 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229709; rev:1;) alert tcp $HOME_NET any -> [52.221.252.111] 8389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229708; rev:1;) alert tcp $HOME_NET any -> [91.92.246.124] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_09; classtype:trojan-activity; sid:91229699; rev:1;) alert tcp 
$HOME_NET any -> [123.60.88.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229698; rev:1;) alert tcp $HOME_NET any -> [89.23.118.243] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229697; rev:1;) alert tcp $HOME_NET any -> [14.99.115.211] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229689; rev:1;) alert tcp $HOME_NET any -> [170.130.55.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229686; rev:1;) alert tcp $HOME_NET any -> [107.158.62.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/4update/httpcdndle/eternalprovider1multi/betterphp/dleupdate/securetemporaryapicentral/lowtestproviderprotect/cdnupdatemariadb/proton/javascripttrackpipe6/6vm/base/secure/db/async8/defaulttemp.php"; depth:197; nocase; http.host; content:"89.23.112.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"110.40.184.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dot.gif"; depth:8; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"42.193.119.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229678/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"95.164.35.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"150.158.45.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"219.151.137.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"120.222.152.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229674; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"1.62.64.108"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"120.222.152.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"124.225.14.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229671; rev:1;) alert tcp $HOME_NET any -> [108.181.166.130] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229670; rev:1;) alert tcp $HOME_NET any -> [157.245.158.14] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadwpdleprivatedownloadstemporary.php"; depth:42; nocase; http.host; content:"775515cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229666; rev:1;) alert tcp $HOME_NET any -> [80.92.204.241] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229668; rev:1;) alert tcp $HOME_NET any -> [80.92.204.233] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229667; rev:1;) alert tcp $HOME_NET any -> [95.54.8.107] 3112 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229665; rev:1;) alert tcp $HOME_NET any -> [75.90.35.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229664/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_09; classtype:trojan-activity; sid:91229664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhueby.diskstation.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"jhueby.diskstation.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229662; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.115.210.125"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229659; rev:1;) alert tcp $HOME_NET any -> [65.21.188.123] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229658; rev:1;) alert tcp $HOME_NET any -> [49.12.114.15] 10220 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229656; rev:1;) alert tcp $HOME_NET any -> [168.119.106.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.188.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229654; rev:1;) alert tcp $HOME_NET any -> [95.217.25.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; 
classtype:trojan-activity; sid:91229655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.106.20"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199601319247"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.25.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bg3goty"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.114.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229649; rev:1;) alert tcp $HOME_NET any -> [119.3.175.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk-once.520226.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229637; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 7890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229646; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 7891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229647; rev:1;) alert tcp $HOME_NET any -> [94.49.45.216] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229645; rev:1;) alert tcp $HOME_NET any -> [159.0.5.190] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229644; rev:1;) alert tcp $HOME_NET any -> [103.156.171.39] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229643; rev:1;) alert tcp $HOME_NET any -> [45.76.145.241] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229642; rev:1;) alert tcp $HOME_NET any -> [34.203.229.137] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229641; rev:1;) alert tcp $HOME_NET any -> [103.113.100.99] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229640; rev:1;) alert tcp $HOME_NET any -> [114.83.4.23] 15780 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229639; rev:1;) alert tcp $HOME_NET any -> [54.93.117.12] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229541/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; 
sid:91229543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalanka1.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankada1.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankahs21.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankasga61.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankakms51.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"111.90.141.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229540/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"2.57.149.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229539/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229539; rev:1;) alert tcp $HOME_NET any -> [193.233.132.95] 3699 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229535/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.66.79.248"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.177.94.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229561; rev:1;) alert tcp $HOME_NET any -> [136.244.98.49] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229636; rev:1;) alert tcp $HOME_NET any -> [5.161.223.88] 4104 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229635; rev:1;) alert tcp $HOME_NET any -> [2.139.237.194] 8087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229634/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_09; classtype:trojan-activity; sid:91229634; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4398 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229633; rev:1;) alert tcp $HOME_NET any -> [194.67.87.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229632; rev:1;) alert tcp $HOME_NET any -> [20.28.238.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229631; rev:1;) alert tcp $HOME_NET any -> [44.216.132.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229630; rev:1;) alert tcp $HOME_NET any -> [202.155.238.7] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229628; rev:1;) alert tcp $HOME_NET any -> [123.56.134.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229629; rev:1;) alert tcp $HOME_NET any -> [18.184.225.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229627; rev:1;) alert tcp $HOME_NET any -> [110.42.156.84] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229626; rev:1;) alert tcp $HOME_NET any -> [34.236.127.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229625; rev:1;) alert tcp $HOME_NET any -> [116.202.1.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229624; rev:1;) alert tcp $HOME_NET any -> [3.140.108.240] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; 
classtype:trojan-activity; sid:91229623; rev:1;) alert tcp $HOME_NET any -> [123.60.168.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229622; rev:1;) alert tcp $HOME_NET any -> [34.79.204.1] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229621; rev:1;) alert tcp $HOME_NET any -> [173.249.198.97] 8888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229620; rev:1;) alert tcp $HOME_NET any -> [45.81.235.110] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229619; rev:1;) alert tcp $HOME_NET any -> [195.20.16.207] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229618; rev:1;) alert tcp $HOME_NET any -> [161.35.21.152] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1229617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229617; rev:1;) alert tcp $HOME_NET any -> [103.42.30.21] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229616; rev:1;) alert tcp $HOME_NET any -> [34.239.255.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229615; rev:1;) alert tcp $HOME_NET any -> [179.96.164.83] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229614; rev:1;) alert tcp $HOME_NET any -> [223.155.16.102] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229613; rev:1;) alert tcp $HOME_NET any -> [223.155.16.114] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229612; rev:1;) alert tcp $HOME_NET any -> [223.155.16.115] 23333 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229610; rev:1;) alert tcp $HOME_NET any -> [223.155.16.119] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229611; rev:1;) alert tcp $HOME_NET any -> [223.155.16.109] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229609; rev:1;) alert tcp $HOME_NET any -> [223.155.16.95] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229607; rev:1;) alert tcp $HOME_NET any -> [217.208.240.203] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"znwfb3.buzz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229606/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229606; rev:1;) alert tcp $HOME_NET any -> [176.123.168.211] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229605; rev:1;) alert tcp $HOME_NET any -> [185.211.170.96] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229604; rev:1;) alert tcp $HOME_NET any -> [185.172.128.52] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229603; rev:1;) alert tcp $HOME_NET any -> [213.195.112.94] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229602; rev:1;) alert tcp $HOME_NET any -> [144.126.128.158] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229600; rev:1;) alert tcp $HOME_NET any -> [144.126.128.158] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229601; rev:1;) alert tcp $HOME_NET any -> [82.65.19.134] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229599; rev:1;) alert tcp $HOME_NET any -> [8.217.161.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229598; rev:1;) alert tcp $HOME_NET any -> [43.129.232.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229597; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229596/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229596; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229595/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; 
sid:91229595; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229594/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229594; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229593/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229593; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229592/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229592; rev:1;) alert tcp $HOME_NET any -> [5.8.10.66] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229591/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229591; rev:1;) alert tcp $HOME_NET any -> [44.222.150.23] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229590/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229590; rev:1;) alert tcp $HOME_NET any -> [5.8.10.71] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229589/; 
target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229589; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229588; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 1608 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229587; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 2233 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229586; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229585; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229583; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229584; rev:1;) alert tcp $HOME_NET any -> [187.135.178.86] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229582; rev:1;) alert tcp $HOME_NET any -> [123.56.64.225] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229580; rev:1;) alert tcp $HOME_NET any -> [121.41.0.213] 123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229581; rev:1;) alert tcp $HOME_NET any -> [8.140.48.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229579; rev:1;) alert tcp $HOME_NET any -> [182.92.127.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; 
classtype:trojan-activity; sid:91229578; rev:1;) alert tcp $HOME_NET any -> [8.130.116.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229576; rev:1;) alert tcp $HOME_NET any -> [47.57.12.167] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229577; rev:1;) alert tcp $HOME_NET any -> [101.200.122.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229575; rev:1;) alert tcp $HOME_NET any -> [47.94.199.234] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229574; rev:1;) alert tcp $HOME_NET any -> [114.55.232.33] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229573; rev:1;) alert tcp $HOME_NET any -> [120.46.152.54] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229571; rev:1;) alert tcp $HOME_NET any -> [110.41.16.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229572; rev:1;) alert tcp $HOME_NET any -> [120.46.152.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229570; rev:1;) alert tcp $HOME_NET any -> [103.234.72.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229568; rev:1;) alert tcp $HOME_NET any -> [185.94.165.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229569; rev:1;) alert tcp $HOME_NET any -> [172.233.72.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229567; rev:1;) alert tcp $HOME_NET 
any -> [75.90.35.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229566; rev:1;) alert tcp $HOME_NET any -> [8.137.33.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229565; rev:1;) alert tcp $HOME_NET any -> [82.157.255.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229564; rev:1;) alert tcp $HOME_NET any -> [62.234.46.238] 4320 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229563; rev:1;) alert tcp $HOME_NET any -> [124.222.117.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/3cdn/base5securepublic/dle7sqlline/1video/php_/sqldump/8pipepython/dumptemptrafficexternal/defaultjavascript0/externalimagevmrequestpolllowlongpollservercentral.php"; depth:165; nocase; http.host; content:"185.251.91.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229558; rev:1;) alert tcp $HOME_NET any -> [80.78.25.228] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229557/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpjavascriptbasewordpresstempdownloads.php"; depth:44; nocase; http.host; content:"045134cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229556; rev:1;) alert tcp $HOME_NET any -> [141.255.152.155] 2222 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229555; rev:1;) alert tcp $HOME_NET any -> [141.255.152.155] 4444 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229554; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"111.230.119.183"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229552; rev:1;) alert tcp $HOME_NET any -> [111.230.119.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229553; rev:1;) alert tcp $HOME_NET any -> [91.92.253.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1railx6y20syj.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"d1railx6y20syj.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternallinejspacketlowprotectsqldbgeneratorcdn.php"; depth:51; nocase; http.host; content:"526775cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.231.31.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229537; rev:1;) alert tcp $HOME_NET any -> [95.56.104.12] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229536; rev:1;) alert tcp $HOME_NET any -> [188.173.33.11] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229534; rev:1;) alert tcp $HOME_NET any -> [31.117.230.129] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229533/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_08; classtype:trojan-activity; sid:91229533; rev:1;) alert tcp $HOME_NET any -> [34.239.255.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229532; rev:1;) alert tcp $HOME_NET any -> [64.176.66.86] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"evokenumberpottruckere.fun"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"goddirtybrilliancece.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"revivalconflictgrippe.site"; depth:26; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1229526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229526; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 13739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229529; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 13739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229528; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 13739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229527; rev:1;) alert tcp $HOME_NET any -> [45.138.157.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229524; rev:1;) alert tcp $HOME_NET any -> [46.246.6.15] 1234 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229523; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8444 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229522; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229521; rev:1;) alert tcp $HOME_NET any -> [117.120.62.147] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229520; rev:1;) alert tcp $HOME_NET any -> [155.94.140.13] 4493 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229519; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 9561 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229518; rev:1;) alert tcp $HOME_NET any -> [198.23.254.30] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229516/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_08; classtype:trojan-activity; sid:91229516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mss.supportflash.pics"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/"; depth:9; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/alucmon.wav"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/dxwxrelllvk.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mrcheng/eucjlrz.vdf"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fmbidfqiew.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fujgch.mp3"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/hreelq.wav"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ikfnlucrfeq.dat"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1229481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/jystkgzqv.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/kzdzejqjq.mp4"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/mpsenzr.mp3"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/nmszdiichnu.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ogzgi.wav"; depth:18; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/pqcdghctwi.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qfvxqoncr.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qgkltuqpt.vdf"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qwuhtbm.mp4"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qjwhtxehdqw.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/sxkainlspoh.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/wyfeklim.pdf"; depth:21; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/alucmon.wav"; 
depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/dxwxrelllvk.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/eucjlrz.vdf"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fmbidfqiew.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fujgch.mp3"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229498/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/hreelq.wav"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ikfnlucrfeq.dat"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/jystkgzqv.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/kzdzejqjq.mp4"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229502; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/mpsenzr.mp3"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/nmszdiichnu.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ogzgi.wav"; depth:18; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qgkltuqpt.vdf"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mrcheng/pqcdghctwi.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qfvxqoncr.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qjwhtxehdqw.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qwuhtbm.mp4"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/sxkainlspoh.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229511; rev:1;) alert tcp $HOME_NET any -> [103.171.0.200] 80 (msg:"ThreatFox zgRAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/wyfeklim.pdf"; depth:21; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229512; rev:1;) alert tcp $HOME_NET any -> [103.171.0.200] 443 (msg:"ThreatFox zgRAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"188.127.224.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewmrgqnaww.php"; depth:15; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/letter.php"; depth:17; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"boxtechcompany.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1229469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"boxtechcompany.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.181.156.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0.whitelinetosplit.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"2.whitelinetosplit.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"from.whitelinetosplit.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goto.whitelinetosplit.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"frenchpies.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"213.171.14.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bjz1khvv"; depth:9; nocase; http.host; content:"nowordshere.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nowordshere.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"restraining.allstardriving.org"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.130.47.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229457; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 36499 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229440/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229440; rev:1;) alert tcp $HOME_NET any -> [34.154.74.85] 587 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229454; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 58297 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.jsp"; depth:10; nocase; http.host; content:"121.37.206.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.207.45.188"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"161.35.186.154"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1229451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229450; rev:1;) alert tcp $HOME_NET any -> [217.165.232.41] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tpowe2.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.m18888.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229447; rev:1;) alert tcp $HOME_NET any -> [188.164.199.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229446/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229446; rev:1;) alert tcp $HOME_NET any -> [15.229.2.119] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229445; rev:1;) alert tcp $HOME_NET any -> [20.83.179.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229444; rev:1;) alert tcp $HOME_NET any -> [159.75.174.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229443; rev:1;) alert tcp $HOME_NET any -> [207.2.123.65] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229442; rev:1;) alert tcp $HOME_NET any -> [175.178.39.16] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"get.specialcraftbox.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service.specialcraftbox.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soft.specialcraftbox.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"43.129.187.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-5-62-203.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229438; rev:1;) alert tcp $HOME_NET any -> [34.249.99.131] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229437; rev:1;) alert tcp $HOME_NET any -> [103.82.26.41] 4447 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229436; rev:1;) alert tcp $HOME_NET any -> [103.42.30.42] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esdm-internal.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229434; rev:1;) alert tcp $HOME_NET any -> [175.16.147.232] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229433; rev:1;) alert tcp $HOME_NET any -> [191.82.240.73] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229432/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229432; rev:1;) alert tcp $HOME_NET any -> [154.9.227.45] 6774 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229431; rev:1;) alert tcp $HOME_NET any -> [119.160.235.251] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229430; rev:1;) alert tcp $HOME_NET any -> [104.233.210.104] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229429; rev:1;) alert tcp $HOME_NET any -> [149.154.70.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229428; rev:1;) alert tcp $HOME_NET any -> [91.224.92.176] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229427; rev:1;) alert tcp $HOME_NET any -> [66.94.120.244] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1229425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229425; rev:1;) alert tcp $HOME_NET any -> [66.94.120.244] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229426; rev:1;) alert tcp $HOME_NET any -> [43.142.51.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229424; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229423/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229423; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229422/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229422; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229421/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229421; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8001 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229420/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229420; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229419/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229419; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229418; rev:1;) alert tcp $HOME_NET any -> [120.27.247.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229416; rev:1;) alert tcp $HOME_NET any -> [60.204.152.185] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229417; rev:1;) alert tcp $HOME_NET any -> [47.104.28.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229415/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229415; rev:1;) alert tcp $HOME_NET any -> [47.104.28.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229414; rev:1;) alert tcp $HOME_NET any -> [47.120.16.255] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229413; rev:1;) alert tcp $HOME_NET any -> [206.237.5.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229412; rev:1;) alert tcp $HOME_NET any -> [47.115.208.55] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229411; rev:1;) alert tcp $HOME_NET any -> [38.150.3.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229410; rev:1;) alert tcp $HOME_NET any -> [8.130.92.31] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229409; rev:1;) alert tcp $HOME_NET any -> [103.234.72.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alehej54.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alehmv64.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alejcw73.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alekah57.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229387/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alenep53.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleqxd56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alevfe67.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexfy76.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezop66.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezqi75.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleeyd31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alefuk34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alepvb33.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alerhb46.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alelof36.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1229396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alenjf44.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alensr26.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alesxu45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alevju41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezjy47.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezno43.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9jjjbnadshz/index.php"; depth:23; nocase; http.host; content:"rubyonthewal.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229341; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qoleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229332/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229326; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofifteen15sb.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofifteen15vt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qofifteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qitvelv12ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofifteen15ht.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qitvelv12vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qithirt13vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qisix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qisix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qinein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qileven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qinein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"qififteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qififteen15vs.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229353; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qoten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229364/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229369; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpfourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qpleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qptvelv12ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229380/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qptvelv12sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qptwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229300; rev:1;) alert tcp 
$HOME_NET any -> [124.223.64.88] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229302; rev:1;) alert tcp $HOME_NET any -> [211.76.170.240] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7vs.top"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229243/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_08; classtype:trojan-activity; sid:91229243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1229254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"qfnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"qften10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"qdfourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qd10ten.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkblk02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbmy02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbpl02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kykudat.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"hkbau02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbmix02.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13pn.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qstwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ddesign.3utilities.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229296; rev:1;) alert tcp $HOME_NET any -> [185.185.68.48] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"cloudwebhub.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nowordshere.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229201; rev:1;) alert tcp $HOME_NET any -> [82.97.241.207] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"116.198.11.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"110.41.11.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.249.101.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"sanjianke.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_ogb"; depth:17; nocase; http.host; content:"74.235.187.46"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1229193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"147.139.32.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_ogb"; depth:17; nocase; http.host; content:"74.235.187.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"36.99.39.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229189; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"192.144.220.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure.html"; depth:12; nocase; http.host; content:"20.49.255.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.132.182.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/match"; depth:6; nocase; http.host; content:"4.194.41.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.13.17.173"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229180/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.35.253.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.127.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users.jsp"; depth:10; nocase; http.host; content:"helloone.accountants.monster"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apiv8/getstatus"; depth:16; nocase; http.host; content:"seruvadessigen.3utilities.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seruvadessigen.3utilities.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.30.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"locall.miragov.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"locall.miragov.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"146.56.234.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229167; rev:1;) alert tcp $HOME_NET any -> [3.137.178.137] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"workday.us.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"workday.us.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229162; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-4.6.0.min.js"; depth:20; nocase; http.host; content:"107.172.16.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.57.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.119.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"52.226.247.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"159.65.150.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"success.165gov.cyou"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"success.165gov.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229154/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"120.27.212.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.175.247.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"143.198.101.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d20tk7ygz8ugsj.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229149; rev:1;) alert tcp $HOME_NET any -> [8.138.82.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.110.253.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-rbr85ft5-1259685312.cd.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229144; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"service-rbr85ft5-1259685312.cd.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229143; rev:1;) alert tcp $HOME_NET any -> [65.49.210.124] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"check.cloudupdateserver.cloudns.org"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"check.cloudupdateserver.cloudns.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.goodljlagfhssss.live"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229139/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"1.94.67.222"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/case.css"; depth:9; nocase; http.host; content:"cins.hin7lostvas.pro"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.200.72.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.99.151.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.4.59.117"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229133; rev:1;) alert tcp $HOME_NET any -> [8.130.94.202] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.wiiooiij.tk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"test.wiiooiij.tk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.223.64.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api-opt-2023-gfr/3"; depth:19; nocase; http.host; content:"fk.n0reply.eu.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fk.n0reply.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theme/login.php"; depth:16; nocase; 
http.host; content:"185.215.113.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229125; rev:1;) alert tcp $HOME_NET any -> [78.100.236.181] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229124; rev:1;) alert tcp $HOME_NET any -> [72.27.165.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229123; rev:1;) alert tcp $HOME_NET any -> [54.154.24.71] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229122; rev:1;) alert tcp $HOME_NET any -> [185.196.10.126] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229121; rev:1;) alert tcp $HOME_NET any -> [119.152.6.213] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229120; rev:1;) alert tcp $HOME_NET 
any -> [54.250.116.148] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229119; rev:1;) alert tcp $HOME_NET any -> [193.233.254.194] 11584 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10sr.top"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228942/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_08; classtype:trojan-activity; sid:91228942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjnein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pichadex.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91228918; rev:1;) alert tcp $HOME_NET any -> [46.199.193.93] 3551 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myhostfrfr0.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theme/index.php"; depth:16; nocase; http.host; content:"185.215.113.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diagramfiremonkeyowwa.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cakecoldsplurgrewe.pw"; depth:21; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1228897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"soupinterestoe.fun"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"neighborhoodfeelsa.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dayfarrichjwclik.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ratefacilityframw.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228901; rev:1;) alert 
tcp $HOME_NET any -> [154.223.17.134] 5959 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228902; rev:1;) alert tcp $HOME_NET any -> [165.232.87.210] 5945 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruspyc.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeit8ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14ht.top"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228957/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_08; classtype:trojan-activity; sid:91228957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qttwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1228968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qffive5ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qften10sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeiht8sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91228972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228975; rev:1;) alert tcp $HOME_NET any -> [79.137.198.170] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazy-hugle.185-196-8-89.plesk.page"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midlifeprogrammer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"gallant-booth.185-196-8-89.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"185-196-8-89.plesk.page"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.conectmeto.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"online.microsoftoffice.cyou"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229116; rev:1;) alert tcp $HOME_NET any -> [158.220.96.15] 3320 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229117; rev:1;) alert tcp $HOME_NET any -> [2.91.179.245] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229110; rev:1;)
# --- Reading the ThreatFox rules in this batch (first_seen 2024_01_08) ---
# ip:port rules are plain "alert tcp" with no flow: keyword, so any packet from $HOME_NET to the listed
# destination matches, including a single unanswered SYN. "threshold: type limit, track by_src,
# seconds 60, count 1" caps that at one alert per internal source per minute, and target:src_ip marks
# the internal host as the victim side of the alert. sid is "9" + the ThreatFox IOC id from the reference.
# domain rules match dns_query with depth equal to the pattern length plus isdataat:!1,relative, i.e. only
# an exact query for that name fires; other labels under the same zone are NOT covered.
# Bashlite C2 on tcp/23 (telnet). Published at 90% confidence, unlike the 100% rules around it.
alert tcp $HOME_NET any -> [140.82.33.83] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229109/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229109; rev:1;)
# Domain IOCs (exact dns_query match only).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736626.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recruitment61.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.europapokal2024.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.peninsula3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.seismicsisterhood.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229103; rev:1;)
# "Unknown malware" ip:port IOCs. Many of these destinations sit in hosted/cloud address space that is
# re-assigned quickly; age them out against first_seen or they will alert on the next tenant.
# 35.210.122.136 and 18.158.149.45 are each listed on two ports.
alert tcp $HOME_NET any -> [35.210.122.136] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229101; rev:1;)
alert tcp $HOME_NET any -> [35.210.122.136] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229102; rev:1;)
alert tcp $HOME_NET any -> [3.218.61.11] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229100; rev:1;)
alert tcp $HOME_NET any -> [103.106.191.10] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229099; rev:1;)
alert tcp $HOME_NET any -> [62.113.117.13] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229098; rev:1;)
alert tcp $HOME_NET any -> [18.195.76.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229097; rev:1;)
alert tcp $HOME_NET any -> [62.171.159.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229096; rev:1;)
alert tcp $HOME_NET any -> [181.237.128.179] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229095; rev:1;)
alert tcp $HOME_NET any -> [168.62.49.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229094; rev:1;)
alert tcp $HOME_NET any -> [20.230.19.10] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229093; rev:1;)
alert tcp $HOME_NET any -> [18.222.106.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229092; rev:1;)
alert tcp $HOME_NET any -> [46.151.214.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229091; rev:1;)
alert tcp $HOME_NET any -> [1.12.48.214] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229090; rev:1;)
alert tcp $HOME_NET any -> [106.52.233.34] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229089; rev:1;)
alert tcp $HOME_NET any -> [13.209.204.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229088; rev:1;)
alert tcp $HOME_NET any -> [18.158.149.45] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229087; rev:1;)
alert tcp $HOME_NET any -> [18.158.149.45] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229086; rev:1;)
alert tcp $HOME_NET any -> [45.139.222.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229085; rev:1;)
# Six hosts under customerportalverify.store are listed one by one. Each rule is an exact query match,
# so any other label under that zone is missed. If the apex itself is attacker-controlled, a companion
# suffix rule (dns_query; content:".customerportalverify.store"; endswith; nocase;) closes the gap.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.customerportalverify.store"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apis.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omns.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fc.customerportalverify.store"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.customerportalverify.store"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229080; rev:1;)
alert tcp $HOME_NET any -> [159.65.47.249] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stats.customerportalverify.store"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229079; rev:1;)
# Three unrelated hosts all listed on tcp/60000.
alert tcp $HOME_NET any -> [5.42.64.70] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229077; rev:1;)
alert tcp $HOME_NET any -> [192.248.184.70] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229075; rev:1;)
alert tcp $HOME_NET any -> [47.96.43.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229076; rev:1;)
alert tcp $HOME_NET any -> [180.141.51.20] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.payandhay.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229073; rev:1;)
# Provider-generated hostnames: EC2 reverse names, a *.plesk.page host and sslip.io names (which embed
# an IP address in the label) follow the underlying IP, not the actor. Treat them as IP indicators with
# the same re-assignment caveat as above and review them against first_seen before keeping them long term.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-235-217-21.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-217-28-109.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-210-248-214.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ams-k-node1.vleo.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.elated-black.45-141-215-173.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbadearnings.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85.192.63.57.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"79.137.194.188.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229066; rev:1;)
# RisePro C2: three neighbouring hosts in 193.233.132.0/24, all on tcp/8081.
alert tcp $HOME_NET any -> [193.233.132.61] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229064; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229063; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.62] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229062; rev:1;)
# Venom RAT C2: seven ip:port IOCs. 27.74.166.158 is listed on 9999 and 8000; 103.42.30.30/.39/.58 all
# use tcp/4449. As with the rest of the feed there is no flow: keyword, so an unanswered SYN to the
# destination already fires, and threshold limits it to one alert per internal source per minute.
alert tcp $HOME_NET any -> [167.88.168.158] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229061; rev:1;)
alert tcp $HOME_NET any -> [27.74.166.158] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229060; rev:1;)
alert tcp $HOME_NET any -> [20.6.33.42] 9099 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229058; rev:1;)
alert tcp $HOME_NET any -> [27.74.166.158] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229059; rev:1;)
alert tcp $HOME_NET any -> [103.42.30.30] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229057; rev:1;)
alert tcp $HOME_NET any -> [103.42.30.39] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229055; rev:1;)
alert tcp $HOME_NET any -> [103.42.30.58] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229056; rev:1;)
# Domain IOCs (exact dns_query match only: depth equals the pattern length and isdataat:!1,relative
# forbids trailing labels). 159-223-92-16.digitaloceandns.com is a provider-generated reverse name that
# follows the IP, so treat it as an IP indicator with the usual re-assignment caveat.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oxyphyllous.20402177.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-223-92-16.digitaloceandns.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"git.cy-security.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sicher-online.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-apps.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229051; rev:1;)
# Havoc, and further down Sliver and Cobalt Strike, are post-exploitation frameworks that are also used
# in authorised red-team engagements; cross-check a hit against your own testing schedule before
# escalating it as a compromise.
alert tcp $HOME_NET any -> [172.94.93.15] 2222 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229049; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 38655 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229048; rev:1;)
# Hook C2, all on tcp/80 or 81. Three of the hosts fall in 91.92.240.0/20. The interleaved *.fvds.ru
# names are hosting-provider customer hostnames; like other provider-assigned names they follow the
# server, so age them with the IP indicators.
alert tcp $HOME_NET any -> [13.213.38.230] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov1.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mebadboy.fvds.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229045; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.143] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229044; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.134] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api-encar.nibiru.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229041; rev:1;)
alert tcp $HOME_NET any -> [54.211.212.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229042; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.80] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrix.avtokuba.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229040; rev:1;)
alert tcp $HOME_NET any -> [176.123.168.117] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229038; rev:1;)
alert tcp $HOME_NET any -> [79.174.13.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229037; rev:1;)
alert tcp $HOME_NET any -> [119.160.235.239] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229036; rev:1;)
alert tcp $HOME_NET any -> [157.90.21.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229035; rev:1;)
# AsyncRAT C2. 185.172.128.52 is listed on 9999 and 8888; note the same ports (6606, 7707, 8808)
# recur across unrelated hosts, so the port alone is not a usable discriminator.
alert tcp $HOME_NET any -> [213.195.119.8] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229034; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.4] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229033; rev:1;)
alert tcp $HOME_NET any -> [185.250.148.237] 2424 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229031; rev:1;)
alert tcp $HOME_NET any -> [88.229.34.236] 3004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229032; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.52] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229029; rev:1;)
alert tcp $HOME_NET any -> [54.38.151.131] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229030; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.52] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229028; rev:1;)
alert tcp $HOME_NET any -> [74.222.22.109] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229027; rev:1;)
alert tcp $HOME_NET any -> [91.109.186.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229025; rev:1;)
alert tcp $HOME_NET any -> [187.24.64.252] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229026; rev:1;)
alert tcp $HOME_NET any -> [51.20.249.187] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229024; rev:1;)
alert tcp $HOME_NET any -> [5.161.182.109] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229022; rev:1;)
alert tcp $HOME_NET any -> [178.33.203.39] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229023; rev:1;)
alert tcp $HOME_NET any -> [66.94.120.244] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229021; rev:1;)
alert tcp $HOME_NET any -> [122.10.10.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229019; rev:1;)
alert tcp $HOME_NET any -> [107.174.115.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229020; rev:1;)
# Sliver C2, published at 90% confidence (the rest of this batch is 100%).
alert tcp $HOME_NET any -> [20.61.4.19] 6000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229018/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229018; rev:1;)
# Cobalt Strike team servers. Several hosts repeat on two ports (123.56.64.225, 43.134.183.43,
# 101.35.199.148). Most of these addresses are in hosted/cloud ranges; age them against first_seen.
alert tcp $HOME_NET any -> [47.102.151.229] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229016; rev:1;)
alert tcp $HOME_NET any -> [62.234.166.174] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229017; rev:1;)
alert tcp $HOME_NET any -> [47.100.199.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229015; rev:1;)
alert tcp $HOME_NET any -> [123.57.164.84] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229014; rev:1;)
alert tcp $HOME_NET any -> [123.56.64.225] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229013; rev:1;)
alert tcp $HOME_NET any -> [123.56.64.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229012; rev:1;)
alert tcp $HOME_NET any -> [168.100.9.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229011; rev:1;)
alert tcp $HOME_NET any -> [8.130.66.111] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229010; rev:1;)
alert tcp $HOME_NET any -> [45.95.174.47] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229009; rev:1;)
alert tcp $HOME_NET any -> [43.134.183.43] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229008; rev:1;)
alert tcp $HOME_NET any -> [43.134.183.43] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229007; rev:1;)
alert tcp $HOME_NET any -> [121.41.50.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229006; rev:1;)
alert tcp $HOME_NET any -> [51.81.69.69] 42069 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229005; rev:1;)
alert tcp $HOME_NET any -> [61.75.17.84] 59992 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229004; rev:1;)
alert tcp $HOME_NET any -> [39.106.47.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229003; rev:1;)
alert tcp $HOME_NET any -> [101.35.199.148] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229002; rev:1;)
alert tcp $HOME_NET any -> [101.35.199.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229001; rev:1;)
alert tcp $HOME_NET any -> [120.46.69.230] 65401 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229000; rev:1;) alert tcp $HOME_NET any -> [108.136.162.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228999; rev:1;) alert tcp $HOME_NET any -> [124.223.87.14] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228998; rev:1;) alert tcp $HOME_NET any -> [38.147.172.234] 5557 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228996; rev:1;) alert tcp $HOME_NET any -> [59.110.9.127] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228997; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 3958 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91228995; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228994; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228993; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228992; rev:1;) alert tcp $HOME_NET any -> [193.233.254.4] 13200 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228991; rev:1;) alert tcp $HOME_NET any -> [46.246.12.15] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dot.gif"; depth:8; nocase; http.host; content:"194.87.218.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228989; rev:1;) alert tcp $HOME_NET any -> [47.243.31.155] 8123 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91228988; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228987/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91228987; rev:1;) alert tcp $HOME_NET any -> [176.29.41.251] 8000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228986; rev:1;) alert tcp $HOME_NET any -> [194.87.79.209] 34130 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228984; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 30710 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228983; rev:1;) alert tcp $HOME_NET any -> [210.97.234.97] 9735 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serverlinuxtestwordpressprivate.php"; depth:36; nocase; http.host; content:"028874lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dftrqgmt6hzf2.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228979; rev:1;) alert tcp $HOME_NET any -> [108.137.133.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dftrqgmt6hzf2.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1228978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/266ba446.php"; depth:13; nocase; http.host; content:"glacial-liquor.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228977; rev:1;) alert tcp $HOME_NET any -> [45.207.45.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228925; rev:1;) alert tcp $HOME_NET any -> [134.175.55.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228924; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1228923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"39.107.242.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"165.154.132.129"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228920; rev:1;) alert tcp $HOME_NET any -> [43.139.220.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228919; rev:1;) alert tcp $HOME_NET any -> [66.19.9.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228915; rev:1;) alert tcp $HOME_NET any -> [38.54.85.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228914; rev:1;) alert tcp $HOME_NET any -> [94.49.47.218] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228913; rev:1;) alert tcp $HOME_NET any -> [190.134.210.144] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228912; rev:1;) alert tcp $HOME_NET any -> [77.49.83.47] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228911; rev:1;) alert tcp $HOME_NET any -> [2.6.197.29] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228910; 
rev:1;) alert tcp $HOME_NET any -> [27.99.41.173] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228909; rev:1;) alert tcp $HOME_NET any -> [103.106.228.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228908; rev:1;) alert tcp $HOME_NET any -> [64.23.143.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228907; rev:1;) alert tcp $HOME_NET any -> [185.228.234.171] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228906; rev:1;) alert tcp $HOME_NET any -> [52.197.96.6] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228905; rev:1;) alert tcp $HOME_NET any -> [5.42.64.57] 43890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228857/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228857; rev:1;) alert tcp $HOME_NET any -> [45.131.108.210] 747 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228849; rev:1;) alert tcp $HOME_NET any -> [5.42.66.49] 43890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"62.72.32.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"95.156.227.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.183.98.152"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"79.133.51.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.206.178.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.94.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard"; depth:10; nocase; http.host; content:"188.116.22.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228892; rev:1;) 
alert tcp $HOME_NET any -> [47.100.199.201] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.215.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.221.178.17"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d8g.lol"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228883; rev:1;) alert tcp $HOME_NET any -> [159.75.104.157] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228884; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"d8g.lol"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.140.147.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"106.14.144.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228880; rev:1;) alert tcp $HOME_NET any -> [43.139.35.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228879; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.3.113.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.212.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228876; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228874; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.142.117.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228869; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"193.201.9.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"metersphere.zenmen.cloud"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"www.goodljlagfhss.live"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; 
depth:9; nocase; http.host; content:"121.4.50.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"120.27.148.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228860; rev:1;) alert tcp $HOME_NET any -> [185.164.163.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228859; rev:1;) alert tcp $HOME_NET any -> [90.91.100.126] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.34.222.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1228853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"updates.adobe-soft.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"194.87.218.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228847; rev:1;) alert tcp $HOME_NET any -> 
[164.90.169.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228848; rev:1;) alert tcp $HOME_NET any -> [45.60.75.128] 9443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228846; rev:1;) alert tcp $HOME_NET any -> [151.236.18.179] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.simplence.cn"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.mylcyz.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"ns1.rememdam.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.kp1nm8ao.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.microsoft-update.one"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1228757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.microsoft2888.top"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"ns1.dnslogik.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.crnbchina.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dmitolt.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1228753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.centos-yum.xyz"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.chongfan1990.xyz"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.623866.xyz"; 
depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.akingump.cloud"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.bre1ce.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"server1.bre1ce.top"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"service-mew"; depth:11; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"sanjianke.icu"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"septcntr.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rano.initiativeus.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rano.outlookonlines.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"recommendation.digihealthlocker.com"; depth:35; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"redteam.tandemcyberops.co"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1228741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"po.vigorlabs.info"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"qw.regsvcast.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"js.msedgeupdate.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pics.d3fgg12.lol"; depth:16; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"annualraises2023.zip"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.teleradiocom.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.weepstakes.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.xiaopeng111.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.zengjunhe.top"; depth:17; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.163microsoft.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.623866.xyz"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.centos-yum.xyz"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.chongfan1990.xyz"; depth:20; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.crnbchina.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.dnslogik.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.kp1nm8ao.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.microsoft-update.one"; depth:24; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.mylcyz.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.rememdam.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228777/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.simplence.cn"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228778/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.xiaopeng111.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.zengjunhe.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228780/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns3.chongfan1990.xyz"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns3.simplence.cn"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns3.xiaopeng111.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns8.x7z.mom"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns88.nanyafpg.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228785/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nsns1.container911.site"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nt2.227api.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nt3.227api.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nt1.227api.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"oa.cncb.info"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228790/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_07; classtype:trojan-activity; sid:91228790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ok.ppctech.xyz"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"one.gxzf.site"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"osssss.huawei.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pak.update.nadra-pk.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pic.micros0ft-security.org"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1228795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.centos-yum.xyz"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pak.update.nadra-pk.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pic.micros0ft-security.org"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1228798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.microsoft-update.one"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1228800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"iane.outlookonlines.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"iane.initiativeus.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"leno.initiativeus.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"leno.outlookonlines.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lindacolor.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"log.lihaimaoyi.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail.cncb.info"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; 
sid:91228810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"metersphere.zenmen.cloud"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1228811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mricossoftmanager.info"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1228812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"n1.johnchen88.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"myappsec.eu"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.b1ing.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228815; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.checkavail.space"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.controlcavi.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.n0reply.eu.org"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.tqrjfru.cn"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns0248.euskinc.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.163microsoft.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennynanobelintourismedleonline.dumb1.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpacino.club"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukkva.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gavrik.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"voiceaichanger.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dzxngxmlsim3.cloudfront.net"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1228842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dh5rg5aebo6yx.cloudfront.net"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1228843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voice.k7pw.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228840; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-delivery.fortaxen.com"; depth:25; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228705; rev:1;) alert tcp $HOME_NET any -> [185.170.144.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228706; rev:1;) alert tcp $HOME_NET any -> [45.148.120.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tollactionancestorw.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"links-transition.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fall-sustained.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"realitysocialiolee.site"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"pubettttg.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228722/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"pubeggggoa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228723/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"pubetjokotg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228724/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228724; rev:1;) 
# NOTE(review): the url-type rules above (sids 91228796-91228821 and 91228842-91228843)
# carry a bare hostname as their http.uri content and have no http.host match. For an
# ordinary origin-form request the URI buffer holds only the path, so those rules are
# expected to fire only when the hostname appears in the request line itself
# (absolute-form / proxy requests). A dns_query rule for the same name, or the
# http.uri + http.host form used from here on, is the reliable way to cover normal
# client traffic.
# The ip:port rules (alert tcp ... -> [addr] port) have no payload match and alert on
# any connection to that address:port; where the address sits in shared or cloud
# hosting it can be reassigned, so the first_seen metadata should drive their expiry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"gebasgao.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228725/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"fexggohii.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228726/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"vukyggtou.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228727/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"c2c2adfff.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228728/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"g232ddxda.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228729/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"ebwaebaw23xx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228730/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"verhovuh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228731/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228731; rev:1;) alert tcp $HOME_NET any -> [86.122.248.34] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228839; rev:1;) alert tcp $HOME_NET any -> [176.44.122.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228838; rev:1;) alert tcp $HOME_NET any -> [3.110.101.202] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228837; rev:1;) alert tcp $HOME_NET any -> [139.84.172.20] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228836; rev:1;) alert tcp $HOME_NET any -> [139.84.172.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228835; rev:1;) alert tcp $HOME_NET any -> [94.131.100.223] 4444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228834; rev:1;) alert tcp $HOME_NET any -> [18.136.0.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228830; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228829/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_07; classtype:trojan-activity; sid:91228829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0902024.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228828; rev:1;) alert tcp $HOME_NET any -> [91.92.250.243] 4887 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228827; rev:1;) alert tcp $HOME_NET any -> [141.98.212.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228826; rev:1;) alert tcp $HOME_NET any -> [162.251.166.166] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228825; rev:1;) alert tcp $HOME_NET any -> [91.92.251.179] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228823; rev:1;) alert tcp $HOME_NET any -> [85.195.105.85] 7072 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228822; rev:1;) alert tcp $HOME_NET any -> [142.202.191.238] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress0low/bigload/defaultimagesql/sql7/pollserverprotectdefaultsqltraffictest.php"; depth:86; nocase; http.host; content:"77.83.173.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0903379.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228720; rev:1;) alert tcp $HOME_NET any -> [3.94.5.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; 
sid:91228718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2kb8sccbn3wgs.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/favicon"; depth:8; nocase; http.host; content:"d2kb8sccbn3wgs.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228716; rev:1;) alert tcp $HOME_NET any -> [82.102.218.155] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228713; rev:1;) alert tcp $HOME_NET any -> [85.195.137.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228712; rev:1;) alert tcp $HOME_NET any -> [78.101.236.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228711; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 41958 (msg:"ThreatFox 
Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228710; rev:1;) alert tcp $HOME_NET any -> [88.214.58.89] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hetooppentyir.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intros.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kefkfkf.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"landoflegendstore.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkappc.link"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkappd.link"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malletmissile.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mamkindomen.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"menrere.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; 
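sid:91228634; rev:1;)
# --- Reviewer notes for the ThreatFox rules in this section -------------------
# Domain rules: dns_query + content anchored at depth:<len> + isdataat:!1,relative
# means the queried name must equal the indicator exactly; a lookup for a
# subdomain (e.g. www.<indicator>) or for the parent zone does not fire.
# ip:port rules: there is no flow or content keyword, so any packet from
# $HOME_NET to that address:port matches (including the initial SYN);
# "threshold: type limit, track by_src, seconds 60, count 1" caps output to one
# alert per source host per 60 s.
# Confidence is carried both in msg and in metadata:confidence_level; this
# section contains entries below 100 (80 and 90).
# NOTE(review): several IP indicators look like cloud-provider address space and
# several domain indicators are hosting-preview / tunnel hostnames (plesk.page,
# ply.gg, tw1.ru); such infrastructure is re-used, so confirm an indicator is
# still live before promoting any of these alert rules to drop rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mistral3.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobilesuit.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228636; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opendoors.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"promakerboi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prunerflowershop.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rowlingimpala.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wejqwed.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228645; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grilledwings.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gzgbnserv639.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228624; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodideal.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"databasecontrol.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"functionalrejh.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"game2030.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukkva.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baskettorchaff.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adverting-cdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alogsme.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpacino.best"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigpetsmall.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blogsme.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clogsme.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cozanostra.best"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deniedfight.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfthdsb.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daymong.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed2efjw.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228613; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fasdas.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fickita.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fickitc.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fickotstuk.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdgserv29.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"untouchablename.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venecia.best"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228644; rev:1;)
alert tcp $HOME_NET any -> [124.223.64.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228704; rev:1;)
alert tcp $HOME_NET any -> [141.255.159.46] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228703; rev:1;)
# Destination port 53 over TCP only: UDP DNS traffic to this address is not covered by this rule.
alert tcp $HOME_NET any -> [71.24.150.141] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pics.d3fgg12.lol"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228701; rev:1;)
# URL rules: http.uri is a prefix match (depth only), http.host is an exact match (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cj13214.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228700; rev:1;)
alert tcp $HOME_NET any -> [47.100.199.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228699; rev:1;)
alert tcp $HOME_NET any -> [45.66.248.135] 4593 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"levellivingfield.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228697; rev:1;)
alert tcp $HOME_NET any -> [149.28.168.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228696; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228695; rev:1;)
alert tcp $HOME_NET any -> [62.171.159.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228694; rev:1;)
alert tcp $HOME_NET any -> [38.54.84.70] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228693; rev:1;)
alert tcp $HOME_NET any -> [46.45.130.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228692; rev:1;)
alert tcp $HOME_NET any -> [35.207.223.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228691; rev:1;)
alert tcp $HOME_NET any -> [18.195.76.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228690; rev:1;)
alert tcp $HOME_NET any -> [3.111.231.169] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228689; rev:1;)
alert tcp $HOME_NET any -> [3.144.241.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228688; rev:1;)
alert tcp $HOME_NET any -> [193.200.149.111] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228687; rev:1;)
alert tcp $HOME_NET any -> [68.183.157.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228686; rev:1;)
alert tcp $HOME_NET any -> [143.198.59.128] 40080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228685; rev:1;)
alert tcp $HOME_NET any -> [93.188.167.2] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228684; rev:1;)
alert tcp $HOME_NET any -> [43.139.220.166] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228683; rev:1;)
alert tcp $HOME_NET any -> [134.209.107.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228682; rev:1;)
alert tcp $HOME_NET any -> [3.125.178.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228681; rev:1;)
alert tcp $HOME_NET any -> [8.217.168.80] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228680; rev:1;)
alert tcp $HOME_NET any -> [115.159.152.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228679; rev:1;)
# The next two rules list separate hostnames under one zone; because each is an exact match, a query for the bare zone name does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.crypticgamings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.crypticgamings.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"objective-shannon.2-58-113-220.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228676; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.159] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228675; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.74] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228673; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.55] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228674; rev:1;)
alert tcp $HOME_NET any -> [172.206.62.226] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228672; rev:1;)
alert tcp $HOME_NET any -> [103.42.30.83] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228671; rev:1;)
alert tcp $HOME_NET any -> [87.237.54.174] 4447 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228670; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.cy-security.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228669; rev:1;)
alert tcp $HOME_NET any -> [191.82.202.123] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228668; rev:1;)
# Destination port 1433 is the conventional MSSQL port; NOTE(review): expect noise if $HOME_NET hosts legitimately reach this address's database service.
alert tcp $HOME_NET any -> [37.120.137.230] 1433 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228667; rev:1;)
alert tcp $HOME_NET any -> [88.99.210.25] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server289.mukhost.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228664; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.to-kgb.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228663; rev:1;)
# Same address on two ports (80 and 82) — two separate sids, each thresholded independently.
alert tcp $HOME_NET any -> [13.213.38.230] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228662; rev:1;)
alert tcp $HOME_NET any -> [13.213.38.230] 82 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228661; rev:1;)
alert tcp $HOME_NET any -> [198.186.130.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228660; rev:1;)
alert tcp $HOME_NET any -> [178.130.132.247] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nifty-clarke.137-184-80-125.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228658; rev:1;)
alert tcp $HOME_NET any -> [185.16.38.41] 2034 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228657; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.213] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228655; rev:1;)
alert tcp $HOME_NET any -> [212.102.59.84] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228656; rev:1;)
alert tcp $HOME_NET any -> [155.133.27.6] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228654; rev:1;)
alert tcp $HOME_NET any -> [122.114.18.86] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228653/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_06; classtype:trojan-activity; sid:91228653; rev:1;)
alert tcp $HOME_NET any -> [154.92.14.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228652; rev:1;)
alert tcp $HOME_NET any -> [62.234.31.154] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228651; rev:1;)
alert tcp $HOME_NET any -> [101.33.210.191] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228650; rev:1;)
alert tcp $HOME_NET any -> [182.92.179.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228649; rev:1;)
alert tcp $HOME_NET any -> [161.35.186.154] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228648; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qimen.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228647; rev:1;)
alert tcp $HOME_NET any -> [91.215.85.23] 22277 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228646; rev:1;)
alert tcp $HOME_NET any -> [66.42.105.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228597/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228597; rev:1;)
alert tcp $HOME_NET any -> [185.224.81.16] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228595; rev:1;)
alert tcp $HOME_NET any -> [185.164.163.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"49.atk.im"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228592; rev:1;)
alert tcp $HOME_NET any -> [141.98.196.77] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiilll1.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228594; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourself-catholic.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228554; rev:1;)
# FIX (rev bumped to 2) for sids 91228558, 91228559, 91228581, 91228580: the URL
# indicator for these entries is a bare hostname with no path, and the generator
# placed it in http.uri. Suricata's http.uri buffer holds the normalized request
# path/query, which for ordinary origin-form requests starts with "/" and never
# contains the hostname, so the original rules could only ever match proxy-style
# absolute-form requests and were effectively dead. They now match the hostname
# exactly in http.host, the same idiom the sibling URL rules use for the host
# part; the GET-only method constraint inherited from the generator is kept.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"gumuh5gm.kt007.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228558; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cmcqgm.kt007.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228559; rev:2;)
# NOTE(review): the two URI paths below resemble default Cobalt Strike GET profile paths; they are anchored to one host here, so specificity is kept — confirm against the ThreatFox entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"ns.tqrjfru.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"ns.tqrjfru.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"www.luxiaofei.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228581; rev:2;)
alert tcp $HOME_NET any -> [114.115.210.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bing921.215436454.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228580; rev:2;)
alert tcp $HOME_NET any -> [103.164.81.74] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk-once.520226.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228583; rev:1;)
alert 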
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.molang007.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228585; rev:1;) alert tcp $HOME_NET any -> [139.155.127.233] 8790 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228586; rev:1;) alert tcp $HOME_NET any -> [8.130.122.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msprojectserver.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wmpupdate.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228589; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"micros0fti.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228591; rev:1;) alert tcp $HOME_NET any -> [51.77.137.208] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228584; rev:1;) alert tcp $HOME_NET any -> [43.139.220.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228579; rev:1;) alert tcp $HOME_NET any -> [149.40.62.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"188.166.214.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228577/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228577; rev:1;) alert tcp $HOME_NET any -> [5.42.66.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/navigation"; depth:11; nocase; http.host; content:"updataus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updataus.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228575; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228572/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"23.95.197.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"16.171.112.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"165.154.132.129"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"ns.tqrjfru.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"locall.navybd-gov.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"locall.navybd-gov.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228563/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_06; classtype:trojan-activity; sid:91228563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228556; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 24544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpipepythonlowprotectdefaultgeneratortraffic.php"; depth:50; nocase; http.host; content:"990489lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228553; rev:1;) alert tcp $HOME_NET any -> [102.22.83.27] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"updates-nessus.org"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228552; rev:1;) alert tcp $HOME_NET any -> [43.134.183.43] 30002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228550; rev:1;) alert tcp $HOME_NET any -> [107.182.190.222] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228548; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 56274 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228547; rev:1;) alert tcp $HOME_NET any -> [116.203.123.207] 3001 (msg:"ThreatFox Vidar payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; 
sid:91228278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.123.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199588685141"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.232.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mcfuture"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199592921038"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"20.5.43.62"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"20.5.43.62"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228441/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228441; rev:1;) alert tcp $HOME_NET any -> [121.41.9.223] 23335 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.128.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"194.33.191.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"xex2napggq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"cccd1xzaza.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"vittixx2q.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"sabaasbaor.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"176.113.115.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"91.92.242.212"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"176.111.174.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"ghost23241312.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"ghost232412512.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"ghost232412312.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228502/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_06; classtype:trojan-activity; sid:91228502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epinciifirarda227.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epinciifirarda27.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228504/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epi2nciifirarda227.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epinciifirarda237.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epi3nciifirarda27.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epi5nciifirarda237.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"yobuy01.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228510; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228511; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228512; rev:1;) 
alert tcp $HOME_NET any -> [18.158.249.75] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228513; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228514; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228515; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"service-hzdzk12c-1318485841.gz.apigw.tencentcs.com"; depth:50; nocase; reference:url, threatfox.abuse.ch/ioc/1228518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; nocase; reference:url, threatfox.abuse.ch/ioc/1228519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"static-47-206-167-222.tamp.fl.frontiernet.net"; depth:45; nocase; reference:url, threatfox.abuse.ch/ioc/1228521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"47.206.167.222"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228520; rev:1;) alert tcp $HOME_NET any -> [45.13.119.251] 9932 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228524; rev:1;) alert tcp $HOME_NET any -> [176.223.133.62] 1290 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228525; rev:1;) alert tcp $HOME_NET any -> [23.159.248.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228545; rev:1;) alert tcp $HOME_NET any -> [142.247.111.85] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228544; rev:1;) alert tcp $HOME_NET any -> [104.157.2.130] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228543; rev:1;) alert tcp $HOME_NET any -> [213.35.152.193] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228542; rev:1;) alert tcp $HOME_NET any -> [20.61.52.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228541; rev:1;) alert tcp $HOME_NET any -> [188.166.39.71] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228540; rev:1;) alert tcp $HOME_NET any -> [195.90.223.120] 443 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228539; rev:1;) alert tcp $HOME_NET any -> [23.168.152.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228538; rev:1;) alert tcp $HOME_NET any -> [124.220.66.44] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228537/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228537; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228536; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228535; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228534/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_06; classtype:trojan-activity; sid:91228534; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228533; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228532; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228531; rev:1;) alert tcp $HOME_NET any -> [167.172.69.159] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228530; rev:1;) alert tcp $HOME_NET any -> [188.166.214.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228529; rev:1;) alert tcp $HOME_NET any -> [110.43.39.138] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vm8phpdatalife/7imagecentraldatalife/phplowlinuxgeneratorcdn.php"; depth:65; nocase; http.host; content:"185.103.101.0"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0902362.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228526; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12944 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228523; rev:1;) alert tcp $HOME_NET any -> [91.92.247.99] 46554 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228522; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228509; rev:1;) alert tcp $HOME_NET any -> [43.138.212.90] 4431 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-hs6w7s26-1317863896.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providertotemp.php"; depth:19; nocase; http.host; content:"276721cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228489; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1319554.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmccarth.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228486; rev:1;) alert tcp $HOME_NET any -> [34.93.252.18] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228485; rev:1;) alert tcp $HOME_NET any -> [18.236.198.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228484; rev:1;) alert tcp $HOME_NET any -> [3.145.135.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228483; rev:1;) alert tcp $HOME_NET any -> [52.6.94.197] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228482/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228482; rev:1;) alert tcp $HOME_NET any -> [82.157.157.190] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228481; rev:1;) alert tcp $HOME_NET any -> [42.192.42.48] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228480; rev:1;) alert tcp $HOME_NET any -> [2.58.113.172] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypticgamings.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228478; rev:1;) alert tcp $HOME_NET any -> [41.216.183.94] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.microsoft.authenticateoffice.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ethicalhackersworkshop.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228476; rev:1;) alert tcp $HOME_NET any -> [213.136.71.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naughty-elion.107-173-140-104.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228473; rev:1;) alert tcp $HOME_NET any -> [207.148.29.229] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228472; rev:1;) alert tcp $HOME_NET any -> [94.250.252.21] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1228471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228471; rev:1;) alert tcp $HOME_NET any -> [51.103.216.212] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228470; rev:1;) alert tcp $HOME_NET any -> [18.135.210.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228469; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228468; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228466; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228467; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 4003 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228465; rev:1;) alert tcp $HOME_NET any -> [23.159.248.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228463; rev:1;) alert tcp $HOME_NET any -> [47.99.188.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228464; rev:1;) alert tcp $HOME_NET any -> [44.210.141.208] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228462/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228462; rev:1;) alert tcp $HOME_NET any -> [38.207.173.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228461; rev:1;) alert tcp $HOME_NET any -> [103.27.186.143] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228460/; target:src_ip; metadata: confidence_level 90, first_seen 
2024_01_05; classtype:trojan-activity; sid:91228460; rev:1;) alert tcp $HOME_NET any -> [139.9.62.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228458; rev:1;) alert tcp $HOME_NET any -> [124.221.37.117] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228459; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228457; rev:1;) alert tcp $HOME_NET any -> [3.88.109.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228456; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 50003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228455; rev:1;) alert tcp $HOME_NET any -> [8.130.119.191] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228454; rev:1;) alert tcp $HOME_NET any -> [108.61.127.105] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228453; rev:1;) alert tcp $HOME_NET any -> [23.94.240.149] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228452; rev:1;) alert tcp $HOME_NET any -> [106.14.189.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guoxue.qimen.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228451; rev:1;) alert tcp $HOME_NET any -> [148.163.89.57] 44136 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; 
sid:91228449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"reitaust.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"piratia.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"piratia-life.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"esmic.at"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228445/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmp/"; depth:5; nocase; http.host; content:"cittrans.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"channelpi.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228443; rev:1;) alert tcp $HOME_NET any -> [139.162.170.233] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asdjjasdhioasdia.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cooldockmantoo.men"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckmy.website"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iliveona.cloud"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cjfop.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hbdfblf.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shetoldmeshewas12.uno"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homehitter.tk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228422/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_05; classtype:trojan-activity; sid:91228422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"idfdfh.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jxhfn.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skid.uno"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"getcred.uk"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckmy.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"dogeatingchink.uno"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckmy.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0kn.tech"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"opewu.homes"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228430; rev:1;) alert tcp $HOME_NET any -> [195.144.21.137] 6667 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228431; rev:1;) alert tcp $HOME_NET any -> [195.144.21.137] 888 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228432/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228432; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 6666 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228433; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 9701 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228434; rev:1;) alert tcp $HOME_NET any -> [20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228436; rev:1;) alert tcp $HOME_NET any -> [213.171.14.82] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228435; rev:1;) alert tcp $HOME_NET any -> [102.40.46.101] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228277/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228277; rev:1;) alert tcp $HOME_NET any -> [47.116.198.16] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228276/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228276; rev:1;) alert tcp $HOME_NET any -> [81.169.252.120] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228275/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228275; rev:1;) alert tcp $HOME_NET any -> [24.46.79.89] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228274/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228274; rev:1;) alert tcp $HOME_NET any -> [86.190.166.153] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228273; rev:1;) alert tcp $HOME_NET any -> [2.50.16.211] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228272; rev:1;) alert tcp $HOME_NET any -> [139.84.162.47] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228271; rev:1;) alert tcp $HOME_NET any -> [82.153.138.180] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228270; rev:1;) alert tcp $HOME_NET any -> [18.201.203.167] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228268; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228267; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228265; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1228266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228266; rev:1;) alert tcp $HOME_NET any -> [20.65.145.66] 1337 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228264; rev:1;) alert tcp $HOME_NET any -> [172.86.75.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"valarioulinity1.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vacantion18ffeu.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; 
nocase; http.host; content:"sulugilioiu19.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228260/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"selebration17io.io"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228259/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"goodfooggooftool.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cassiosssionunu.me"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"buriatiarutuhuob.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228256/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228256; rev:1;) alert tcp $HOME_NET any -> [5.61.37.91] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228250; rev:1;) alert tcp $HOME_NET any -> [46.17.41.112] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228251; rev:1;) alert tcp $HOME_NET any -> [91.241.93.253] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228252; rev:1;) alert tcp $HOME_NET any -> [139.144.212.80] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228253; rev:1;) alert tcp $HOME_NET any -> [176.10.111.99] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228254; rev:1;) alert tcp $HOME_NET any -> [185.14.30.10] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1228255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228255; rev:1;) alert tcp $HOME_NET any -> [141.255.145.242] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspacket.php"; depth:13; nocase; http.host; content:"62.109.15.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228248; rev:1;) alert tcp $HOME_NET any -> [103.178.235.88] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bngoc.skyljne.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228247; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228245/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_05; classtype:trojan-activity; sid:91228245; rev:1;) alert tcp $HOME_NET any -> [187.135.122.213] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228243; rev:1;) alert tcp $HOME_NET any -> [187.135.122.213] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228244; rev:1;) alert tcp $HOME_NET any -> [187.135.122.213] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228242; rev:1;) alert tcp $HOME_NET any -> [187.135.122.213] 1745 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stripchat70.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"stripchat70.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m18888.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228238; rev:1;) alert tcp $HOME_NET any -> [3.18.193.245] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228236; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4242 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228237; rev:1;) alert tcp $HOME_NET any -> [164.92.181.100] 3131 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228235; rev:1;) alert tcp $HOME_NET any -> [202.10.36.221] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228234/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_05; classtype:trojan-activity; sid:91228234; rev:1;) alert tcp $HOME_NET any -> [223.167.229.49] 8200 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228233; rev:1;) alert tcp $HOME_NET any -> [185.239.209.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228232; rev:1;) alert tcp $HOME_NET any -> [193.46.238.181] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228231; rev:1;) alert tcp $HOME_NET any -> [217.160.89.160] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228230; rev:1;) alert tcp $HOME_NET any -> [49.0.229.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228229; rev:1;) alert tcp $HOME_NET any -> [47.109.79.80] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228228; rev:1;) alert tcp $HOME_NET any -> [18.194.31.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228226; rev:1;) alert tcp $HOME_NET any -> [60.204.157.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228227; rev:1;) alert tcp $HOME_NET any -> [49.113.72.129] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228225; rev:1;) alert tcp $HOME_NET any -> [108.165.115.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228224; rev:1;) alert tcp $HOME_NET any -> [124.220.2.204] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228223; rev:1;) alert tcp $HOME_NET any -> [118.126.93.98] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228222; rev:1;) alert tcp $HOME_NET any -> [2.58.113.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228221; rev:1;) alert tcp $HOME_NET any -> [2.58.113.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228220; rev:1;) alert tcp $HOME_NET any -> [152.89.217.215] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228219; rev:1;) alert tcp $HOME_NET any -> [34.194.123.143] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ec2-35-169-28-72.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228218; rev:1;) alert tcp $HOME_NET any -> [3.217.28.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228216; rev:1;) alert tcp $HOME_NET any -> [185.225.200.120] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228215; rev:1;) alert tcp $HOME_NET any -> [141.98.83.242] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228214; rev:1;) alert tcp $HOME_NET any -> [18.130.69.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-239-255-86.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228212/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228212; rev:1;) alert tcp $HOME_NET any -> [188.166.39.71] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228211; rev:1;) alert tcp $HOME_NET any -> [65.108.111.159] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228210; rev:1;) alert tcp $HOME_NET any -> [149.28.201.102] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eurolub.ec4you.at"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"openbank-dispositivo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"info-ibercaja.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228206; rev:1;) alert tcp $HOME_NET any -> [45.76.87.78] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228205; rev:1;) alert tcp $HOME_NET any -> [91.107.127.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228204; rev:1;) alert tcp $HOME_NET any -> [92.63.106.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4-72-seguimiento.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-89-8-28.cprapid.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228201/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228201; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228200; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228199; rev:1;) alert tcp $HOME_NET any -> [151.80.238.21] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228198; rev:1;) alert tcp $HOME_NET any -> [198.12.125.30] 8801 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228197; rev:1;) alert tcp $HOME_NET any -> [45.126.209.4] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228196; rev:1;) alert tcp $HOME_NET any -> [103.82.134.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228195; rev:1;) alert tcp $HOME_NET any -> [91.109.190.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228194; rev:1;) alert tcp $HOME_NET any -> [45.32.99.50] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228193; rev:1;) alert tcp $HOME_NET any -> [166.1.190.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"sdfsj3h1s54-yh.foy9dong.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228191/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228191; rev:1;) alert tcp $HOME_NET any -> [152.32.210.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228190/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_05; classtype:trojan-activity; sid:91228190; rev:1;) alert tcp $HOME_NET any -> [36.99.39.121] 55442 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228188; rev:1;) alert tcp $HOME_NET any -> [152.32.210.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228189; rev:1;) alert tcp $HOME_NET any -> [111.231.22.61] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228187; rev:1;) alert tcp $HOME_NET any -> [8.136.241.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228186; rev:1;) alert tcp $HOME_NET any -> [47.112.137.119] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228185; rev:1;) alert tcp $HOME_NET any -> [46.101.69.223] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228183; rev:1;) alert tcp $HOME_NET any -> [139.9.62.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228184; rev:1;) alert tcp $HOME_NET any -> [202.144.192.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228182; rev:1;) alert tcp $HOME_NET any -> [101.133.225.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228181; rev:1;) alert tcp $HOME_NET any -> [47.111.227.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228179; rev:1;) alert tcp $HOME_NET any -> [47.111.227.202] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228180; rev:1;) alert tcp 
$HOME_NET any -> [47.94.56.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228178; rev:1;) alert tcp $HOME_NET any -> [60.204.231.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228176; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228177; rev:1;) alert tcp $HOME_NET any -> [120.48.58.156] 811 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228175; rev:1;) alert tcp $HOME_NET any -> [35.183.238.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228174; rev:1;) alert tcp $HOME_NET any -> [8.210.65.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228173; rev:1;) alert tcp $HOME_NET any -> [172.245.60.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228172; rev:1;) alert tcp $HOME_NET any -> [107.174.242.74] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228171; rev:1;) alert tcp $HOME_NET any -> [47.104.28.38] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228170; rev:1;) alert tcp $HOME_NET any -> [114.132.183.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228169; rev:1;) alert tcp $HOME_NET any -> [8.141.84.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"voiceai.linkedsl.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228167; rev:1;) alert tcp $HOME_NET any -> [91.92.245.15] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228166; rev:1;) alert tcp $HOME_NET any -> [62.197.48.112] 3333 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228165; rev:1;) alert tcp $HOME_NET any -> [91.238.181.238] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"blissful-shaw.45-61-162-107.plesk.page"; depth:38; nocase; reference:url, threatfox.abuse.ch/ioc/1228163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"45-61-162-107.cprapid.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1228164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228164; rev:1;) alert tcp $HOME_NET any -> [154.47.17.246] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"msprojectserver.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228157; rev:1;) alert tcp $HOME_NET any -> [5.42.64.57] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228158; rev:1;) alert tcp $HOME_NET any -> [5.42.66.49] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228159; rev:1;) alert tcp $HOME_NET any -> [45.76.208.125] 20001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.sys-ipsec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.99.34.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.adobe-soft.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/rd/c1ktwibhehcmdfebad2h12nw1-ioku7h2"; depth:50; nocase; http.host; content:"45.121.48.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228153; rev:1;) alert tcp $HOME_NET any -> [202.144.192.62] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns0248.euskinc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228151; rev:1;) alert tcp $HOME_NET any -> [54.89.165.37] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dmitolt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228149; rev:1;) alert tcp $HOME_NET any -> [152.32.210.127] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscs.luxiaofei.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228147; rev:1;) 
alert tcp $HOME_NET any -> [50.7.61.26] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.kp1nm8ao.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.kp1nm8ao.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228144; rev:1;) alert tcp $HOME_NET any -> [47.103.20.98] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.simplence.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.simplence.cn"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.simplence.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.4"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228139; rev:1;) alert tcp $HOME_NET any -> [185.130.226.143] 6575 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.53"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.55"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228081/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.54"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.59"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.61"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.60"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.77"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228085/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_05; classtype:trojan-activity; sid:91228085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.81"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.140"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.130"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.241.184"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.242.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.244.7"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.245.143"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.251.17"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.251.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.252.214"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228095; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.114"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.253.254"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.115"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.218"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228100; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.149"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.150"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.151"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.152"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.153"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.8"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.36"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.14"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.21"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.20"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.22"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.23"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.24"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.25"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.26"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"185.194.176.27"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.28"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.29"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.32"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"185.194.176.31"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.33"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.34"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.35"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.37"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.38"; depth:14; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.39"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.40"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.41"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.43"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.45"; depth:14; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.42"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.44"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.46"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.47"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.48"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228136/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228136; rev:1;) alert tcp $HOME_NET any -> [66.204.14.247] 55000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"123.207.46.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"grigorjevas.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1228062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"gourmand.lt"; depth:11; nocase; 
reference:url, threatfox.abuse.ch/ioc/1228063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mutualgrimness.entrydns.org"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1228064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"healthiertoday.site"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.136.84.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228076; rev:1;) alert tcp $HOME_NET any -> [194.116.191.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apiv8/getstatus"; depth:16; 
nocase; http.host; content:"194.116.191.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228071; rev:1;) alert tcp $HOME_NET any -> [120.55.82.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ongmanibeimeihong.cdnaliyun.top"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"ongmanibeimeihong.cdnaliyun.top"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228069; rev:1;) alert tcp $HOME_NET any -> [165.22.184.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_"; depth:2; nocase; http.host; content:"165.22.184.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.164.81.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228066; rev:1;) alert tcp $HOME_NET any -> [165.22.184.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228058; rev:1;) alert tcp $HOME_NET 
any -> [45.90.217.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228059/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"superendpoint.azureedge.net"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1228060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228061; rev:1;) alert tcp $HOME_NET any -> [194.87.218.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228057; rev:1;) alert tcp $HOME_NET any -> [216.224.123.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228056; rev:1;) alert tcp $HOME_NET any -> [104.243.25.78] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.dracumi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bestone/.nekoisdaddy.mips"; depth:26; nocase; http.host; content:"45.86.155.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cnc.nekololis.ovh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227986; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227987; rev:1;) alert tcp $HOME_NET any -> [45.86.155.249] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1227988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227988; rev:1;) alert tcp $HOME_NET any -> [45.229.237.214] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login/"; depth:12; nocase; http.host; content:"my-vidar.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login/"; depth:12; nocase; http.host; content:"my-odin.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sellers/auth/login"; depth:19; nocase; http.host; content:"egetfile.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login/"; depth:12; nocase; http.host; content:"testingversion.my-vidar.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228013; rev:1;) alert tcp $HOME_NET any -> [178.255.168.49] 4782 (msg:"ThreatFox Quasar RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228015; rev:1;) alert tcp $HOME_NET any -> [79.107.199.218] 6666 (msg:"ThreatFox Quasar RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ratsakis.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sfxn.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thietbiytebt.online"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228019; rev:1;) alert tcp $HOME_NET any -> [185.224.128.187] 7774 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228026; rev:1;) alert tcp $HOME_NET any -> [16.171.112.33] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228029; rev:1;) alert tcp $HOME_NET any -> [16.171.112.33] 18010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228030; rev:1;) alert tcp $HOME_NET any -> [84.54.51.74] 19285 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cdn.microsolt.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.147.231.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.153.240.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.242.53.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"46.29.162.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"104.194.156.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"172.86.66.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"172.86.70.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"176.32.33.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.220.180"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228054/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228054; rev:1;) alert tcp $HOME_NET any -> [5.75.220.180] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228053; rev:1;) alert tcp $HOME_NET any -> [139.224.188.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228044; rev:1;) alert tcp $HOME_NET any -> [71.88.240.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228043; rev:1;) alert tcp $HOME_NET any -> [94.98.78.18] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228042; rev:1;) alert tcp $HOME_NET any -> [50.35.133.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228041; rev:1;) alert tcp $HOME_NET any -> [78.100.238.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228040; rev:1;) alert tcp $HOME_NET any -> [176.44.67.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228039; rev:1;) alert tcp $HOME_NET any -> [86.236.26.94] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228038; rev:1;) alert tcp $HOME_NET any -> [69.159.0.230] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228037; rev:1;) alert tcp $HOME_NET any -> [179.96.164.40] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228036; rev:1;) alert tcp $HOME_NET any -> [160.238.36.135] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228035; rev:1;) alert tcp $HOME_NET any -> [45.61.187.244] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228034; rev:1;) alert tcp $HOME_NET any -> [143.110.151.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaleternalvideosecureprocessservermulti.php"; depth:49; nocase; http.host; content:"137953cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228028; rev:1;) alert tcp $HOME_NET any -> [37.220.80.225] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228027; rev:1;) alert tcp $HOME_NET any -> [177.7.164.13] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228025; rev:1;) alert tcp $HOME_NET any -> [93.179.113.142] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228009; rev:1;) alert tcp $HOME_NET any -> [159.65.147.98] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228008; rev:1;) alert tcp $HOME_NET any -> [111.193.206.216] 9333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"potomac-clickstream.usaa.website"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clix.usaa.website"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bfp.usaa.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228005/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"objects.usaa.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paxful.usaa.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228003; rev:1;) alert tcp $HOME_NET any -> [198.46.226.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228001; rev:1;) alert tcp $HOME_NET any -> [193.22.152.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228000; rev:1;) alert tcp $HOME_NET any -> [154.92.14.85] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infallible-lichterman.45-141-215-173.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227998; rev:1;) alert tcp $HOME_NET any -> [77.91.68.183] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitor.cll5.fact.solutions"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227996; rev:1;) alert tcp $HOME_NET any -> [91.92.250.211] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227995; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227994; rev:1;) alert tcp $HOME_NET any -> [124.70.196.94] 8883 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227993; rev:1;) alert tcp $HOME_NET any -> [165.154.132.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227992; rev:1;) alert tcp $HOME_NET any -> [165.154.132.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227991; rev:1;) alert tcp $HOME_NET any -> [101.43.30.194] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.43.58.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227983; rev:1;) alert tcp $HOME_NET any -> [108.30.227.173] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; 
classtype:trojan-activity; sid:91227982; rev:1;) alert tcp $HOME_NET any -> [95.217.236.92] 39545 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227980; rev:1;) alert tcp $HOME_NET any -> [89.247.50.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227979; rev:1;) alert tcp $HOME_NET any -> [18.153.210.153] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227978; rev:1;) alert tcp $HOME_NET any -> [159.253.120.84] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227977; rev:1;) alert tcp $HOME_NET any -> [5.230.74.102] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227976; rev:1;) alert tcp $HOME_NET any -> [38.47.101.14] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227975; rev:1;) alert tcp $HOME_NET any -> [35.80.38.180] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227974; rev:1;) alert tcp $HOME_NET any -> [122.51.216.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227973; rev:1;) alert tcp $HOME_NET any -> [154.85.56.248] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227972; rev:1;) alert tcp $HOME_NET any -> [74.12.145.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227971; rev:1;) alert tcp $HOME_NET any -> [83.110.196.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227970; rev:1;) alert tcp $HOME_NET any -> [194.87.31.229] 6438 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227969/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227969; rev:1;) alert tcp $HOME_NET any -> [65.108.20.160] 11396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227968; rev:1;) alert tcp $HOME_NET any -> [212.25.9.240] 1099 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227967; rev:1;) alert tcp $HOME_NET any -> [136.244.108.223] 1411 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227966; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227965; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227964/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_04; classtype:trojan-activity; sid:91227964; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227963; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.petrus4.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ritestowritemyword.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227960; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227959; rev:1;) alert tcp $HOME_NET any -> [18.143.166.2] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227958; rev:1;) alert tcp $HOME_NET any -> [45.249.244.18] 89 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227957; rev:1;) alert tcp $HOME_NET any -> [143.110.147.108] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227956; rev:1;) alert tcp $HOME_NET any -> [18.197.64.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227955; rev:1;) alert tcp $HOME_NET any -> [13.43.41.39] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227953; rev:1;) alert tcp $HOME_NET any -> [18.197.64.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227954/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_04; classtype:trojan-activity; sid:91227954; rev:1;) alert tcp $HOME_NET any -> [3.107.10.141] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227952; rev:1;) alert tcp $HOME_NET any -> [139.59.44.192] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227951; rev:1;) alert tcp $HOME_NET any -> [139.59.17.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227950; rev:1;) alert tcp $HOME_NET any -> [69.162.150.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227949; rev:1;) alert tcp $HOME_NET any -> [18.197.171.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227947; rev:1;) alert tcp $HOME_NET any -> [18.197.171.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227948; rev:1;) alert tcp $HOME_NET any -> [212.64.195.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227946; rev:1;) alert tcp $HOME_NET any -> [18.102.176.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sessions.usaa.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lms.usaa.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sensors.usaa.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227942/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobile2.usaa.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure07c.usaa.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227941; rev:1;) alert tcp $HOME_NET any -> [147.139.1.27] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227939; rev:1;) alert tcp $HOME_NET any -> [8.134.138.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227938; rev:1;) alert tcp $HOME_NET any -> [216.238.111.60] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227937; rev:1;) alert tcp $HOME_NET any -> [150.158.150.131] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227936; rev:1;) alert tcp $HOME_NET any -> [116.211.228.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"payandhay.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.payandhay.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227933; rev:1;) alert tcp $HOME_NET any -> [51.195.83.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227932; rev:1;) alert tcp $HOME_NET any -> [51.195.83.133] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip133.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ps1l0n.life"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agniane.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkeye.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-729780f6.vps.ovh.ca"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; 
classtype:trojan-activity; sid:91227926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rastro.pages.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z3us.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vectorstealer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227923; rev:1;) alert tcp $HOME_NET any -> [54.210.248.214] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227922; rev:1;) alert tcp $HOME_NET any -> [45.141.215.173] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227921; rev:1;) alert tcp $HOME_NET any -> [97.120.154.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227920; rev:1;) alert tcp $HOME_NET any -> [65.20.68.219] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227919; rev:1;) alert tcp $HOME_NET any -> [20.217.81.50] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227918; rev:1;) alert tcp $HOME_NET any -> [185.16.38.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227917; rev:1;) alert tcp $HOME_NET any -> [103.59.94.45] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227916; rev:1;) alert tcp $HOME_NET any -> [13.235.254.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227914; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lightfull.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227915; rev:1;) alert tcp $HOME_NET any -> [37.120.137.230] 3333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov.fvds.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227912; rev:1;) alert tcp $HOME_NET any -> [97.151.208.70] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227911; rev:1;) alert tcp $HOME_NET any -> [206.123.132.170] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227910; rev:1;) alert tcp $HOME_NET any -> [190.213.184.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1227909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227909; rev:1;) alert tcp $HOME_NET any -> [88.235.35.170] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227907; rev:1;) alert tcp $HOME_NET any -> [212.102.59.84] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227908; rev:1;) alert tcp $HOME_NET any -> [39.100.128.2] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227906; rev:1;) alert tcp $HOME_NET any -> [107.172.201.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227905; rev:1;) alert tcp $HOME_NET any -> [162.33.178.80] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227904; rev:1;) alert tcp $HOME_NET any -> 
[154.39.245.146] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227903; rev:1;) alert tcp $HOME_NET any -> [165.154.183.177] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227902/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_04; classtype:trojan-activity; sid:91227902; rev:1;) alert tcp $HOME_NET any -> [47.120.47.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227901; rev:1;) alert tcp $HOME_NET any -> [101.43.58.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227900; rev:1;) alert tcp $HOME_NET any -> [47.99.34.158] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227899; rev:1;) alert tcp $HOME_NET any -> [114.116.30.63] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227898/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227898; rev:1;)
# NOTE(review): the ip:port rules carry no flow keyword, so any TCP segment from
# $HOME_NET towards the listed address:port matches (a bare SYN from an internal
# scanner is enough). The per-rule threshold (limit, by_src, 1 per 60 s) only caps
# alert volume per source; it does not add fidelity.
alert tcp $HOME_NET any -> [20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227897; rev:1;)
alert tcp $HOME_NET any -> [44.221.115.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227896; rev:1;)
# NOTE(review): URL rules. http.uri is anchored at offset 0 (depth equals the
# pattern length) but not end-anchored, so a query string after the path still
# matches. http.host IS end-anchored (isdataat:!1,relative): a Host header that
# carries a port suffix ("114.115.210.125:8080") will not match. If a C2 is
# served on a non-default port, drop the isdataat or add a ":port" variant.
# The msg carries no malware family; adjacent ip:port rules in this batch are
# labelled Cobalt Strike and the paths resemble Malleable C2 profile defaults,
# but confirm attribution on the referenced IOC page rather than assuming it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.3.2.253"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.139.74.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"206.119.171.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"23.26.147.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; 
classtype:trojan-activity; sid:91227889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.95.197.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acces/login"; depth:12; nocase; http.host; content:"62.72.33.132"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acces/login"; depth:12; nocase; http.host; content:"62.72.33.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acces/login"; depth:12; nocase; http.host; content:"5.230.72.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227887; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227884; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227883; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227882; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard"; depth:10; nocase; http.host; content:"94.242.53.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227880; rev:1;) alert tcp $HOME_NET any -> [103.151.228.65] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227879/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227879; rev:1;) alert tcp $HOME_NET any -> [137.175.17.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227878; rev:1;) alert tcp $HOME_NET any -> [194.147.140.205] 4040 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227877; rev:1;) alert tcp $HOME_NET any -> [93.123.85.79] 1337 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227875; rev:1;) alert tcp $HOME_NET any -> [103.13.209.45] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227876; rev:1;) alert tcp $HOME_NET any -> [141.98.10.85] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"igo0gle.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227872; rev:1;)
# BUG(review): sids 91227872/91227871 and 91227873/91227874 place a bare hostname
# in the http.uri buffer, anchored at offset 0 (depth equals the pattern length).
# An origin-form request URI begins with "/", so none of these four rules can
# match ordinary client traffic. The IOC is labelled "url" and the only data
# present is the host (ftp.)igo0gle.com, which belongs in http.host, e.g.
# `http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative;` - or the
# path portion of the IOC (not shown here) belongs in http.uri. Each pair is
# also identical in detection logic (only the IOC reference differs), so once
# fixed, one of each pair is redundant and will double-alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"igo0gle.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ftp.igo0gle.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ftp.igo0gle.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227874; rev:1;)
alert tcp $HOME_NET any -> [110.42.214.238] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227870; rev:1;)
# NOTE(review): 170.130.55.84 is covered twice - this ip:port rule (fires on any
# packet to port 80, including the SYN) and the URL rule sid 91227867 below
# (established flow, exact Host match). Expect both for one beacon; the URL rule
# is the higher-fidelity one for triage.
alert tcp $HOME_NET any -> [170.130.55.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227865; rev:1;)
# BUG(review): same defect as above - hostname in http.uri at offset 0, so this
# rule cannot match an origin-form request; the host belongs in http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"flsgfjrughtsvsv.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1227866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"170.130.55.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"94.74.105.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"118.31.114.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.46.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227860; rev:1;) alert tcp $HOME_NET any -> [45.150.65.159] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227859/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227859; rev:1;)
# NOTE(review): domain rules match the queried name exactly (depth equals the
# pattern length plus isdataat:!1,relative), so a lookup of any sub-label under
# the listed domain is not caught. Direction is $HOME_NET -> $EXTERNAL_NET: with
# an internal resolver inside $HOME_NET, the infected client's query never
# leaves $HOME_NET and only the resolver's recursive lookup matches, so
# target:src_ip will name the resolver, not the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsns1.container911.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227858; rev:1;)
# NOTE(review): 47.99.34.158 also appears on port 8080 at confidence 100 in this
# batch (sid 91227899); a hit on either port should be triaged as the same host.
alert tcp $HOME_NET any -> [47.99.34.158] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227855; rev:1;)
# NOTE(review): the same gateway hostname is covered by a URL rule (sid 91227853,
# cleartext HTTP only - it will not see TLS unless traffic is decrypted) and a
# DNS rule (sid 91227854); one beacon normally raises both. "/api/x" is a prefix
# match (no end anchor), so "/api/xyz" on that host also fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-18c6z8nb-1303896379.sh.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-18c6z8nb-1303896379.sh.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227854; rev:1;)
# NOTE(review): the same path "/del/lockout/q56sz0mji3" is listed for three hosts
# (sids 91227852, 91227851, 91227850); presumably one campaign or C2 profile -
# treat a hit on any of them as related.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/lockout/q56sz0mji3"; depth:23; nocase; http.host; content:"120.76.174.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/lockout/q56sz0mji3"; depth:23; nocase; http.host; content:"101.132.148.46"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/lockout/q56sz0mji3"; depth:23; nocase; http.host; content:"47.93.222.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227850/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_04; classtype:trojan-activity; sid:91227850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227848; rev:1;) alert tcp $HOME_NET any -> [206.189.206.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227847; rev:1;) alert tcp $HOME_NET any -> [45.155.249.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dofor/v7.66/lkcfceuyz8j3"; depth:25; nocase; http.host; content:"45.155.249.164"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tybytimemunutere.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"stanystarysturu.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"thethuthe3.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; 
sid:91227840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sinuptinulium.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sindusyndy.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"rakutenmakutern.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"opengamerstypepsy.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"lumustruoues.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"lovelyloversbouuyrs.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baykusdnamcaya.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birigeldomisosnet.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"borabirincigelez.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"borabirinicedfores.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"borarsaborabirinci.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boryoboresbirinci.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gahyonmedsosges.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikincipansizde.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lagelogelolsiki.net"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laylolsosdesike.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lofeyomefofsiki.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logaloledsossiki.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loledosiki.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolforfaysike.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227736/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myidtelstra.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sedoesdomanecomanes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sedaborabirinciel.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227738; rev:1;) alert tcp $HOME_NET any -> [83.85.165.190] 1604 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sp1oorat.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227745; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kineticwing.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"kineticwing.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"kineticwing.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227749; rev:1;) alert tcp $HOME_NET any -> [109.123.227.104] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227753; rev:1;) alert tcp $HOME_NET any -> [192.248.174.52] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227752/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_04; classtype:trojan-activity; sid:91227752; rev:1;) alert tcp $HOME_NET any -> [152.89.218.212] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227756; rev:1;) alert tcp $HOME_NET any -> [187.224.3.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227832; rev:1;) alert tcp $HOME_NET any -> [149.109.140.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227831; rev:1;) alert tcp $HOME_NET any -> [74.12.145.184] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227830; rev:1;) alert tcp $HOME_NET any -> [190.28.114.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227829; rev:1;) alert tcp $HOME_NET any -> [119.156.27.89] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1227828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227828; rev:1;) alert tcp $HOME_NET any -> [54.233.207.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227827; rev:1;) alert tcp $HOME_NET any -> [186.13.27.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227818; rev:1;) alert tcp $HOME_NET any -> [79.107.158.59] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227817; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227816; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227815; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2096 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227813; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227814; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227811; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227812; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227810; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 1622 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227808/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227808; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227809; rev:1;) alert tcp $HOME_NET any -> [65.108.17.222] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227807; rev:1;) alert tcp $HOME_NET any -> [104.168.24.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227806; rev:1;) alert tcp $HOME_NET any -> [193.200.149.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227805; rev:1;) alert tcp $HOME_NET any -> [34.122.61.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227804; rev:1;) alert tcp $HOME_NET any -> [49.12.233.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227803; rev:1;) alert tcp $HOME_NET any -> [118.25.19.201] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227802; rev:1;) alert tcp $HOME_NET any -> [85.31.234.246] 1723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gettymefondeploy.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227800; rev:1;) alert tcp $HOME_NET any -> [39.107.95.199] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227799; rev:1;) alert tcp $HOME_NET any -> [146.190.112.135] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227798/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-201-97-6.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227797; rev:1;) alert tcp $HOME_NET any -> [45.42.45.10] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stupefied-germain.45-141-215-173.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227795; rev:1;) alert tcp $HOME_NET any -> [45.93.20.207] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227793; rev:1;) alert tcp $HOME_NET any -> [85.192.63.57] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227794; rev:1;) alert tcp $HOME_NET any -> [27.74.166.36] 8000 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227791; rev:1;) alert tcp $HOME_NET any -> [27.74.166.36] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227792; rev:1;) alert tcp $HOME_NET any -> [176.29.69.108] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.msservice.workers.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227789; rev:1;) alert tcp $HOME_NET any -> [64.156.192.19] 2222 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpdesktops.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227788; rev:1;) alert tcp $HOME_NET any -> [146.190.236.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1502954.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227785; rev:1;) alert tcp $HOME_NET any -> [70.34.252.163] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my-package-tracking.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flintton.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227782; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-an-clk.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227781; rev:1;) alert tcp $HOME_NET any -> [91.107.124.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vigilant-elbakyan.159-89-8-28.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227779; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 78 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227778; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227777; rev:1;) alert tcp $HOME_NET any -> [23.94.62.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227776; rev:1;) alert tcp $HOME_NET any -> [20.52.118.210] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227775/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_04; classtype:trojan-activity; sid:91227775; rev:1;) alert tcp $HOME_NET any -> [39.107.102.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227774; rev:1;) alert tcp $HOME_NET any -> [45.207.47.21] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227772; rev:1;) alert tcp $HOME_NET any -> [123.57.77.11] 8992 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227773; rev:1;) alert tcp $HOME_NET any -> [121.40.233.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227771; rev:1;) alert tcp $HOME_NET any -> 
[117.50.179.195] 4436 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227770; rev:1;) alert tcp $HOME_NET any -> [20.231.208.182] 3080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227769; rev:1;) alert tcp $HOME_NET any -> [64.176.82.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227768; rev:1;) alert tcp $HOME_NET any -> [110.40.213.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227766; rev:1;) alert tcp $HOME_NET any -> [8.134.219.118] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227767; rev:1;) alert tcp $HOME_NET any -> [154.9.255.242] 48084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227765; rev:1;) alert tcp $HOME_NET any -> [103.146.179.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227763; rev:1;) alert tcp $HOME_NET any -> [146.56.234.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227764; rev:1;) alert tcp $HOME_NET any -> [43.128.54.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227762; rev:1;) alert tcp $HOME_NET any -> [172.111.218.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227761; rev:1;) alert tcp $HOME_NET any -> [114.115.210.125] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dracumi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-205-161-207.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227757; rev:1;) alert tcp $HOME_NET any -> [124.221.235.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227758; rev:1;) alert tcp $HOME_NET any -> [103.13.209.45] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227754/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227754; rev:1;) alert tcp $HOME_NET any -> [167.160.90.93] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227751; rev:1;) alert tcp $HOME_NET any -> [45.88.186.145] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227746; rev:1;) alert tcp $HOME_NET any -> [193.168.141.241] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_03; classtype:trojan-activity; sid:91227742; rev:1;) alert tcp $HOME_NET any -> [193.233.202.4] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227743/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_03; classtype:trojan-activity; sid:91227743; rev:1;) alert tcp $HOME_NET any -> [91.229.239.230] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_03; classtype:trojan-activity; sid:91227741; rev:1;) alert tcp $HOME_NET any -> [47.253.43.163] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227740; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0899944.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"194.36.190.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"216.158.225.153"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.84.140.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.156.172.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.95.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"159.100.9.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.197.1.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.242.53.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227705/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.242.53.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.70.71"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.92.248.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.69.251"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.70.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.69.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.141.37.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.155.250.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.69.80"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1227698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.8.159.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.11.182.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.68.152"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"31.13.195.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.68.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.40.118"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.46.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/split/d/7473220op"; depth:18; nocase; http.host; content:"39.100.128.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227687; rev:1;) alert tcp $HOME_NET any -> [39.100.128.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basepollimage/3_/requestpacket2/tempdb/7pipe2/temporarypipe/providervideolinephprequestprocesslinuxtraffictemp.php"; depth:115; nocase; http.host; content:"185.106.94.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227721; rev:1;) alert tcp $HOME_NET any -> [37.210.32.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227720; rev:1;) alert tcp $HOME_NET any -> [86.98.8.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227719; rev:1;) alert tcp $HOME_NET any -> [78.101.91.145] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227718; rev:1;) alert tcp $HOME_NET any -> [184.70.132.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227717/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227717; rev:1;) alert tcp $HOME_NET any -> [37.27.27.94] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227716; rev:1;) alert tcp $HOME_NET any -> [179.96.164.30] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227715; rev:1;) alert tcp $HOME_NET any -> [194.190.152.81] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.103.90.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227713; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227686; rev:1;) alert tcp $HOME_NET any -> 
[18.192.93.86] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227685; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227684; rev:1;) alert tcp $HOME_NET any -> [116.202.180.148] 2024 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227682; rev:1;) alert tcp $HOME_NET any -> [5.75.215.64] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"116.202.180.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gayretoploforeztolezkoz.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayhonkolimbinesos.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raygovalizrobinezcomez.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"rayrovelemanze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sevcikconcikdomilezdolerez.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sevdalimdolemezdidos.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teygolfaygoldoleriz.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaryedtormentosco.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227677; rev:1;) alert tcp $HOME_NET any -> [95.217.82.39] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227627; rev:1;) alert tcp $HOME_NET any -> [185.209.161.162] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227628; rev:1;) alert tcp $HOME_NET any -> [91.92.253.3] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227629; rev:1;) alert tcp $HOME_NET any -> [91.92.242.217] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227630; rev:1;) alert tcp $HOME_NET any -> [91.92.253.159] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227631; rev:1;) alert tcp $HOME_NET any -> [188.54.123.236] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227670; rev:1;) alert tcp $HOME_NET any -> [160.179.104.109] 995 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227669; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227668; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227667; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227665; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227666; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227663/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_03; classtype:trojan-activity; sid:91227663; rev:1;)
# --- Reviewer notes on the two rule shapes used in this section of the feed ---
# ip:port rules ("alert tcp $HOME_NET any -> [<ip>] <port>") carry no flow: keyword,
#   so any TCP packet from HOME_NET towards that socket fires the rule, a lone SYN
#   or a scanner's probe included; "threshold: type limit, track by_src, seconds 60,
#   count 1" then caps output at one alert per internal source per minute, and
#   "target:src_ip" marks that internal source as the victim side for triage.
#   Provider-generated reverse names appear among the domains below (amazonaws.com,
#   googleusercontent.com, linodeusercontent.com, cprapid.com hostnames), i.e. shared
#   hosting that gets reassigned; re-check the threatfox.abuse.ch/ioc/<id>/ reference
#   before acting on an alert against a busy port such as 80 or 443.
# domain rules ("dns_query; content:"<name>"; depth:<len>; isdataat:!1,relative; nocase")
#   pin the entire queried name: depth equals the name's length and nothing may follow,
#   so only the exact name matches - sub-labels of a listed domain do not.
# sid is "9" followed by the ThreatFox IoC id from the reference URL; the metadata
#   confidence_level (100 or 90 in this section) and first_seen tags are the handles
#   for suppressing or ageing out entries in a local tuning layer.
alert tcp $HOME_NET any -> [187.135.122.175] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227664; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227662; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227661; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227659; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 1701 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227660; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227658; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227657; rev:1;)
alert tcp $HOME_NET any -> [47.7.145.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227656/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736631.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1518644.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigscreenthrills.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227653; rev:1;)
alert tcp $HOME_NET any -> [104.168.24.196] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227652; rev:1;)
alert tcp $HOME_NET any -> [104.193.111.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227651; rev:1;)
alert tcp $HOME_NET any -> [13.42.177.28] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227650; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4431 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227649; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4449 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227648; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227647; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227646; rev:1;)
alert tcp $HOME_NET any -> [34.247.168.187] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227645; rev:1;)
alert tcp $HOME_NET any -> [64.227.130.150] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227644; rev:1;)
alert tcp $HOME_NET any -> [13.42.163.200] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227643; rev:1;)
alert tcp $HOME_NET any -> [3.35.8.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227642; rev:1;)
alert tcp $HOME_NET any -> [80.85.154.199] 4578 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227641; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logs.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smetrics.customerportalverify.store"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads.customerportalverify.store"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227638; rev:1;)
alert tcp $HOME_NET any -> [59.110.9.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227637; rev:1;)
alert tcp $HOME_NET any -> [121.196.193.21] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227636; rev:1;)
alert tcp $HOME_NET any -> [103.145.191.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227635; rev:1;)
alert tcp $HOME_NET any -> [38.181.34.201] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227634; rev:1;)
alert tcp $HOME_NET any -> [39.104.226.130] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227633; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmrpool.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-224-145-107.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227626; rev:1;)
alert tcp $HOME_NET any -> [35.169.28.72] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227625; rev:1;)
alert tcp $HOME_NET any -> [77.105.146.152] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227624; rev:1;)
alert tcp $HOME_NET any -> [91.103.253.184] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227623; rev:1;)
alert tcp $HOME_NET any -> [75.130.243.162] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227622; rev:1;)
alert tcp $HOME_NET any -> [99.103.131.181] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227621; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.110] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walbuschgruppe.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.achiversacademy.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227619; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"activelifes.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227616; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202311142188246753.nicesrv.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227617; rev:1;)
alert tcp $HOME_NET any -> [216.238.78.129] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vistc.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"174.151.189.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227613; rev:1;)
alert tcp $HOME_NET any -> [47.93.42.113] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227612; rev:1;)
alert tcp $HOME_NET any -> [62.234.61.157] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.123.87.21.65.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227610; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avtokuba.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ladyrai.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227608; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceifador.benzetacil.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227607; rev:1;)
alert tcp $HOME_NET any -> [34.203.226.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invadersec.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227606; rev:1;)
alert tcp $HOME_NET any -> [37.230.112.206] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-162-33-94.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227603; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.30] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227602; rev:1;)
alert tcp $HOME_NET any -> [80.87.197.162] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227600; rev:1;)
alert tcp $HOME_NET any -> [181.215.49.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227601; rev:1;)
alert tcp $HOME_NET any -> [181.215.49.104] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227599; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.159-89-8-28.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227598; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"137-184-80-125.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227597; rev:1;)
alert tcp $HOME_NET any -> [47.95.197.160] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227596; rev:1;)
alert tcp $HOME_NET any -> [37.1.214.209] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227595; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.62] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227594; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.36] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227592; rev:1;)
alert tcp $HOME_NET any -> [190.213.184.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227593; rev:1;)
alert tcp $HOME_NET any -> [135.125.27.218] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227591; rev:1;)
alert tcp $HOME_NET any -> [14.234.25.153] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227590; rev:1;)
# The next entries carry confidence_level 90 (ShadowPad, Sliver); the only visible
# difference from the 100% entries is the metadata value, so any local filtering
# on confidence must key on that field rather than on msg text.
alert tcp $HOME_NET any -> [194.116.191.150] 88 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227589/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227589; rev:1;)
alert tcp $HOME_NET any -> [159.203.149.148] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227588/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227588; rev:1;)
alert tcp $HOME_NET any -> [194.190.152.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227587/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227587; rev:1;)
alert tcp $HOME_NET any -> [165.227.210.49] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227586/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227586; rev:1;)
alert tcp $HOME_NET any -> [45.8.158.71] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227585; rev:1;)
alert tcp $HOME_NET any -> [77.91.100.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227584; rev:1;)
alert tcp $HOME_NET any -> [101.132.182.180] 5111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227582; rev:1;)
alert tcp $HOME_NET any -> [38.47.106.38] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227583; rev:1;)
alert tcp $HOME_NET any -> [47.236.28.58] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227581; rev:1;)
alert tcp $HOME_NET any -> [43.204.108.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227580; rev:1;)
alert tcp $HOME_NET any -> [122.51.41.5] 5677 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227579; rev:1;)
alert tcp $HOME_NET any -> [155.94.140.13] 61259 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227578; rev:1;)
alert tcp $HOME_NET any -> [8.130.116.89] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227576; rev:1;)
alert tcp $HOME_NET any -> [116.204.89.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227577; rev:1;)
alert tcp $HOME_NET any -> [43.129.187.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227575; rev:1;)
alert tcp $HOME_NET any -> [45.207.47.21] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227574; rev:1;)
alert tcp $HOME_NET any -> [45.121.48.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227572; rev:1;)
alert tcp $HOME_NET any -> [103.229.54.221] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227573; rev:1;)
alert tcp $HOME_NET any -> [101.200.120.13] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227571; rev:1;)
alert tcp $HOME_NET any -> [51.250.16.184] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227569; rev:1;)
alert tcp $HOME_NET any -> [47.115.220.95] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227570; rev:1;)
alert tcp $HOME_NET any -> [46.17.104.221] 54545 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227568; rev:1;)
alert tcp $HOME_NET any -> [94.74.105.131] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227567; rev:1;)
alert tcp $HOME_NET any -> [38.12.28.100] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227565; rev:1;)
alert tcp $HOME_NET any -> [38.12.28.100] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227566; rev:1;)
alert tcp $HOME_NET any -> [120.48.58.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227564; rev:1;)
alert tcp $HOME_NET any -> [8.134.172.115] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227563; rev:1;)
alert tcp $HOME_NET any -> [124.220.163.73] 65009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227561; rev:1;)
alert tcp $HOME_NET any -> [39.106.226.198] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227562; rev:1;)
alert tcp $HOME_NET any -> [111.67.195.164] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227560; rev:1;)
alert tcp $HOME_NET any -> [74.48.19.156] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227559; rev:1;)
alert tcp $HOME_NET any -> [121.40.233.196] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227557; rev:1;)
alert tcp $HOME_NET any -> [82.157.167.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227558; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.15] 65235 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227556; rev:1;)
alert tcp $HOME_NET any -> [111.231.22.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.linxun.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227554; rev:1;)
alert tcp $HOME_NET any -> [45.61.162.107] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227552; rev:1;)
alert tcp $HOME_NET any -> [110.40.213.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227553; rev:1;)
# Credit-card-skimming domains use classtype:bad-unknown instead of trojan-activity;
# classification-based priority or routing in classification.config treats them
# differently from the C2 entries above, even though the match logic is identical.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tracker.web-cockpit.jp"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"passenger210.bar"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bus527.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"follow707.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"war740.engineer"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"block714.mobi"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bind853.me"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"temple321.bar"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming 
(domain - confidence level: 100%)"; dns_query; content:"earn454.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"heavy689.immo"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"door111.network"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"blind227.boutique"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"salt204.me"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lynxer.monster"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dig159.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gymorning.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hovr.monster"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"strimmr.buzz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"7raven.uno"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227543; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"depth305.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"2blu.cloud"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"slavery588.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"reduction925.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"supper728.gifts"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"mn-vps.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"literature539.space"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gxmod.pics"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"secures-tool.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227523; rev:1;) alert tcp $HOME_NET any -> [88.214.27.53] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba.css"; depth:7; nocase; http.host; content:"dzxngxmlsim3.cloudfront.net"; depth:27; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"gonamph.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asalamakolemezdoes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahlokezdolepizdomer.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahmetdolezdolirmolipdom.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygabolemezdomenezcom.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227493/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygoodfoledopel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taytoplopidolep.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"chaojimanyi.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"chaojimanyi.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0899050.xsph.ru"; 
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceptolezcominezcoydez.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cevapveremezdolemereszoes2.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cevapveremezdolemezdolirezdoremifadso.net"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domlezcomlezdomdenyomegdo.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haygodfolmoldol.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haytoplokezdolezdominec.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hepgeldomkelzdomezforez.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nededlokezdolerezsos3.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raceptoplumdemezdey.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saydornolicezdome.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227458/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_03; classtype:trojan-activity; sid:91227458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayfedkolyegelme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygakolbalabana.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygaydolezlomiedco.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygolezdolemeze.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahriyedsolemezdolerede2.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227465; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalidoleredominezdolez.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caygadholemerezdolez.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capcanboylokemez.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cayferelokimizedolem.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.250.214"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1227445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"tahridyolezdolemez.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygedyolezdomezdominez.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalokezdolemrezced5.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalidyolezdoliezdominez.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalimcominezdoles.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtaravilazdolerez.com"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtatgoblindomlin.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtaydomlokezdoleriz.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahyolezdolemezdo.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarafdalimezdolemezdolerez.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarhanelokezdol.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayfederlokizdolerizne.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayfundolemezdo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayhadlokezdolereme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayrepcanogelmezo.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taytoreztoleztomelez.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227480/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_03; classtype:trojan-activity; sid:91227480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tufankolfodemolezdor.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuftoflokezdoriez.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yathohkolfaledtosun.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yayfolezdolemenegidiyo.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"arpa.viewdns.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227432/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_03; classtype:trojan-activity; sid:91227432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"arpa.viewdns.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"arpa.viewdns.net"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1227434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.111.218.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.45.83.223"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.252.177.247"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1227440/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.1.213.121"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1227441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.252.1.225"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1227442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.153.48.176"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1227443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"66.11.117.40"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1227444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227444; rev:1;) alert tcp $HOME_NET any -> [154.3.2.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227438; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.105.31.188"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227436; rev:1;) alert tcp $HOME_NET any -> [109.248.144.199] 1333 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227430; rev:1;) alert tcp $HOME_NET any -> [1.12.36.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.153.206.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"service-pgxnje5g-1307231181.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"193.201.9.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227424; rev:1;) alert tcp $HOME_NET any -> [107.182.190.222] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.116.17.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227422; rev:1;) alert tcp $HOME_NET any -> [185.222.58.113] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227421; rev:1;) alert tcp $HOME_NET any -> [46.190.144.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227417; rev:1;) alert tcp $HOME_NET any -> [185.250.210.93] 80 (msg:"ThreatFox Hook botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227418; rev:1;) alert tcp $HOME_NET any -> [91.92.244.42] 9087 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227419; rev:1;) alert tcp $HOME_NET any -> [165.232.153.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227420; rev:1;) alert tcp $HOME_NET any -> [123.20.56.214] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56f47e918c5386bf.php"; depth:21; nocase; http.host; content:"77.105.132.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227415; rev:1;) alert tcp $HOME_NET any -> [47.95.213.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227414; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227413; rev:1;) alert tcp $HOME_NET any -> [101.43.30.194] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalrequestgeobaseflowertrack.php"; depth:37; nocase; http.host; content:"882584cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227411; rev:1;) alert tcp $HOME_NET any -> [38.180.60.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227410; rev:1;) alert tcp $HOME_NET any -> [141.255.151.226] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227409/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_03; classtype:trojan-activity; sid:91227409; rev:1;) alert tcp $HOME_NET any -> [196.77.31.193] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227408; rev:1;) alert tcp $HOME_NET any -> [142.154.17.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227407; rev:1;) alert tcp $HOME_NET any -> [24.46.78.214] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227406; rev:1;) alert tcp $HOME_NET any -> [41.96.91.45] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227405; rev:1;) alert tcp $HOME_NET any -> [34.245.141.209] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227404; rev:1;) alert tcp $HOME_NET any -> [172.232.36.73] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227403; rev:1;) alert tcp $HOME_NET any -> [159.223.92.16] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227402; rev:1;) alert tcp $HOME_NET any -> [35.173.234.124] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227401; rev:1;) alert tcp $HOME_NET any -> [213.183.56.95] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227400; rev:1;) alert tcp $HOME_NET any -> [20.38.38.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227399; rev:1;) alert tcp $HOME_NET any -> [192.169.6.122] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aybedosgaledsos.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227393; rev:1;) alert tcp $HOME_NET any -> [206.119.171.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227397/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227397; rev:1;) alert tcp $HOME_NET any -> [43.136.122.174] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227396/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227396; rev:1;) alert tcp $HOME_NET any -> [41.102.92.209] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227395/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227395; rev:1;) alert tcp $HOME_NET any -> [5.42.64.9] 37471 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227394; rev:1;) alert tcp $HOME_NET any -> [34.95.43.129] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227392/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227392; rev:1;) alert tcp $HOME_NET any -> [91.215.85.66] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227391; rev:1;) alert tcp $HOME_NET any -> [185.222.58.115] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227389; rev:1;) alert tcp $HOME_NET any -> [195.85.250.247] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227388/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227388; rev:1;) alert tcp $HOME_NET any -> [35.80.38.180] 8443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; 
classtype:trojan-activity; sid:91227387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"proekt8.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"mth.com.ua"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"gxutc2c.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227384; rev:1;) alert tcp $HOME_NET any -> [34.143.170.184] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227383; rev:1;) alert tcp $HOME_NET any -> [95.219.196.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227382/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227382; rev:1;) alert tcp $HOME_NET any -> [2.50.16.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227381; rev:1;) alert tcp $HOME_NET any -> [87.223.94.2] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227380; rev:1;) alert tcp $HOME_NET any -> [72.27.144.58] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227379; rev:1;) alert tcp $HOME_NET any -> [78.100.225.8] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227378; rev:1;) alert tcp $HOME_NET any -> [2.91.186.255] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227377; rev:1;) alert tcp $HOME_NET any -> [193.36.15.247] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227376; rev:1;) alert tcp $HOME_NET any -> [74.119.194.110] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227375; rev:1;) alert tcp $HOME_NET any -> [85.215.215.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227374; rev:1;) alert tcp $HOME_NET any -> [37.152.179.33] 2023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227373; rev:1;) alert tcp $HOME_NET any -> [38.47.180.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227372; rev:1;) alert tcp $HOME_NET any -> [93.123.85.19] 6281 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ready.apk"; depth:10; nocase; http.host; content:"91.92.244.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a101.apk"; depth:9; nocase; http.host; content:"91.92.244.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bahislion.apk"; depth:14; nocase; http.host; content:"91.92.244.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227269; rev:1;) alert tcp $HOME_NET any -> [91.92.244.19] 80 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"jennifergalvin.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1227286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"jennifergalvin.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getdata.php"; depth:12; nocase; http.host; content:"jesusanaya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"technologgies.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenshol.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simorten.com"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investmentgblog.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"protectionek.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jennifergalvin.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jesusanaya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227369; rev:1;) alert tcp $HOME_NET any -> [141.255.145.138] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227370; rev:1;) alert tcp $HOME_NET any -> [154.40.43.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199592921038"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcfuture"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227364; rev:1;) alert tcp $HOME_NET any -> [116.203.3.205] 2024 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.37.14.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2.94.223.87.dynamic.jazztel.es"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227354/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_02; classtype:trojan-activity; sid:91227354; rev:1;) alert tcp $HOME_NET any -> [105.102.20.203] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227353; rev:1;) alert tcp $HOME_NET any -> [67.131.57.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227352/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_02; classtype:trojan-activity; sid:91227352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.recruitment61.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conferencecenters.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.levellivingfield.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227350; rev:1;) alert tcp $HOME_NET any -> [3.126.219.65] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227348; rev:1;) alert tcp $HOME_NET any -> [3.126.219.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227347; rev:1;) alert tcp $HOME_NET any -> [20.67.252.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227346; rev:1;) alert tcp $HOME_NET any -> [52.152.137.179] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227345; rev:1;) alert tcp $HOME_NET any -> [13.71.92.195] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227344; rev:1;) alert tcp $HOME_NET any -> [191.104.13.54] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227343/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_02; classtype:trojan-activity; sid:91227343; rev:1;) alert tcp $HOME_NET any -> [146.190.145.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227342; rev:1;) alert tcp $HOME_NET any -> [52.47.125.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227341; rev:1;) alert tcp $HOME_NET any -> [35.156.172.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227340; rev:1;) alert tcp $HOME_NET any -> [195.201.128.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227339; rev:1;) alert tcp $HOME_NET any -> [16.16.55.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227338; rev:1;) alert tcp $HOME_NET any -> [157.245.108.186] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227337; rev:1;) alert tcp $HOME_NET any -> [104.193.111.41] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227336; rev:1;) alert tcp $HOME_NET any -> [116.62.4.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227335; rev:1;) alert tcp $HOME_NET any -> [14.225.8.224] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227333; rev:1;) alert tcp $HOME_NET any -> [14.225.8.224] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227334; rev:1;) alert tcp $HOME_NET any -> [192.227.146.253] 8080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; 
sid:91227332; rev:1;) alert tcp $HOME_NET any -> [3.235.217.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227331; rev:1;) alert tcp $HOME_NET any -> [37.114.37.86] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227330; rev:1;) alert tcp $HOME_NET any -> [139.84.172.20] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227329; rev:1;) alert tcp $HOME_NET any -> [185.216.117.91] 6666 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.authenticateoffice.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.authenticateoffice.com"; 
depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.activelifes.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227325; rev:1;) alert tcp $HOME_NET any -> [118.69.101.91] 38353 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227324; rev:1;) alert tcp $HOME_NET any -> [85.239.53.165] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227323; rev:1;) alert tcp $HOME_NET any -> [35.189.151.174] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conspiracynomad.fvds.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; 
classtype:trojan-activity; sid:91227321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.undiny.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undiny.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227318; rev:1;) alert tcp $HOME_NET any -> [149.28.73.166] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227317; rev:1;) alert tcp $HOME_NET any -> [173.249.46.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mail.137-184-80-125.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227314; rev:1;) alert tcp $HOME_NET any -> [159.89.8.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227315; rev:1;) alert tcp $HOME_NET any -> [47.95.197.160] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227313; rev:1;) alert tcp $HOME_NET any -> [185.81.157.160] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227312; rev:1;) alert tcp $HOME_NET any -> [135.125.27.218] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227310; rev:1;) alert tcp $HOME_NET any -> [23.225.40.139] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; 
classtype:trojan-activity; sid:91227311; rev:1;) alert tcp $HOME_NET any -> [34.29.228.84] 1998 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227309; rev:1;) alert tcp $HOME_NET any -> [192.3.1.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227308; rev:1;) alert tcp $HOME_NET any -> [110.40.139.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227307; rev:1;) alert tcp $HOME_NET any -> [45.67.34.151] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227306/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_02; classtype:trojan-activity; sid:91227306; rev:1;) alert tcp $HOME_NET any -> [121.196.214.125] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227305; rev:1;) alert tcp $HOME_NET any -> [43.155.146.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227304; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 10101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227303; rev:1;) alert tcp $HOME_NET any -> [107.175.206.29] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227302; rev:1;) alert tcp $HOME_NET any -> [148.135.4.219] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227301; rev:1;) alert tcp $HOME_NET any -> [142.171.26.166] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227300; rev:1;) alert tcp $HOME_NET any -> [49.235.118.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227299; rev:1;) alert tcp $HOME_NET 
any -> [121.43.43.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227298; rev:1;) alert tcp $HOME_NET any -> [107.173.198.230] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227296; rev:1;) alert tcp $HOME_NET any -> [106.54.209.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227297; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227295; rev:1;) alert tcp $HOME_NET any -> [47.110.253.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227294; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227292; rev:1;) alert tcp $HOME_NET any -> [42.192.7.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227293; rev:1;) alert tcp $HOME_NET any -> [172.111.218.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227291; rev:1;) alert tcp $HOME_NET any -> [43.128.108.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227290; rev:1;) alert tcp $HOME_NET any -> [47.113.227.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227289; rev:1;) alert tcp $HOME_NET any -> [171.5.177.161] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227285/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227285; rev:1;) alert tcp $HOME_NET any -> [47.90.247.182] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227284/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.180.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227280/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.123.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.232.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227277; rev:1;) alert tcp $HOME_NET any -> [116.202.180.148] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227276; rev:1;) alert tcp $HOME_NET any -> [65.109.242.109] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227274; rev:1;) alert tcp $HOME_NET any -> [116.203.3.205] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227275; rev:1;) alert tcp $HOME_NET any -> [142.132.232.235] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227272; rev:1;) alert tcp $HOME_NET any -> [116.203.123.207] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227273; rev:1;) alert tcp $HOME_NET any -> [5.75.215.64] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux0/line3processor/async3process/7bigload/uploads/generatorvideosql/flowerjavascriptprotonexternal/js9javascriptwp/tempsecurelinux/auth/1tempmariadb/1traffic/6/windows2windows/eternalvideocpuprocessasyncpublictempcdntemporary.php"; depth:233; nocase; 
http.host; content:"212.60.21.225"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227266; rev:1;) alert tcp $HOME_NET any -> [35.72.79.151] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nris-d.mqpslop.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227264; rev:1;) alert tcp $HOME_NET any -> [38.181.2.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227263; rev:1;) alert tcp $HOME_NET any -> [91.224.92.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227262/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227262; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 13352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; 
classtype:trojan-activity; sid:91227261; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 13352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227260; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227259/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227259; rev:1;) alert tcp $HOME_NET any -> [43.139.66.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227258; rev:1;) alert tcp $HOME_NET any -> [175.27.191.226] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227212; rev:1;) alert tcp $HOME_NET any -> [122.254.94.69] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227213; rev:1;) alert tcp $HOME_NET any -> [45.74.6.175] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227214; rev:1;) alert tcp $HOME_NET any -> [8.212.157.140] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227215; rev:1;) alert tcp $HOME_NET any -> [185.189.241.254] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227216; rev:1;) alert tcp $HOME_NET any -> [8.212.157.140] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227217; rev:1;) alert tcp $HOME_NET any -> [45.74.6.14] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227218; rev:1;) alert tcp $HOME_NET any -> [45.74.6.175] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227219; rev:1;) alert tcp $HOME_NET any -> [107.148.73.109] 443 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227220; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 8888 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227221; rev:1;) alert tcp $HOME_NET any -> [8.130.26.42] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227223; rev:1;) alert tcp $HOME_NET any -> [8.130.26.42] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227222; rev:1;) alert tcp $HOME_NET any -> [141.98.212.38] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227224; rev:1;) alert tcp $HOME_NET any -> [107.148.73.109] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; 
classtype:trojan-activity; sid:91227226; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227225; rev:1;) alert tcp $HOME_NET any -> [141.98.212.38] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227227; rev:1;) alert tcp $HOME_NET any -> [143.92.60.54] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227228; rev:1;) alert tcp $HOME_NET any -> [185.189.241.209] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227229; rev:1;) alert tcp $HOME_NET any -> [52.128.229.101] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227230; rev:1;) alert tcp $HOME_NET any -> [34.92.30.54] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1227231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227231; rev:1;) alert tcp $HOME_NET any -> [20.6.82.79] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227232; rev:1;) alert tcp $HOME_NET any -> [194.246.114.4] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227233; rev:1;) alert tcp $HOME_NET any -> [52.128.229.102] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227235; rev:1;) alert tcp $HOME_NET any -> [35.77.99.82] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227234; rev:1;) alert tcp $HOME_NET any -> [194.246.114.4] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227236; rev:1;) alert tcp $HOME_NET any -> [156.59.168.116] 443 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227237; rev:1;) alert tcp $HOME_NET any -> [156.59.168.116] 1688 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227238; rev:1;) alert tcp $HOME_NET any -> [43.135.1.200] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227239; rev:1;) alert tcp $HOME_NET any -> [34.96.231.241] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227240; rev:1;) alert tcp $HOME_NET any -> [52.128.229.99] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227241; rev:1;) alert tcp $HOME_NET any -> [52.128.229.98] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227242/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_02; classtype:trojan-activity; sid:91227242; rev:1;) alert tcp $HOME_NET any -> [34.81.45.231] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227243; rev:1;) alert tcp $HOME_NET any -> [34.96.231.241] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227244; rev:1;) alert tcp $HOME_NET any -> [52.128.229.102] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227245; rev:1;) alert tcp $HOME_NET any -> [103.86.45.200] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227246; rev:1;) alert tcp $HOME_NET any -> [103.86.45.200] 2096 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227247; rev:1;) alert tcp $HOME_NET any -> [156.255.3.7] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1227248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227248; rev:1;) alert tcp $HOME_NET any -> [149.28.136.218] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227249; rev:1;) alert tcp $HOME_NET any -> [107.148.45.172] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227250; rev:1;) alert tcp $HOME_NET any -> [43.132.173.7] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227210; rev:1;) alert tcp $HOME_NET any -> [110.173.53.162] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227211; rev:1;) alert tcp $HOME_NET any -> [52.128.229.100] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227207; rev:1;) alert tcp $HOME_NET any -> [194.246.114.4] 443 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227209; rev:1;) alert tcp $HOME_NET any -> [110.173.53.162] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227206; rev:1;) alert tcp $HOME_NET any -> [45.117.102.174] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227208; rev:1;) alert tcp $HOME_NET any -> [185.189.241.254] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227204; rev:1;) alert tcp $HOME_NET any -> [8.130.26.42] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227203; rev:1;) alert tcp $HOME_NET any -> [185.189.241.209] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227205/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_02; classtype:trojan-activity; sid:91227205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227141; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"83.97.73.246"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227143/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227144/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227145/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies9.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227146/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies9.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227148/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies9.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227147/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies10.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227149/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; 
content:"hppynweyreadaddies10.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227150/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reviveincapablewew.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mountainlegislaturel.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"solomaddomededsosfed.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haklolgelemezdodses.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227196/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_02; classtype:trojan-activity; sid:91227196; rev:1;) alert tcp $HOME_NET any -> [141.98.10.19] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227199/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227199; rev:1;) alert tcp $HOME_NET any -> [91.92.249.101] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.bydgoszcz.pl"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227200/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"62.233.50.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"insertrichdedicatewa.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227136/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"thinkforce.com.br"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1227131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.145.55.141"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1227132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227132; rev:1;) alert tcp $HOME_NET any -> [138.207.139.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227257; rev:1;) alert tcp $HOME_NET any -> [78.19.226.168] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227256; rev:1;) alert tcp $HOME_NET any -> [79.131.126.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227255; rev:1;) alert tcp $HOME_NET any -> [141.164.133.197] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227254; rev:1;) alert tcp $HOME_NET any -> [109.152.118.186] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227253; rev:1;) alert tcp $HOME_NET any -> [146.198.234.107] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227252; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 13328 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaleternalsecureauthgameapilinuxasynctest.php"; depth:51; nocase; http.host; content:"718146m.dccrk.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/icrm/gate.php"; depth:14; nocase; http.host; content:"mnpupdate.sytes.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227201; rev:1;) alert tcp $HOME_NET any -> [185.206.184.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227198/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227198; rev:1;) alert tcp $HOME_NET any -> [101.201.209.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227197/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us.notfound.my.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffvpn.vip"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toblo3.balad.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ffvpn.vip"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"163.227.29.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.shuxh888.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1319551.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.duckfoundation.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; 
classtype:trojan-activity; sid:91227187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canna-oil.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.handsofgodfoundation.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227185; rev:1;) alert tcp $HOME_NET any -> [13.229.69.42] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227184; rev:1;) alert tcp $HOME_NET any -> [20.195.227.175] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227183; rev:1;) alert tcp $HOME_NET any -> [15.161.202.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227182; rev:1;) alert tcp $HOME_NET any -> [35.156.172.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227181; rev:1;)
# The next three entries are brand-lookalike subdomains (facebook/google) under the
# single registrable domain secureapp.tools. Each rule is an exact match on the full
# query name (depth + isdataat:!1,relative), so other hostnames under secureapp.tools
# are not covered by these sids; a parent-domain match would be broader, at the cost
# of more false positives - decide per environment.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.facebook.secureapp.tools"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notifications.google.secureapp.tools"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaccount.google.secureapp.tools"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bumbiz.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227177; rev:1;)
alert tcp $HOME_NET any -> [194.15.36.31] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227176; rev:1;) alert tcp $HOME_NET any -> [20.106.201.109] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-an-clk.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227174; rev:1;) alert tcp $HOME_NET any -> [91.107.127.226] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227173; rev:1;) alert tcp $HOME_NET any -> [139.162.33.94] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227172; rev:1;) alert tcp $HOME_NET any -> [185.81.157.154] 2302 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227171; rev:1;) alert tcp $HOME_NET any -> [23.26.147.185] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227170; rev:1;) alert tcp $HOME_NET any -> [103.87.10.185] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynzxck.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227168; rev:1;) alert tcp $HOME_NET any -> [38.181.2.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227167; rev:1;) alert tcp $HOME_NET any -> [195.20.16.173] 7323 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227166; rev:1;) alert tcp $HOME_NET any -> [47.97.1.177] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227165/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_01_01; classtype:trojan-activity; sid:91227165; rev:1;)
# The http.uri checks below are prefix matches: depth equals the literal length, but
# there is no isdataat:!1,relative on the uri buffer, so "/ca" also matches "/cart",
# "/callback", etc. Short generic paths ("/load", "/match", "/ca") carry little signal on
# their own; the exact http.host match is what makes these rules specific, so treat
# host + path together as the indicator when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.223.6.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"198.44.166.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"local.navybd-gov.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227158; rev:1;) alert tcp $HOME_NET any -> [188.166.39.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"local.navybd-gov.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"148.135.67.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"116.205.161.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227155/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_01; classtype:trojan-activity; sid:91227155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.224.87"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"150.158.139.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227153; rev:1;) alert tcp $HOME_NET any -> [40.66.41.222] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91227135; rev:1;) alert tcp $HOME_NET any -> [41.98.238.116] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91227134; rev:1;) alert tcp $HOME_NET any -> [188.26.232.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; 
sid:91227133; rev:1;) alert tcp $HOME_NET any -> [213.238.176.154] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_01; classtype:trojan-activity; sid:91227130; rev:1;) alert tcp $HOME_NET any -> [212.60.21.144] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227129; rev:1;) alert tcp $HOME_NET any -> [23.26.77.14] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227100; rev:1;) alert tcp $HOME_NET any -> [157.254.237.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227101; rev:1;) alert tcp $HOME_NET any -> [163.5.169.209] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227103; rev:1;) alert tcp $HOME_NET any -> [23.26.77.112] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227104; rev:1;)
alert tcp $HOME_NET any -> [157.254.237.150] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227105; rev:1;)
# NOTE(review): sids 91227120 and 91227121 place a hostname in the http.uri buffer and
# carry no http.host check. For ordinary origin-form requests http.uri holds only the
# path, so these will not fire on normal traffic to those hosts; the other url rules in
# this feed anchor the host via `http.host; content:"..."; depth:N; isdataat:!1,relative;`.
# Looks like the source IoC was a URL with no path - confirm on the referenced ThreatFox
# entry before counting on these sids. The ip:port rules for the same hosts
# (e.g. sid 91227104 for 23.26.77.112, sid 91227093 for 23.26.77.100) are the fallback.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23-26-77-112.acedatacenter.com"; depth:30; nocase; reference:url, threatfox.abuse.ch/ioc/1227120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23-26-77-100.acedatacenter.com"; depth:30; nocase; reference:url, threatfox.abuse.ch/ioc/1227121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227121; rev:1;)
alert tcp $HOME_NET any -> [23.26.76.78] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227122; rev:1;)
alert tcp $HOME_NET any -> [23.26.77.16] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227123/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_01; classtype:trojan-activity; sid:91227123; rev:1;) alert tcp $HOME_NET any -> [51.81.161.6] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227124; rev:1;) alert tcp $HOME_NET any -> [83.147.55.55] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227125; rev:1;) alert tcp $HOME_NET any -> [205.234.181.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227126; rev:1;) alert tcp $HOME_NET any -> [205.234.181.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227127; rev:1;) alert tcp $HOME_NET any -> [23.26.76.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227102; rev:1;) alert tcp $HOME_NET any -> [205.234.181.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227128; rev:1;) alert tcp $HOME_NET any -> [23.26.77.145] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227099; rev:1;) alert tcp $HOME_NET any -> [205.234.181.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227097; rev:1;) alert tcp $HOME_NET any -> [157.254.236.160] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227098; rev:1;) alert tcp $HOME_NET any -> [157.254.165.254] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227096; rev:1;) alert tcp $HOME_NET any -> [83.147.55.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; 
classtype:trojan-activity; sid:91227095; rev:1;) alert tcp $HOME_NET any -> [157.254.237.94] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227094; rev:1;) alert tcp $HOME_NET any -> [5.249.163.45] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227091; rev:1;) alert tcp $HOME_NET any -> [78.178.154.228] 3003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227092; rev:1;) alert tcp $HOME_NET any -> [23.26.77.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227093; rev:1;) alert tcp $HOME_NET any -> [185.81.157.218] 1010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227088; rev:1;) alert tcp $HOME_NET any -> [109.230.238.165] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227089; rev:1;) alert tcp $HOME_NET any -> [185.16.38.41] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227090; rev:1;) alert tcp $HOME_NET any -> [181.214.240.179] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227086; rev:1;) alert tcp $HOME_NET any -> [27.64.172.13] 257 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227087; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 1002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227084; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227085; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 
9909 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227083; rev:1;)
# NOTE(review): the following rules come in pairs with identical detection logic under
# different sids / ThreatFox ids (91227066+91227067, 91227068+91227069, 91227071+91227072).
# Each matching request therefore raises two alerts. Harmless for coverage, but it doubles
# alert volume; if deduplicating locally, keep one sid per pair and retain both reference
# URLs in its metadata.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/annotate/project/48q040ijc"; depth:27; nocase; http.host; content:"septcntr.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/annotate/project/48q040ijc"; depth:27; nocase; http.host; content:"septcntr.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reactivate/robotics/6jmnbrxrqkfk"; depth:33; nocase; http.host; content:"conectmeto.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/v3.56/nj4pfeosigf"; depth:23; nocase; http.host; content:"lindacolor.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/v3.56/nj4pfeosigf"; depth:23; nocase; http.host; content:"lindacolor.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227072; rev:1;)
# NOTE(review): sid 91227073 matches a hostname in http.uri with no http.host check
# (same shape as sids 91227120/91227121); for origin-form requests http.uri holds only
# the path, so verify the intended indicator on the referenced ThreatFox entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.bisongdamall.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1227073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; 
classtype:trojan-activity; sid:91227073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"log.bisongdamall.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1227074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227074; rev:1;) alert tcp $HOME_NET any -> [193.34.212.163] 4545 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227076; rev:1;) alert tcp $HOME_NET any -> [91.92.244.15] 6969 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227079; rev:1;) alert tcp $HOME_NET any -> [46.8.52.208] 49160 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227080; rev:1;) alert tcp $HOME_NET any -> [5.78.108.0] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227081; rev:1;) alert tcp $HOME_NET any -> [172.233.153.107] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227075; rev:1;) alert tcp $HOME_NET any -> [143.198.228.15] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227078; rev:1;) alert tcp $HOME_NET any -> [172.233.153.107] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227059; rev:1;) alert tcp $HOME_NET any -> [193.34.212.163] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227060; rev:1;) alert tcp $HOME_NET any -> [45.235.49.52] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227061; rev:1;) alert tcp $HOME_NET any -> [43.248.140.96] 4520 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227062; rev:1;) alert 
tcp $HOME_NET any -> [91.92.241.198] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227063; rev:1;) alert tcp $HOME_NET any -> [172.105.87.78] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91227064; rev:1;) alert tcp $HOME_NET any -> [130.61.188.252] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91227065; rev:1;) alert tcp $HOME_NET any -> [78.180.246.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peninsula3.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mynd5.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227117; rev:1;) alert tcp $HOME_NET any -> [44.214.107.87] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227116; rev:1;) alert tcp $HOME_NET any -> [128.1.46.182] 6333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227115; rev:1;) alert tcp $HOME_NET any -> [52.39.30.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227114; rev:1;) alert tcp $HOME_NET any -> [20.201.119.163] 1026 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202002114563109588.megasrv.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227112; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movil-bancsabadell.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227110; rev:1;) alert tcp $HOME_NET any -> [69.197.142.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227109; rev:1;) alert tcp $HOME_NET any -> [87.121.87.101] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227108; rev:1;) alert tcp $HOME_NET any -> [87.121.87.92] 6699 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227107; rev:1;) alert tcp $HOME_NET any -> [111.67.194.181] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227106; rev:1;) alert tcp $HOME_NET any -> [147.189.169.67] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.71.205.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227058; rev:1;) alert tcp $HOME_NET any -> [103.61.225.186] 80 (msg:"ThreatFox Scarab Ransomware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227054; rev:1;) alert tcp $HOME_NET any -> [154.61.74.33] 80 (msg:"ThreatFox Scarab Ransomware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227053; rev:1;) alert tcp $HOME_NET any -> [24.144.120.189] 80 (msg:"ThreatFox Scarab Ransomware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227055/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_01_01; classtype:trojan-activity; sid:91227055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"us.notfound.my.id"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1227056/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227056; rev:1;) alert tcp $HOME_NET any -> [105.102.47.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227057; rev:1;) alert tcp $HOME_NET any -> [129.226.148.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/chrmeziiia.exe"; depth:25; nocase; http.host; content:"dsoi.info"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226819; rev:1;) alert tcp $HOME_NET any -> [14.224.174.212] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226911; rev:1;) alert tcp 
$HOME_NET any -> [139.144.79.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226912; rev:1;) alert tcp $HOME_NET any -> [103.99.186.113] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226908; rev:1;) alert tcp $HOME_NET any -> [221.194.78.221] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226909; rev:1;) alert tcp $HOME_NET any -> [121.41.5.68] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226910; rev:1;) alert tcp $HOME_NET any -> [103.71.154.48] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226904/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226904; rev:1;) alert tcp $HOME_NET any -> [143.92.61.243] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226906/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226906; rev:1;) alert tcp $HOME_NET any -> [91.92.252.64] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226907; rev:1;) alert tcp $HOME_NET any -> [51.20.164.68] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226905; rev:1;) alert tcp $HOME_NET any -> [37.220.121.42] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226901; rev:1;) alert tcp $HOME_NET any -> [222.253.182.185] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226902/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226902; rev:1;) alert tcp $HOME_NET any -> [107.150.23.151] 31337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226903/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226903; rev:1;) alert tcp $HOME_NET any -> [91.92.246.130] 3333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226900/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226900; rev:1;) alert tcp $HOME_NET any -> [194.26.135.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226913; rev:1;) alert tcp $HOME_NET any -> [114.115.172.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226914; rev:1;) alert tcp $HOME_NET any -> [78.46.212.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226915; rev:1;) alert tcp $HOME_NET any -> [3.138.131.175] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226916; rev:1;) alert tcp $HOME_NET any -> [45.76.110.190] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226917; rev:1;) alert tcp 
$HOME_NET any -> [54.39.132.191] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226899/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226899; rev:1;) alert tcp $HOME_NET any -> [94.131.101.86] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226897/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226897; rev:1;) alert tcp $HOME_NET any -> [104.218.54.245] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226898/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226898; rev:1;) alert tcp $HOME_NET any -> [77.91.122.22] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226896/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226896; rev:1;) alert tcp $HOME_NET any -> [45.141.27.187] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226895/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226895; rev:1;) alert tcp $HOME_NET any -> [51.81.170.216] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226894/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226894; rev:1;) alert tcp $HOME_NET any -> [82.64.82.74] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226893; rev:1;) alert tcp $HOME_NET any -> [185.209.22.155] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226891; rev:1;) alert tcp $HOME_NET any -> [51.81.105.237] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226892; rev:1;) alert tcp $HOME_NET any -> [51.178.91.192] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226888/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226888; rev:1;) alert tcp $HOME_NET any -> [3.236.102.180] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226889; rev:1;) alert tcp $HOME_NET any -> [192.36.57.216] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226890; rev:1;) alert tcp $HOME_NET any -> [80.232.245.48] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226886/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226886; rev:1;) alert tcp $HOME_NET any -> [65.20.67.1] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226887; rev:1;) alert tcp $HOME_NET any -> [181.215.229.195] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226868; rev:1;) alert tcp $HOME_NET any -> [91.92.252.152] 8084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226869; rev:1;) alert tcp $HOME_NET any -> [36.134.54.228] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226870/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226870; 
rev:1;) alert tcp $HOME_NET any -> [217.122.155.51] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226871/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226871; rev:1;) alert tcp $HOME_NET any -> [1.117.42.60] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226872; rev:1;) alert tcp $HOME_NET any -> [211.62.168.220] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226873/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226873; rev:1;) alert tcp $HOME_NET any -> [121.4.103.222] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226874/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226874; rev:1;) alert tcp $HOME_NET any -> [116.97.240.228] 9981 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226875; rev:1;) alert tcp $HOME_NET any -> [50.60.8.72] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226876; rev:1;) alert tcp $HOME_NET any -> [13.127.185.18] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226878/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226878; rev:1;) alert tcp $HOME_NET any -> [45.77.3.60] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226877; rev:1;) alert tcp $HOME_NET any -> [94.156.66.76] 6969 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226879/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226879; rev:1;) alert tcp $HOME_NET any -> [143.92.61.248] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226880/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226880; rev:1;) alert tcp $HOME_NET any -> [61.136.187.248] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226881; rev:1;) alert tcp $HOME_NET any -> [191.82.201.157] 2000 (msg:"ThreatFox Quasar RAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226882/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226882; rev:1;) alert tcp $HOME_NET any -> [43.136.181.103] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226883; rev:1;) alert tcp $HOME_NET any -> [143.92.61.241] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226884/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226884; rev:1;) alert tcp $HOME_NET any -> [37.59.174.109] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226885; rev:1;) alert tcp $HOME_NET any -> [85.215.230.244] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226866; rev:1;) alert tcp $HOME_NET any -> [47.99.65.37] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226867/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; 
classtype:trojan-activity; sid:91226867; rev:1;) alert tcp $HOME_NET any -> [218.200.147.248] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226863/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226863; rev:1;) alert tcp $HOME_NET any -> [8.212.132.182] 5001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226864/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226864; rev:1;) alert tcp $HOME_NET any -> [47.99.65.37] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226865/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226865; rev:1;) alert tcp $HOME_NET any -> [188.52.168.200] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226860/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226860; rev:1;) alert tcp $HOME_NET any -> [74.234.34.236] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226861; rev:1;) alert tcp $HOME_NET any -> [195.3.220.71] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1226862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226862; rev:1;) alert tcp $HOME_NET any -> [20.120.176.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226940; rev:1;) alert tcp $HOME_NET any -> [163.172.232.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226938; rev:1;) alert tcp $HOME_NET any -> [34.28.126.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226939; rev:1;) alert tcp $HOME_NET any -> [91.92.244.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226935; rev:1;) alert tcp $HOME_NET any -> [43.138.222.204] 3133 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226936; rev:1;) alert tcp $HOME_NET any -> [140.246.157.86] 31337 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226937; rev:1;) alert tcp $HOME_NET any -> [94.198.53.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226933; rev:1;) alert tcp $HOME_NET any -> [207.148.78.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226934; rev:1;) alert tcp $HOME_NET any -> [172.245.9.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226929; rev:1;) alert tcp $HOME_NET any -> [103.143.40.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226932; rev:1;) alert tcp $HOME_NET any -> [80.66.79.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; 
sid:91226930; rev:1;) alert tcp $HOME_NET any -> [45.155.249.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226931; rev:1;) alert tcp $HOME_NET any -> [47.122.10.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226928; rev:1;) alert tcp $HOME_NET any -> [124.156.173.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226926; rev:1;) alert tcp $HOME_NET any -> [119.91.210.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226927; rev:1;) alert tcp $HOME_NET any -> [185.78.76.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226924; rev:1;) alert tcp $HOME_NET any -> [139.180.203.46] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226925; rev:1;) alert tcp $HOME_NET any -> [101.35.197.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226922; rev:1;) alert tcp $HOME_NET any -> [134.175.125.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226923; rev:1;) alert tcp $HOME_NET any -> [64.227.24.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226920; rev:1;) alert tcp $HOME_NET any -> [192.52.166.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226921; rev:1;) alert tcp $HOME_NET any -> [103.253.43.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226918; rev:1;) alert tcp $HOME_NET any -> [80.78.22.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226919; rev:1;) alert tcp $HOME_NET any -> [118.195.245.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226941; rev:1;) alert tcp $HOME_NET any -> [188.166.69.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226942; rev:1;) alert tcp $HOME_NET any -> [37.156.216.76] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226943/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226943; rev:1;) alert tcp $HOME_NET any -> [101.43.12.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226944; rev:1;) alert tcp $HOME_NET any -> [198.12.121.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; 
sid:91226945; rev:1;) alert tcp $HOME_NET any -> [47.242.66.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226947; rev:1;) alert tcp $HOME_NET any -> [52.91.148.84] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226946/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226946; rev:1;) alert tcp $HOME_NET any -> [192.71.26.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226948; rev:1;) alert tcp $HOME_NET any -> [20.9.130.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226949; rev:1;) alert tcp $HOME_NET any -> [94.241.142.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226950/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226950; rev:1;) alert tcp $HOME_NET any -> [95.182.121.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226951; rev:1;) alert tcp $HOME_NET any -> [148.113.182.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226952; rev:1;) alert tcp $HOME_NET any -> [92.38.241.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226953; rev:1;) alert tcp $HOME_NET any -> [107.172.143.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226954; rev:1;) alert tcp $HOME_NET any -> [13.48.105.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226955; rev:1;) alert tcp $HOME_NET any -> [210.16.65.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226956/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226956; rev:1;) alert tcp $HOME_NET any -> [193.36.119.250] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226957; rev:1;) alert tcp $HOME_NET any -> [167.172.2.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226958/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226958; rev:1;) alert tcp $HOME_NET any -> [5.230.68.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226959/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226959; rev:1;) alert tcp $HOME_NET any -> [203.25.119.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226960/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226960; rev:1;) alert tcp $HOME_NET any -> [104.248.80.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226961/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226961; rev:1;) alert tcp $HOME_NET any -> [159.223.234.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; 
sid:91226962; rev:1;) alert tcp $HOME_NET any -> [91.212.166.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226963; rev:1;) alert tcp $HOME_NET any -> [159.89.96.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226964; rev:1;) alert tcp $HOME_NET any -> [109.94.176.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226965/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226965; rev:1;) alert tcp $HOME_NET any -> [193.142.58.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226966/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226966; rev:1;) alert tcp $HOME_NET any -> [38.132.122.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226967/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226967; rev:1;) alert tcp $HOME_NET any -> [18.234.231.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226968/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226968; rev:1;) alert tcp $HOME_NET any -> [146.70.106.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226969/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226969; rev:1;) alert tcp $HOME_NET any -> [157.245.205.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226970/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226970; rev:1;) alert tcp $HOME_NET any -> [167.99.16.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226971/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226971; rev:1;) alert tcp $HOME_NET any -> [81.68.198.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226972/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226972; rev:1;) alert tcp $HOME_NET any -> [185.172.128.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226973/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226973; rev:1;) alert tcp $HOME_NET any -> [109.234.35.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226974/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226974; rev:1;) alert tcp $HOME_NET any -> [49.12.7.88] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226975/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226975; rev:1;) alert tcp $HOME_NET any -> [20.9.129.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226976; rev:1;) alert tcp $HOME_NET any -> [107.174.180.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226977; rev:1;) alert tcp $HOME_NET any -> [18.217.25.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226978; rev:1;) alert tcp $HOME_NET any -> [4.196.229.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226979; 
rev:1;) alert tcp $HOME_NET any -> [129.146.41.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226981; rev:1;) alert tcp $HOME_NET any -> [20.121.62.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226980/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226980; rev:1;) alert tcp $HOME_NET any -> [188.120.229.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226982; rev:1;) alert tcp $HOME_NET any -> [107.172.218.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226983; rev:1;) alert tcp $HOME_NET any -> [23.94.3.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226984/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226984; rev:1;) alert tcp $HOME_NET any -> [144.202.125.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226985/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226985; rev:1;) alert tcp $HOME_NET any -> [94.102.215.183] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226986; rev:1;) alert tcp $HOME_NET any -> [47.109.57.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226987; rev:1;) alert tcp $HOME_NET any -> [20.211.145.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226988; rev:1;) alert tcp $HOME_NET any -> [194.233.165.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226989; rev:1;) alert tcp $HOME_NET any -> [47.245.93.141] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226990; rev:1;) alert tcp $HOME_NET any -> [134.122.80.175] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226991; rev:1;) alert tcp $HOME_NET any -> [49.12.211.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226992; rev:1;) alert tcp $HOME_NET any -> [172.234.49.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226993; rev:1;) alert tcp $HOME_NET any -> [144.126.192.123] 8087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226994; rev:1;) alert tcp $HOME_NET any -> [185.130.44.125] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226995; rev:1;) alert tcp $HOME_NET any -> [188.166.125.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226996/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226996; rev:1;) alert tcp $HOME_NET 
any -> [89.116.72.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226997; rev:1;) alert tcp $HOME_NET any -> [38.147.172.79] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226998/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226998; rev:1;) alert tcp $HOME_NET any -> [149.102.252.161] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91226999; rev:1;) alert tcp $HOME_NET any -> [15.235.155.147] 22122 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227000/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227000; rev:1;) alert tcp $HOME_NET any -> [5.75.155.39] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227001; rev:1;) alert tcp $HOME_NET any -> [77.83.246.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227002/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227002; rev:1;) alert tcp $HOME_NET any -> [170.187.190.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227003; rev:1;) alert tcp $HOME_NET any -> [217.195.153.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227004; rev:1;) alert tcp $HOME_NET any -> [62.109.22.162] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227005; rev:1;) alert tcp $HOME_NET any -> [107.173.148.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227006; rev:1;) alert tcp $HOME_NET any -> [88.80.148.57] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227007; rev:1;) alert tcp $HOME_NET any -> [13.215.191.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227008; rev:1;) alert tcp $HOME_NET any -> [159.65.236.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227009; rev:1;) alert tcp $HOME_NET any -> [18.183.203.131] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227010; rev:1;) alert tcp $HOME_NET any -> [46.29.166.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227011; rev:1;) alert tcp $HOME_NET any -> [167.99.62.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227012; rev:1;) alert tcp $HOME_NET any -> [38.180.17.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227013; rev:1;) alert tcp $HOME_NET any -> [43.154.25.56] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227014; rev:1;) alert tcp $HOME_NET any -> [104.245.107.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227015; rev:1;) alert tcp $HOME_NET any -> [66.42.61.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227016; rev:1;) alert tcp $HOME_NET any -> [198.244.174.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227017; rev:1;) alert tcp $HOME_NET any -> [46.101.140.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227018; rev:1;) alert tcp $HOME_NET any -> [121.127.33.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227019/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_01_01; classtype:trojan-activity; sid:91227019; rev:1;) alert tcp $HOME_NET any -> [107.189.2.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227020/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227020; rev:1;) alert tcp $HOME_NET any -> [148.135.119.4] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227021/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227021; rev:1;) alert tcp $HOME_NET any -> [128.140.75.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227022; rev:1;) alert tcp $HOME_NET any -> [212.98.224.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227023; rev:1;) alert tcp $HOME_NET any -> [54.175.17.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227024; rev:1;) alert tcp $HOME_NET any -> [65.109.141.212] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227025/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227025; rev:1;) alert tcp $HOME_NET any -> [54.149.39.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_01; classtype:trojan-activity; sid:91227026; rev:1;) alert tcp $HOME_NET any -> [109.107.182.6] 28042 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227052; rev:1;) alert tcp $HOME_NET any -> [166.0.244.185] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227051; rev:1;) alert tcp $HOME_NET any -> [198.27.125.124] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227050; rev:1;) alert tcp $HOME_NET any -> [191.104.13.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227049; rev:1;) alert tcp $HOME_NET any -> [50.16.9.145] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227048; rev:1;) alert tcp $HOME_NET any -> [170.64.196.251] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227047; rev:1;) alert tcp $HOME_NET any -> [123.60.223.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227046; rev:1;) alert tcp $HOME_NET any -> [120.46.70.223] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rico.gradingran.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227044; rev:1;) alert tcp $HOME_NET any -> [91.229.76.199] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227043; rev:1;) alert tcp $HOME_NET any -> [172.233.153.107] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-188-15-165.eu-west-3.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaaaaa.linx.contact"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227039; rev:1;) alert tcp $HOME_NET any -> [130.51.21.247] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; 
sid:91227038; rev:1;) alert tcp $HOME_NET any -> [20.11.200.213] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227037; rev:1;) alert tcp $HOME_NET any -> [91.107.127.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227036; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227035; rev:1;) alert tcp $HOME_NET any -> [31.220.103.103] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227034; rev:1;) alert tcp $HOME_NET any -> [135.125.27.218] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227033; rev:1;) alert tcp $HOME_NET any -> [87.121.87.195] 6699 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227032; rev:1;) alert tcp $HOME_NET any -> [1.14.206.144] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227031; rev:1;) alert tcp $HOME_NET any -> [8.130.96.218] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227030; rev:1;) alert tcp $HOME_NET any -> [43.139.74.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"38.6.188.39.shuyingbaofu.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jcalli.cyberlnerv.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91227027; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpu/flower7/cdnrequest_downloads/geo/datalife7packetuploads/packet4linuxexternal/datalifepipedefault/1windowsto/process/universalprivatehttp/eternalvideosecureflowerpublic.php"; depth:176; nocase; http.host; content:"37.220.86.148"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cw27296.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226858; rev:1;) alert tcp $HOME_NET any -> [102.113.211.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91226857; rev:1;) alert tcp $HOME_NET any -> [75.130.194.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91226856; rev:1;) alert tcp $HOME_NET any -> [151.64.219.23] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91226855; rev:1;) alert tcp $HOME_NET any -> [41.99.143.53] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91226854; rev:1;) alert tcp $HOME_NET any -> [201.124.131.54] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91226853; rev:1;) alert tcp $HOME_NET any -> [34.241.215.169] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_01; classtype:trojan-activity; sid:91226852; rev:1;) alert tcp $HOME_NET any -> [42.190.109.178] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_01; classtype:trojan-activity; sid:91226851; rev:1;) alert tcp $HOME_NET any -> [94.98.244.216] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_01; classtype:trojan-activity; sid:91226850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"wefwe23f2m.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226849; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 12064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226848; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 12064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226847; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 12064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_01; classtype:trojan-activity; sid:91226846; rev:1;) alert tcp $HOME_NET any -> [5.75.214.47] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226845; rev:1;) alert tcp $HOME_NET any -> [62.1.238.73] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.4280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.babyeona.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736626.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736627.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trkkpxjzglxoqtrk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; 
sid:91226805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slqypioqnivnxmyl.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgxxfucdlxpzkvtk.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226804; rev:1;) alert tcp $HOME_NET any -> [149.28.132.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226802; rev:1;) alert tcp $HOME_NET any -> [3.66.183.194] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226801; rev:1;) alert tcp $HOME_NET any -> [54.38.97.234] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226800; rev:1;) alert tcp $HOME_NET any -> [68.183.255.81] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226799; rev:1;) alert tcp $HOME_NET any -> [85.214.66.227] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226798; rev:1;) alert tcp $HOME_NET any -> [3.15.154.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226797; rev:1;) alert tcp $HOME_NET any -> [167.99.220.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226796; rev:1;) alert tcp $HOME_NET any -> [202.83.17.58] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226795; rev:1;) alert tcp $HOME_NET any -> [119.17.200.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; 
classtype:trojan-activity; sid:91226793; rev:1;) alert tcp $HOME_NET any -> [35.244.40.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226792; rev:1;) alert tcp $HOME_NET any -> [13.247.35.221] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226791; rev:1;) alert tcp $HOME_NET any -> [45.76.118.77] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226790; rev:1;) alert tcp $HOME_NET any -> [85.215.123.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226789; rev:1;) alert tcp $HOME_NET any -> [34.22.96.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226788; rev:1;) alert tcp $HOME_NET any -> [44.209.113.188] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226787; rev:1;) alert tcp $HOME_NET any -> [45.77.173.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226786; rev:1;) alert tcp $HOME_NET any -> [121.196.200.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226785; rev:1;) alert tcp $HOME_NET any -> [177.67.71.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226784; rev:1;) alert tcp $HOME_NET any -> [161.35.209.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226783; rev:1;) alert tcp $HOME_NET any -> [34.101.151.51] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; 
sid:91226782; rev:1;) alert tcp $HOME_NET any -> [52.23.170.126] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226781; rev:1;) alert tcp $HOME_NET any -> [18.229.138.192] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226780; rev:1;) alert tcp $HOME_NET any -> [52.14.131.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226779; rev:1;) alert tcp $HOME_NET any -> [44.195.218.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226778; rev:1;) alert tcp $HOME_NET any -> [117.72.45.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226777; rev:1;) alert tcp $HOME_NET any -> [98.159.100.118] 8080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1226776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226776; rev:1;) alert tcp $HOME_NET any -> [119.6.239.82] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-214-25-23.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-157-161-18.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-194-79-16.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-220-152-159.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1226771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226771; rev:1;) alert tcp $HOME_NET any -> [54.157.161.18] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226769; rev:1;) alert tcp $HOME_NET any -> [3.214.25.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226770; rev:1;) alert tcp $HOME_NET any -> [54.224.145.107] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226768; rev:1;) alert tcp $HOME_NET any -> [34.194.79.16] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226767; rev:1;) alert tcp $HOME_NET any -> [91.92.248.223] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226766; rev:1;) alert tcp $HOME_NET any -> [91.92.240.153] 5000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226765; rev:1;) alert tcp $HOME_NET any -> [91.92.240.152] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226764; rev:1;) alert tcp $HOME_NET any -> [154.244.157.117] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226763; rev:1;) alert tcp $HOME_NET any -> [39.44.128.21] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226762; rev:1;) alert tcp $HOME_NET any -> [54.255.204.248] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226761; rev:1;) alert tcp $HOME_NET any -> [176.107.190.41] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226760/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226760; rev:1;) alert tcp $HOME_NET any -> [176.107.190.41] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226759; rev:1;) alert tcp $HOME_NET any -> [185.181.10.240] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226757; rev:1;) alert tcp $HOME_NET any -> [20.188.113.132] 9099 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226758; rev:1;) alert tcp $HOME_NET any -> [176.107.190.42] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226756; rev:1;) alert tcp $HOME_NET any -> [176.107.190.44] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226755; rev:1;) alert tcp $HOME_NET any -> [176.107.190.44] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226754; rev:1;) alert tcp $HOME_NET any -> [103.42.30.19] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226753; rev:1;) alert tcp $HOME_NET any -> [20.201.112.166] 5522 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226752; rev:1;) alert tcp $HOME_NET any -> [51.79.196.122] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226751; rev:1;) alert tcp $HOME_NET any -> [90.255.118.25] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lastpass.passwordsecurity.cloud"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; 
classtype:trojan-activity; sid:91226748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-216-147-202.us-east-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226747; rev:1;) alert tcp $HOME_NET any -> [45.133.181.42] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.agdetails.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"db.harmlesskouprey-f4f67ad9.swizzle-test.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226744; rev:1;) alert tcp $HOME_NET any -> [146.190.144.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226743; rev:1;) alert tcp $HOME_NET any -> [91.107.125.247] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226742; rev:1;) alert tcp $HOME_NET any -> [102.37.219.190] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226741; rev:1;) alert tcp $HOME_NET any -> [65.21.87.123] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226740; rev:1;) alert tcp $HOME_NET any -> [212.224.93.252] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226739; rev:1;) alert tcp $HOME_NET any -> [38.54.94.129] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226737; rev:1;) alert tcp $HOME_NET any -> [91.92.249.6] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; 
classtype:trojan-activity; sid:91226738; rev:1;) alert tcp $HOME_NET any -> [167.172.97.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226736; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226735; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226734; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226733; rev:1;) alert tcp $HOME_NET any -> [47.95.197.160] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226732; rev:1;) alert tcp $HOME_NET any -> [31.220.103.103] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1226731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226731; rev:1;) alert tcp $HOME_NET any -> [46.1.103.124] 9876 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226729; rev:1;) alert tcp $HOME_NET any -> [34.71.108.66] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226730; rev:1;) alert tcp $HOME_NET any -> [88.201.16.151] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226728; rev:1;) alert tcp $HOME_NET any -> [135.125.27.218] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226727; rev:1;) alert tcp $HOME_NET any -> [185.22.155.92] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226726/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_31; classtype:trojan-activity; sid:91226726; rev:1;) alert tcp $HOME_NET any -> [173.255.226.84] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226725/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_31; classtype:trojan-activity; sid:91226725; rev:1;) alert tcp $HOME_NET any -> [106.14.83.3] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226724; rev:1;) alert tcp $HOME_NET any -> [172.245.88.133] 4430 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226723; rev:1;) alert tcp $HOME_NET any -> [194.135.104.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226722; rev:1;) alert tcp $HOME_NET any -> [123.14.151.193] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226721; rev:1;) alert tcp $HOME_NET any -> [47.108.89.235] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226720/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226720; rev:1;) alert tcp $HOME_NET any -> [198.44.173.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226719; rev:1;) alert tcp $HOME_NET any -> [91.92.254.115] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226718; rev:1;) alert tcp $HOME_NET any -> [8.142.24.92] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226717; rev:1;) alert tcp $HOME_NET any -> [43.139.118.172] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226716; rev:1;) alert tcp $HOME_NET any -> [121.199.166.71] 64443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226715; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28103 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226714; rev:1;) alert tcp $HOME_NET any -> [172.203.216.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226713; rev:1;) alert tcp $HOME_NET any -> [45.155.249.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/v3.56/nj4pfeosigf"; depth:23; nocase; http.host; content:"lindacolor.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226711; rev:1;) alert tcp $HOME_NET any -> [38.181.2.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; 
nocase; http.host; content:"38.181.2.11"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.246.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipejs_updatebasetesttrack.php"; depth:31; nocase; http.host; content:"890113cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temporary5/request/packetlongpollpoll/providerexternal/cdnbigloadwordpress/protonupdatedbvideo/7testpipe/0/poll/protect/6central3bigload/downloads5/0imageexternalasync/multidatalifesql/uploads5/processor7processor/pythonbigloadlinux.php"; depth:237; nocase; http.host; content:"89.104.66.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226706; rev:1;) alert tcp $HOME_NET any -> [18.218.207.82] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226705/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226705; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 48303 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226704/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226704; rev:1;) alert tcp $HOME_NET any -> [2.6.65.183] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226703/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226703; rev:1;) alert tcp $HOME_NET any -> [41.99.251.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226702/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226702; rev:1;) alert tcp $HOME_NET any -> [190.134.40.100] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226701/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226701; rev:1;) alert tcp $HOME_NET any -> [54.77.46.252] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226700/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226700; rev:1;) alert tcp $HOME_NET any -> [3.254.151.76] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226699/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226699; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14776 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226697; rev:1;) alert tcp $HOME_NET any -> [15.235.3.1] 2001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226696/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_31; classtype:trojan-activity; sid:91226696; rev:1;) alert tcp $HOME_NET any -> [13.112.86.223] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226695/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ebooks.ferrelljoe.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"45.155.249.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vdsvsdvsdfgsd.xyz"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1226677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"recrutamento7.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1226678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.jquerycodes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.jscriptstore.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226680; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vpn637782190.softether.net"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1226681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"shuyingbaofu.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1226682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pop3.shuyingbaofu.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1226683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cqvip888.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"smtp.shuyingbaofu.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1226685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226685; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"imap.shuyingbaofu.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1226684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.missingu.space"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1226687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.helpcats.net"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1226688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.lx17.love"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1226689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.14.66.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; 
sid:91226690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.46.132.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226692; rev:1;) alert tcp $HOME_NET any -> [150.158.139.244] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226676/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"192.3.255.42"; depth:12; nocase; reference:url, 
threatfox.abuse.ch/ioc/1226645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.71.165.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"35.240.254.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"43.138.72.70"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"124.71.165.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.71.165.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"47.242.203.102"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"43.138.72.70"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226636; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"91.92.254.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8.212.44.149"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"81.69.221.247"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1226633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"91.92.254.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8.212.49.116"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226631/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"152.70.80.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226624; rev:1;) alert tcp $HOME_NET any -> [91.92.254.115] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.115"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1226626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226626; rev:1;) alert tcp $HOME_NET any -> [152.70.80.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"152.70.80.120"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1226622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; 
classtype:trojan-activity; sid:91226622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"152.70.80.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"149.88.75.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"149.88.75.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226619; rev:1;) alert tcp $HOME_NET any -> [149.88.75.218] 8077 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"192.3.255.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"101.43.165.220"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226649; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"107.148.163.83"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"107.148.163.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.148.163.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"35.240.254.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; 
content:"192.3.255.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226660; rev:1;) alert tcp $HOME_NET any -> [124.71.165.5] 18433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226656; rev:1;) alert tcp $HOME_NET any -> [35.240.254.70] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226657; rev:1;) alert tcp $HOME_NET any -> [107.148.163.83] 4430 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"vilscloud.link"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226653; rev:1;) alert tcp $HOME_NET any -> [43.138.72.70] 8012 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226655/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"vilscloud.link"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"js.yalafix.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/checkin"; depth:8; nocase; http.host; content:"js.yalafix.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; nocase; reference:url, threatfox.abuse.ch/ioc/1226664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"max.solitarymc.top"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1226667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"maxmc.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.goodljlagfhssss.live"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1226669/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_31; classtype:trojan-activity; sid:91226669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"www.goodljlagfhssss.live"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vataotao.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.vataotao.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1226672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"niuweb.haowusong.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1226673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"api.niuwxt.haowusong.com"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1226674/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"test.niuwxt.haowusong.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1226675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226675; rev:1;) alert tcp $HOME_NET any -> [8.130.113.224] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226630/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226630; rev:1;) alert tcp $HOME_NET any -> [116.213.40.102] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226629/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226629; rev:1;) alert tcp $HOME_NET any -> [157.90.236.202] 27049 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; 
classtype:trojan-activity; sid:91226616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226614; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 56591 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; 
http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226610; rev:1;) alert tcp $HOME_NET any -> [14.232.108.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226609/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226609; rev:1;) alert tcp $HOME_NET any -> [190.232.148.52] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226608/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226608; rev:1;) alert tcp $HOME_NET any -> [167.172.86.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/aol/5pn095pye"; depth:20; nocase; http.host; content:"167.172.86.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226606; rev:1;) alert tcp $HOME_NET any -> [84.54.51.49] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226605/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226605; rev:1;) alert tcp $HOME_NET any -> [47.108.175.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226604/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226604; rev:1;) alert tcp $HOME_NET any -> [142.171.27.92] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226603/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226603; rev:1;) alert tcp $HOME_NET any -> [8.140.34.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226602/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226602; rev:1;) alert tcp $HOME_NET any -> [38.147.188.137] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226601/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226601; rev:1;) alert tcp $HOME_NET any -> [106.52.109.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226600/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226600; rev:1;) alert tcp $HOME_NET any -> [105.96.221.14] 443 
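(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226599/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226599; rev:1;)
alert tcp $HOME_NET any -> [78.16.207.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226598/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226598; rev:1;)
alert tcp $HOME_NET any -> [176.143.232.60] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226597/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_31; classtype:trojan-activity; sid:91226597; rev:1;)
alert tcp $HOME_NET any -> [156.224.24.144] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226596/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226596; rev:1;)
# NOTE(review): the two url IoCs below (sid 91226594 and 91226595) match RFC 1918 addresses
# (192.168.10.47 and 192.168.110.86) in http.host. With the feed's $HOME_NET -> $EXTERNAL_NET
# direction they cannot fire on a host inside $HOME_NET unless $EXTERNAL_NET is configured to
# include private ranges; if it is, ordinary LAN web traffic requesting /en_us/all.js or
# /visit.js from those addresses will alert. They look like lab/test submissions (confidence 75
# rather than 100); consider disabling them or lowering their priority in your local tuning
# instead of alerting on them at the same level as the routable IoCs in this feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"192.168.10.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226594/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_31; classtype:trojan-activity; sid:91226594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"192.168.110.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226595/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_31; classtype:trojan-activity; sid:91226595; rev:1;)
alert tcp $HOME_NET any -> [47.108.175.149] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226593/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226593; rev:1;)
alert tcp $HOME_NET any -> [15.235.3.1] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_31; classtype:trojan-activity; sid:91226592; rev:1;)
alert tcp $HOME_NET any -> [13.201.166.74] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226591/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226591; rev:1;)
alert tcp $HOME_NET any -> [194.116.191.226] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226590/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_31; classtype:trojan-activity; sid:91226590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, 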
threatfox.abuse.ch/ioc/1226589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226588; rev:1;) alert tcp $HOME_NET any -> [86.218.240.44] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226587/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"lahwgu64.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226586; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 19866 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226585; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 19866 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226584; rev:1;) alert tcp $HOME_NET any -> [124.220.224.87] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226583/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226583; rev:1;) alert tcp $HOME_NET any -> [74.12.146.165] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226582/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226582; rev:1;) alert tcp $HOME_NET any -> [5.163.160.142] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226581/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226581; rev:1;) alert tcp $HOME_NET any -> [78.180.86.46] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226580/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226580; rev:1;) alert tcp $HOME_NET any -> [34.87.162.94] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226578/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226578; rev:1;) alert tcp $HOME_NET any -> [38.242.21.22] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226577/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226577; rev:1;) alert tcp $HOME_NET any -> [193.233.255.91] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226576; rev:1;) alert tcp $HOME_NET any -> [91.161.14.130] 5555 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226575; rev:1;) alert tcp $HOME_NET any -> [43.159.143.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226574/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226531; rev:1;)
# NOTE(review): this rule and the five that follow (sid 91226532-91226537, the last one
# running on into the next line) repeat the loop.topteamlife.com /order/tuc2..tuc7.exe
# URL+host pairs already covered by ioc 1226526-1226531 — identical http.uri and http.host
# content, only the sid differs — so every download of one of these files raises two alerts.
# The same doubling exists for still.topteamlife.com (ioc 1226538-1226543 vs 1226544-1226549),
# zen.topteamlife.com (1226550-1226555 vs 1226556-1226561) and lang.topteamlife.com
# (1226562-1226567 vs 1226568-1226573). Consider suppressing one copy of each pair, or
# collapsing each host's set into a single rule on the "/order/tuc" prefix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; 
classtype:trojan-activity; sid:91226537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; 
depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"still.topteamlife.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1226550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; 
sid:91226554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"zen.topteamlife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; 
content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226567/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226571; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"lang.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"still.topteamlife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; 
content:"loop.topteamlife.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loop.topteamlife.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lang.topteamlife.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zen.topteamlife.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226524; rev:1;) alert tcp $HOME_NET any -> [80.87.199.249] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226514; rev:1;) alert tcp $HOME_NET any -> [176.9.47.240] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226521/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_30; classtype:trojan-activity; sid:91226521; rev:1;) alert tcp $HOME_NET any -> [27.124.6.249] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226496/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226496; rev:1;) alert tcp $HOME_NET any -> [14.0.24.177] 7004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226497/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226497; rev:1;) alert tcp $HOME_NET any -> [27.124.6.253] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226498/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226498; rev:1;) alert tcp $HOME_NET any -> [193.233.255.34] 4848 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226499/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226499; rev:1;) alert tcp $HOME_NET any -> [72.140.185.189] 8092 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226500/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226500; rev:1;) alert tcp $HOME_NET any -> [51.79.247.142] 12000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226501/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226501; rev:1;) alert tcp $HOME_NET any -> [27.124.6.248] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226502/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226502; rev:1;) alert tcp $HOME_NET any -> [8.210.77.104] 9443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226503/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226503; rev:1;) alert tcp $HOME_NET any -> [47.99.65.37] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226504/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226504; rev:1;) alert tcp $HOME_NET any -> [185.81.157.119] 1020 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226505/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226505; rev:1;) alert tcp $HOME_NET any -> [222.211.73.134] 5566 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226506/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226506; rev:1;) alert tcp $HOME_NET any -> [27.124.2.230] 
4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226512/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226512; rev:1;) alert tcp $HOME_NET any -> [194.147.140.154] 8889 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226513/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info__testge"; depth:13; nocase; http.host; content:"202.103.198.67"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"117.72.36.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.49.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; 
classtype:trojan-activity; sid:91226518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"122.51.68.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"185.172.128.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonauthprotectuploads.php"; depth:29; nocase; http.host; content:"847702cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226515; rev:1;) alert tcp $HOME_NET any -> [159.75.97.169] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226511/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/43protect4/9httpprovider/to2windowsprotect/pollpipe/cpupublicpublic/generatorsqlexternalvideo/_javascript2bigload/dlelinuxhttp/phpprivatewpprotect/dlegeneratorbaselongpoll/external4dump/3external/processwordpress.php"; depth:217; nocase; http.host; content:"80.87.199.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"137.175.19.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226507; rev:1;) alert tcp $HOME_NET any -> [142.171.42.174] 7890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"142.171.42.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226472; rev:1;) alert tcp $HOME_NET any -> [103.199.16.143] 3443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226473; rev:1;) alert tcp $HOME_NET any -> [124.71.184.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226474; rev:1;) alert tcp $HOME_NET any -> [91.92.254.204] 772 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"103.199.16.143"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.199.16.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.184.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.71.184.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"91.92.254.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226480; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.138.104.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"91.92.254.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.138.104.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226482; rev:1;) alert tcp $HOME_NET any -> [124.221.171.136] 4445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.221.171.136"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"107.148.49.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.221.171.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"107.148.49.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syncupd.exe"; depth:12; nocase; http.host; content:"185.172.128.53"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; 
classtype:trojan-activity; sid:91226491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"146.70.87.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226493; rev:1;) alert tcp $HOME_NET any -> [185.172.128.53] 80 (msg:"ThreatFox Stealc payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"146.70.87.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226494; rev:1;) alert tcp $HOME_NET any -> [5.42.64.41] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"astra4512.startdedicated.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; 
classtype:trojan-activity; sid:91226488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"astra4512.startdedicated.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"0nedriveup.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"upgrad3.cc"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1226439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"api.upgrad3.cc"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"doc.bluework.ink"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"doc.bluework.ink"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1226441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"micrusroft.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"uhtincswa.cf"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"newstatisc.googleinfo.se"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1226445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/en_us/all.js"; depth:13; nocase; http.host; content:"ccs.zz9.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"ccs.zz9.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ternocorg.cf"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1226448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cdn-014.epsonupdate.uk"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1226451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cyberwf.cf"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1226449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.domainsec.club"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1226450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"epsonupdate.uk"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lagrcloud.link"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226455/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_30; classtype:trojan-activity; sid:91226455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"htl502.tech"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1226463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"springcloud.top"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1226461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"hongtong502.cn"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fvia.id.vn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226457/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_30; classtype:trojan-activity; sid:91226457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"59.110.172.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.exe"; depth:11; nocase; http.host; content:"fvia.id.vn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"test.htl502.tech"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1226464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"hongtong502.cc"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1226465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226465; rev:1;) alert tcp $HOME_NET any -> [171.247.57.232] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot6268868985:aah9dzap5ho85p3bvfyfthyvshydlp_r9bu"; depth:50; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226468; rev:1;) alert tcp $HOME_NET any -> [83.97.20.86] 80 (msg:"ThreatFox LaplasClipper botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226469/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226469; rev:1;) alert tcp $HOME_NET any -> [185.209.161.89] 80 (msg:"ThreatFox LaplasClipper botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226470/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"sviacloud.link"; depth:14; 
nocase; reference:url, threatfox.abuse.ch/ioc/1226432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"lagrcloud.link"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"js.msedgeupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.gif"; depth:10; nocase; http.host; content:"api.taipowers.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/code.gif"; depth:9; nocase; http.host; content:"api.taipowers.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226436; rev:1;) 
alert tcp $HOME_NET any -> [103.146.50.208] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226437/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226437; rev:1;) alert tcp $HOME_NET any -> [139.180.191.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"139.180.191.240"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226430; rev:1;) alert tcp $HOME_NET any -> [176.124.193.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226429/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226429; rev:1;) alert tcp $HOME_NET any -> [2.50.16.116] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226428/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226428; rev:1;) alert tcp $HOME_NET any -> [38.147.188.61] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226427/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226427; rev:1;) alert tcp $HOME_NET any -> [3.249.24.64] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226426/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226426; rev:1;) alert tcp $HOME_NET any -> [151.101.135.221] 9031 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226425/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226425; rev:1;) alert tcp $HOME_NET any -> [43.206.199.216] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226424/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226424; rev:1;) alert tcp $HOME_NET any -> [139.162.3.239] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226423/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226423; rev:1;) alert tcp $HOME_NET any -> [18.118.177.107] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226422/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226422; rev:1;) alert 
tcp $HOME_NET any -> [18.157.68.73] 19354 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226421; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 19354 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226420; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 19354 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226419; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 19354 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"nemicata.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"politefrightenpowoa.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226335/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"recessionconceptjetwe.pw"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226336/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fitnescivilianquesw.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226333/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"playerweighmailydailew.pw"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226334/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1da263bff25c8346.php"; depth:21; nocase; http.host; content:"176.124.198.17"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1226330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"opposesicknessopw.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226331/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carstirgapcheatdeposwte.pw"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226332/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blastechohackopeower.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226337/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226337; rev:1;) alert tcp $HOME_NET any -> [176.124.198.17] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s.zip"; depth:6; nocase; http.host; content:"amotel.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"amotel.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"representrecyclere.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226341/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_30; classtype:trojan-activity; sid:91226341; rev:1;) alert tcp $HOME_NET any -> [195.20.16.199] 11247 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.100.249.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226349; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.100.249.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226352; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226353; rev:1;) alert tcp $HOME_NET any -> [89.190.156.140] 1663 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; 
classtype:trojan-activity; sid:91226354; rev:1;) alert tcp $HOME_NET any -> [171.247.47.66] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226355/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_30; classtype:trojan-activity; sid:91226355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bypass/bypass.bat"; depth:18; nocase; http.host; content:"fvia.id.vn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"010532cm.nyashcrack.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226416; rev:1;) alert tcp $HOME_NET any -> [41.129.6.69] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226415; rev:1;) alert tcp $HOME_NET any -> [13.232.118.175] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; 
classtype:trojan-activity; sid:91226414; rev:1;) alert tcp $HOME_NET any -> [47.113.196.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226413; rev:1;) alert tcp $HOME_NET any -> [134.119.180.88] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226411; rev:1;) alert tcp $HOME_NET any -> [3.68.253.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226412; rev:1;) alert tcp $HOME_NET any -> [52.87.75.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226410; rev:1;) alert tcp $HOME_NET any -> [159.223.146.12] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226409; rev:1;) alert tcp $HOME_NET any -> [31.41.221.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226407; rev:1;) alert tcp $HOME_NET any -> [23.227.186.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226408; rev:1;) alert tcp $HOME_NET any -> [185.48.180.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226406; rev:1;) alert tcp $HOME_NET any -> [106.75.233.211] 8181 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226405; rev:1;) alert tcp $HOME_NET any -> [159.223.244.83] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226404; rev:1;) alert tcp $HOME_NET any -> [3.0.34.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226403; 
rev:1;) alert tcp $HOME_NET any -> [54.93.204.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226401; rev:1;) alert tcp $HOME_NET any -> [99.81.163.152] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226402; rev:1;) alert tcp $HOME_NET any -> [54.93.204.191] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226400; rev:1;) alert tcp $HOME_NET any -> [20.82.130.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226399; rev:1;) alert tcp $HOME_NET any -> [5.182.87.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226398; rev:1;) alert tcp $HOME_NET any -> [54.152.117.40] 6432 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1226397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226397; rev:1;) alert tcp $HOME_NET any -> [18.153.140.104] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226396; rev:1;) alert tcp $HOME_NET any -> [3.85.95.171] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226395; rev:1;) alert tcp $HOME_NET any -> [43.143.56.152] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226394; rev:1;) alert tcp $HOME_NET any -> [211.97.157.57] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226393; rev:1;) alert tcp $HOME_NET any -> [119.3.215.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226391; rev:1;) alert tcp $HOME_NET any -> 
[220.173.26.197] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226392; rev:1;) alert tcp $HOME_NET any -> [104.192.83.246] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226390; rev:1;) alert tcp $HOME_NET any -> [93.123.85.122] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226389; rev:1;) alert tcp $HOME_NET any -> [197.119.113.44] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226388; rev:1;) alert tcp $HOME_NET any -> [91.92.254.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226387; rev:1;) alert tcp $HOME_NET any -> [82.146.54.42] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226386/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226386; rev:1;) alert tcp $HOME_NET any -> [20.102.111.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226384; rev:1;) alert tcp $HOME_NET any -> [87.121.87.53] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226385; rev:1;) alert tcp $HOME_NET any -> [18.234.193.16] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226383; rev:1;) alert tcp $HOME_NET any -> [190.213.184.38] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226381; rev:1;) alert tcp $HOME_NET any -> [78.178.154.228] 3004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226382; rev:1;) alert tcp $HOME_NET any -> [91.109.178.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226380; rev:1;) alert tcp $HOME_NET any -> [89.116.48.227] 18188 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226379; rev:1;) alert tcp $HOME_NET any -> [82.153.68.86] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226378; rev:1;) alert tcp $HOME_NET any -> [174.138.7.112] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226377/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_30; classtype:trojan-activity; sid:91226377; rev:1;) alert tcp $HOME_NET any -> [121.41.0.213] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226376; rev:1;) alert tcp $HOME_NET any -> [159.75.97.169] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226375; rev:1;) alert 
tcp $HOME_NET any -> [154.197.161.59] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226374; rev:1;) alert tcp $HOME_NET any -> [47.108.89.235] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226372; rev:1;) alert tcp $HOME_NET any -> [150.158.57.120] 156 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226373; rev:1;) alert tcp $HOME_NET any -> [123.253.108.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226371; rev:1;) alert tcp $HOME_NET any -> [47.93.216.2] 8055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226369; rev:1;) alert tcp $HOME_NET any -> [148.113.3.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226370; rev:1;) alert tcp $HOME_NET any -> [124.223.6.67] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226368; rev:1;) alert tcp $HOME_NET any -> [137.175.19.153] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226367; rev:1;) alert tcp $HOME_NET any -> [47.109.58.205] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226366; rev:1;) alert tcp $HOME_NET any -> [47.99.151.68] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226365; rev:1;) alert tcp $HOME_NET any -> [114.132.238.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226364/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226364; rev:1;) alert tcp $HOME_NET any -> [121.36.97.135] 13579 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226363/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226363; rev:1;)
# ip:port rules: one alert per internal source host per 60 s (threshold: type limit, track by_src, seconds 60, count 1).
# target:src_ip marks the $HOME_NET side as the affected host, so the alert's source address is the machine to triage.
# sid is the ThreatFox IoC id prefixed with 9, so the reference URL can be rebuilt from the sid alone.
alert tcp $HOME_NET any -> [18.158.58.205] 12816 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226362; rev:1;)
alert tcp $HOME_NET any -> [3.67.112.102] 12816 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226361; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 12816 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226360; rev:1;)
# URL rules require an established client-to-server HTTP flow and match the GET request's normalized URI and Host header;
# the depth values anchor both matches at the start of their buffers, and isdataat:!1,relative forbids trailing bytes after the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0896387.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226359; rev:1;)
alert tcp $HOME_NET any -> [23.88.53.166] 35910 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_30; classtype:trojan-activity; sid:91226358; rev:1;)
alert tcp $HOME_NET any -> [134.175.241.75] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226357/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_30; classtype:trojan-activity; sid:91226357; rev:1;)
alert tcp $HOME_NET any -> [139.180.197.154] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226348/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91226348; rev:1;)
# Domain rules match the DNS query name exactly: depth anchors the content at the start of the name and isdataat:!1,relative
# forbids trailing bytes, so other subdomains of the listed name do not match; nocase makes the comparison case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bac.acs551.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"23.105.214.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/printenv/d2udlm17"; depth:24; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/printenv/d2udlm17"; depth:24; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226343; rev:1;)
alert tcp $HOME_NET any -> [111.230.244.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226342; rev:1;)
alert tcp $HOME_NET any -> [202.103.198.67] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226329/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91226329; rev:1;)
# 45.95.147.236 appears below as the host serving the redtail.* payloads for several architectures and again in an ip:port rule
# (ioc 1226323, "xmrig payload delivery"), next to lookups of supportxmr.com mining-pool names; a single internal host hitting
# several of these is worth correlating. pool.supportxmr.com is a public mining pool, so that lookup on its own indicates
# mining activity rather than proving the infection the msg text names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/redtail.arm8"; depth:22; nocase; http.host; content:"45.95.147.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/redtail.arm7"; depth:22; nocase; http.host; content:"45.95.147.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226325; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pool.supportxmr.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226326; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pool-fr.supportxmr.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226327; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.145] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226328; rev:1;)
alert tcp $HOME_NET any -> [45.95.147.236] 80 (msg:"ThreatFox xmrig payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/redtail.i686"; depth:22; nocase; http.host; content:"45.95.147.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/redtail.x86_64"; depth:24; nocase; http.host; content:"45.95.147.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226317; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dw.ohuyal.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226320; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.ohuyal.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.ohuyal.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226322; rev:1;)
alert tcp $HOME_NET any -> [91.107.137.176] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226319/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91226319; rev:1;)
alert tcp $HOME_NET any -> [3.109.153.33] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226318/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91226318; rev:1;)
# confidence_level 50 entries (QakBot, pupy, Responder, Havoc, BianLian) are lower-confidence submissions; corroborate them
# before using the addresses for blocking rather than alerting. The Responder entries watch outbound SMB (tcp/445) to the
# internet, which is rarely legitimate; egress filtering of 445 covers that class regardless of the listed addresses.
alert tcp $HOME_NET any -> [193.92.72.247] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226315/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226315; rev:1;)
alert tcp $HOME_NET any -> [38.147.188.28] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226314/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226314; rev:1;)
alert tcp $HOME_NET any -> [208.117.87.83] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226313/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226313; rev:1;)
alert tcp $HOME_NET any -> [193.209.137.23] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226312/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226312; rev:1;)
alert tcp $HOME_NET any -> [109.206.246.130] 30003 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226311/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226311; rev:1;)
alert tcp $HOME_NET any -> [185.141.24.220] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226310/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226310; rev:1;)
# DCRat entries below all carry confidence_level 75 and first_seen 2023_12_29; 8848 is the recurring listener port, but the
# port alone does not identify the family, so dashboards should key on msg or sid.
alert tcp $HOME_NET any -> [103.143.80.140] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226222/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226222; rev:1;)
alert tcp $HOME_NET any -> [38.59.124.16] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226223/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226223; rev:1;)
alert tcp $HOME_NET any -> [128.199.66.119] 56789 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226224/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226224; rev:1;)
alert tcp $HOME_NET any -> [103.17.185.70] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226225/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226225; rev:1;)
alert tcp $HOME_NET any -> [193.84.248.185] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226226/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226226; rev:1;)
alert tcp $HOME_NET any -> [38.59.124.49] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226227/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226227; rev:1;)
alert tcp $HOME_NET any -> [156.245.19.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226228/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226228; rev:1;)
alert tcp $HOME_NET any -> [202.162.109.198] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226229/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226229; rev:1;)
alert tcp $HOME_NET any -> [91.107.200.181] 8890 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226230/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226230; rev:1;)
alert tcp $HOME_NET any -> [193.143.1.136] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226231/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226231; rev:1;)
alert tcp $HOME_NET any -> [38.59.124.49] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226232/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226232; rev:1;)
alert tcp $HOME_NET any -> [156.245.19.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226233/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226233; rev:1;)
alert tcp $HOME_NET any -> [47.94.83.202] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226234/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226234; rev:1;)
alert tcp $HOME_NET any -> [87.251.67.215] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226235/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226235; rev:1;)
alert tcp $HOME_NET any -> [42.192.132.36] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226236/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226236; rev:1;)
alert tcp $HOME_NET any -> [156.245.19.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226237/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226237; rev:1;)
alert tcp $HOME_NET any -> [64.176.217.187] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226238/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226238; rev:1;)
alert tcp $HOME_NET any -> [47.94.241.76] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226239/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226239; rev:1;)
alert tcp $HOME_NET any -> [27.147.169.101] 3333 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226240/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226240; rev:1;)
alert tcp $HOME_NET any -> [124.220.49.140] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226241/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226241; rev:1;)
alert tcp $HOME_NET any -> [8.210.131.175] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226242/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226242; rev:1;)
alert tcp $HOME_NET any -> [107.148.13.223] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226243/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226243; rev:1;)
alert tcp $HOME_NET any -> [45.11.47.195] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226244/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226244; rev:1;)
alert tcp $HOME_NET any -> [123.207.75.205] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226245/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226245; rev:1;)
alert tcp $HOME_NET any -> [38.59.124.16] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226246/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226246; rev:1;)
alert tcp $HOME_NET any -> [139.155.92.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226248/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226248; rev:1;)
alert tcp $HOME_NET any -> [185.213.25.37] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226247/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226247; rev:1;)
alert tcp $HOME_NET any -> [111.173.89.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226249/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226249; rev:1;)
alert tcp $HOME_NET any -> [120.78.139.3] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226250/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226250; rev:1;)
alert tcp $HOME_NET any -> [91.198.66.47] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226251/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226251; rev:1;)
alert tcp $HOME_NET any -> [192.99.152.153] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226252/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226252; rev:1;)
alert tcp $HOME_NET any -> [66.135.26.66] 9095 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226253/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226253; rev:1;)
alert tcp $HOME_NET any -> [45.11.77.54] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226254/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226254; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.235] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226255/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226255; rev:1;)
alert tcp $HOME_NET any -> [193.112.79.150] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226256/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226256; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.194] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226257/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226257; rev:1;)
alert tcp $HOME_NET any -> [27.102.134.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226258/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226258; rev:1;)
# Venom RAT entries: 4449 is the recurring listener port; 197.146.76.15 and 206.238.199.163 each appear on more than one port,
# so a host seen talking to either address on any port warrants the same triage as a direct match.
alert tcp $HOME_NET any -> [150.158.169.143] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226259/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226259; rev:1;)
alert tcp $HOME_NET any -> [37.1.208.55] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226260/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226260; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.200] 5501 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226261/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226261; rev:1;)
alert tcp $HOME_NET any -> [107.151.240.126] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226262/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226262; rev:1;)
alert tcp $HOME_NET any -> [113.207.49.39] 4001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226263/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226263; rev:1;)
alert tcp $HOME_NET any -> [103.82.26.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226264/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226264; rev:1;)
alert tcp $HOME_NET any -> [197.146.76.15] 52224 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226265/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226265; rev:1;)
alert tcp $HOME_NET any -> [197.146.76.15] 7474 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226266/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226266; rev:1;)
alert tcp $HOME_NET any -> [197.146.76.15] 7801 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226267/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226267; rev:1;)
alert tcp $HOME_NET any -> [47.96.68.247] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226268/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226268; rev:1;)
alert tcp $HOME_NET any -> [103.74.106.117] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226269/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226269; rev:1;)
alert tcp $HOME_NET any -> [206.238.199.163] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226270/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226270; rev:1;)
alert tcp $HOME_NET any -> [38.165.8.185] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226271/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226271; rev:1;)
alert tcp $HOME_NET any -> [51.38.57.226] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226272/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226272; rev:1;)
alert tcp $HOME_NET any -> [113.207.49.50] 4004 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226273/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226273; rev:1;)
alert tcp $HOME_NET any -> [8.130.84.209] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226274/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226274; rev:1;)
alert tcp $HOME_NET any -> [103.145.253.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226275/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226275; rev:1;)
alert tcp $HOME_NET any -> [111.92.241.2] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226276/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226276; rev:1;)
alert tcp $HOME_NET any -> [43.153.109.213] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226277/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226277; rev:1;)
alert tcp $HOME_NET any -> [104.194.11.45] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226278/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226278; rev:1;)
alert tcp $HOME_NET any -> [5.182.87.154] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226279/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226279; rev:1;)
alert tcp $HOME_NET any -> [206.238.199.163] 2022 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226280/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226280; rev:1;)
alert tcp $HOME_NET any -> [34.70.203.199] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226281/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226281; rev:1;)
alert tcp $HOME_NET any -> [43.156.51.101] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226282/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226282; rev:1;)
alert tcp $HOME_NET any -> [43.140.194.203] 2233 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226283/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226283; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.229] 4002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226284/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226284; rev:1;)
alert tcp $HOME_NET any -> [185.16.38.93] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226285/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226285; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.237] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226286/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226286; rev:1;)
alert tcp $HOME_NET any -> [113.207.49.53] 4002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226287/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226287; rev:1;)
alert tcp $HOME_NET any -> [207.32.217.117] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226288/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226288; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.13] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226289/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226289; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.81] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226290/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226290; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.170] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226291/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226291; rev:1;)
alert tcp $HOME_NET any -> [83.220.164.2] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226292/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226292; rev:1;)
alert tcp $HOME_NET any -> [83.220.164.105] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226293/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226293; rev:1;)
alert tcp $HOME_NET any -> [83.220.164.11] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226294/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226294; rev:1;)
alert tcp $HOME_NET any -> [83.220.164.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226295/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226295; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.158] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226296/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226296; rev:1;)
alert tcp $HOME_NET any -> [45.155.249.230] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226297/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226297; rev:1;)
alert tcp $HOME_NET any -> [124.70.154.188] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226298/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226298; rev:1;)
alert tcp $HOME_NET any -> [172.247.132.3] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226299/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; 
classtype:trojan-activity; sid:91226299; rev:1;) alert tcp $HOME_NET any -> [207.32.217.107] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226300/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226300; rev:1;) alert tcp $HOME_NET any -> [91.92.246.52] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226301/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226301; rev:1;) alert tcp $HOME_NET any -> [3.22.97.180] 8848 (msg:"ThreatFox Borat RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226302/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226302; rev:1;) alert tcp $HOME_NET any -> [18.209.171.232] 80 (msg:"ThreatFox Borat RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226303/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"166.4.81.34.bc.googleusercontent.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"34.81.4.166"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1226305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226305; rev:1;) alert tcp $HOME_NET any -> [35.81.4.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"updates.adobe-soft.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"updates.adobe-soft.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226308; rev:1;) alert tcp $HOME_NET any -> [34.81.4.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226309; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.yingmala.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226218/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.yingmala.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226219/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91226219; rev:1;) alert tcp $HOME_NET any -> [78.16.207.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226221/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_29; classtype:trojan-activity; sid:91226221; rev:1;) alert tcp $HOME_NET any -> [91.199.147.204] 5655 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226220; rev:1;) alert tcp $HOME_NET any -> [107.182.190.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226217/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91226217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videopipecpuwindowsasyncwordpressdatalife.php"; depth:46; nocase; http.host; content:"79.174.94.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"bac.acs551.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"bac.acs551.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ptj"; depth:4; nocase; http.host; content:"213.252.246.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"216.128.149.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"213.252.246.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226197/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"140.83.59.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"140.83.59.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226202; rev:1;) alert tcp $HOME_NET any -> [43.163.204.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226203; rev:1;) alert tcp $HOME_NET any -> [152.136.55.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226204; rev:1;) alert tcp $HOME_NET any -> [216.128.149.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226205; rev:1;) alert tcp $HOME_NET any -> [213.252.246.175] 24413 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226206; rev:1;) alert tcp $HOME_NET any -> [45.134.225.243] 54141 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1226207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226207; rev:1;) alert tcp $HOME_NET any -> [45.134.225.243] 48520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226208; rev:1;) alert tcp $HOME_NET any -> [140.83.59.220] 802 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"149.88.66.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"149.88.66.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226210; rev:1;) alert tcp $HOME_NET any -> [149.88.66.173] 2788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1226212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226212; rev:1;) alert tcp $HOME_NET any -> [114.115.220.199] 7711 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226215; rev:1;) alert tcp $HOME_NET any -> [221.154.107.221] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; 
http.host; content:"106.14.83.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"194.87.218.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226187; rev:1;) alert tcp $HOME_NET any -> [18.218.18.183] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"5.42.66.57"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"ratingsentry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1226184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226184; rev:1;) alert tcp 
$HOME_NET any -> [65.0.107.118] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226183/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91226183; rev:1;) alert tcp $HOME_NET any -> [143.110.242.123] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226182; rev:1;) alert tcp $HOME_NET any -> [18.222.163.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.staging.axile.su"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dashboard.www.staging.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.www.ns1.www.staging.axile.su"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.www.ns1.www.staging.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fr.v2survivalist.cms.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.www.dev.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gitlab.whm.cloud.localhost.axile.su"; depth:39; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.cloud.localhost.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.www.staging.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"old.owa.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cms.img.cms.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.www.staging.axile.su"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1226169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.ns1.cms.axile.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.cms.axile.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.cms.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ns1.www.staging.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.chat.localhost.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226164/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_29; classtype:trojan-activity; sid:91226164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.webmail.www.en.autodiscover.staging.axile.su"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostmaster.img.cms.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.localhost.staging.cms.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.whm.cloud.localhost.axile.su"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gitlab.axile.su"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; 
sid:91226159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.admin.www.ns1.www.staging.axile.su"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.media.img.cms.axile.su"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host-91-142-74-67.hosted-by-vdsina.ru"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.secure.www.dashboard.www.staging.axile.su"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226154; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyncdiscover.www.dashboard.www.staging.axile.su"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.phpmyadmin.en.cloud.localhost.axile.su"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.secure.www.dashboard.www.staging.axile.su"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.blog.www.dashboard.www.staging.axile.su"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"localhost.axile.su"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226149; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.localhost.axile.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.www.staging.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"media.cpanel.staging.axile.su"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.test.ns1.cms.axile.su"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.static.chat.localhost.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.support.ns2.cms.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phpmyadmin.axile.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wap.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.webmail.autodiscover.staging.axile.su"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ns1.cms.axile.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"api.www.staging.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.media.en.autodiscover.staging.axile.su"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.phpmyadmin.dev.phpmyadmin.axile.su"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.webmail.autodiscover.staging.axile.su"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.ww1.img.cms.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.webdisk.axile.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.store.www.ns1.www.staging.axile.su"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lyncdiscover.www.staging.axile.su"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cpanel.cloud.localhost.axile.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.old.ns2.cms.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.cms.www.staging.axile.su"; 
depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dev.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.media.cpanel.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.en.cloud.localhost.axile.su"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.staging.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.smtp.dashboard.ns1.cms.axile.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1226122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sitemap.www.staging.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"files.axile.su"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ww1.www.en.autodiscover.staging.axile.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226117/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_29; classtype:trojan-activity; sid:91226117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cpanel.staging.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ns2.pay.axile.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.localhost.www.staging.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"media.www.en.autodiscover.staging.axile.su"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226112; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.lyncdiscover.www.dashboard.www.staging.axile.su"; depth:55; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.www.dashboard.www.staging.axile.su"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.store.www.ns1.www.staging.axile.su"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.pay.axile.su"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wiki.cpanel.staging.axile.su"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226106; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.lyncdiscover.www.staging.axile.su"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gitlab.dev.phpmyadmin.axile.su"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cms.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autoconfig.autodiscover.staging.axile.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hostmaster.img.cms.axile.su"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cpcalendars.ww1.img.cms.axile.su"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forum.cpanel.staging.axile.su"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.autodiscover.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.chat.localhost.axile.su"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pop3.webmail.ns1.cms.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"www.autodiscover.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.autoconfig.autodiscover.staging.axile.su"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.media.www.en.autodiscover.staging.axile.su"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docs.axile.su"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"demo.wap.axile.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.www.wap.axile.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.dev.axile.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.ns1.cms.axile.su"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.webmail.v2survivalist.cms.axile.su"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.webdisk.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1226085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.api.www.staging.axile.su"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.en.autodiscover.staging.axile.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.old.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.img.en.autodiscover.staging.axile.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.demo.pay.axile.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226080/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lyncdiscover.axile.su"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.admin.www.ns1.www.staging.axile.su"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.en.ww1.img.cms.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.www.staging.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.v2survivalist.cms.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226075/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_29; classtype:trojan-activity; sid:91226075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cpanel.ww1.img.cms.axile.su"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.img.cms.axile.su"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wiki.axile.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostmaster.chat.localhost.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226071; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.en.autodiscover.staging.axile.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remote.img.cms.axile.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.pay.axile.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forums.ww1.img.cms.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.cpanel.staging.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"www.localhost.img.cms.axile.su"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sitemap.www.staging.axile.su"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.autodiscover.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.api.media.cpanel.staging.axile.su"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.www.wap.axile.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"static.chat.localhost.axile.su"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.pay.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"old.axile.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.www.ns1.www.staging.axile.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.demo.pay.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.media.cpanel.staging.axile.su"; depth:33; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"git.ww1.img.cms.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.static.www.wap.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.www.ns1.www.staging.axile.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.autodiscover.staging.axile.su"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dashboard.ns1.cms.axile.su"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1226049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ssh.webmail.autodiscover.staging.axile.su"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.ww1.img.cms.axile.su"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.autodiscover.staging.axile.su"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.shop.chat.pay.axile.su"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.www.webdisk.axile.su"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226046/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.new.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.phpmyadmin.axile.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.img.www.dashboard.www.staging.axile.su"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axile.su"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"localhost.img.cms.axile.su"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; 
classtype:trojan-activity; sid:91226041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.cms.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssh.webmail.autodiscover.staging.axile.su"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.api.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.forum.cpanel.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyncdiscover.axile.su"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226035; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gitlab.whm.cloud.localhost.axile.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dev.phpmyadmin.axile.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.www.dashboard.www.staging.axile.su"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.www.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dashboard.demo.pay.axile.su"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lyncdiscover.www.dashboard.www.staging.axile.su"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.store.chat.localhost.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyncdiscover.www.staging.axile.su"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.dev.axile.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.m.autodiscover.staging.axile.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"secure.www.dashboard.www.staging.axile.su"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.whm.axile.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure.cms.pay.axile.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gitlab.axile.su"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.en.autodiscover.staging.axile.su"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226020; rev:1;) alert tcp $HOME_NET any -> [66.85.27.144] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.canna-oil.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1226018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226018; rev:1;) alert tcp $HOME_NET any -> [206.189.22.238] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226017; rev:1;) alert tcp $HOME_NET any -> [20.125.149.120] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226016; rev:1;) alert tcp $HOME_NET any -> [182.254.135.149] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226015; rev:1;) alert tcp $HOME_NET any -> [138.197.148.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226014; 
rev:1;) alert tcp $HOME_NET any -> [3.144.119.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226013; rev:1;) alert tcp $HOME_NET any -> [18.169.186.31] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226012; rev:1;) alert tcp $HOME_NET any -> [190.60.28.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226011; rev:1;) alert tcp $HOME_NET any -> [47.94.140.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226010; rev:1;) alert tcp $HOME_NET any -> [52.66.220.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226009; rev:1;) alert tcp $HOME_NET any -> [3.135.63.136] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1226008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226008; rev:1;) alert tcp $HOME_NET any -> [176.34.203.56] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226007; rev:1;) alert tcp $HOME_NET any -> [46.151.214.204] 1115 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226006; rev:1;) alert tcp $HOME_NET any -> [16.16.147.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226005; rev:1;) alert tcp $HOME_NET any -> [157.55.162.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226003; rev:1;) alert tcp $HOME_NET any -> [20.232.34.30] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226004; rev:1;) alert tcp $HOME_NET any -> 
[20.25.231.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226002; rev:1;) alert tcp $HOME_NET any -> [52.59.44.244] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226000; rev:1;) alert tcp $HOME_NET any -> [52.59.44.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1226001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91226001; rev:1;) alert tcp $HOME_NET any -> [52.191.61.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225999; rev:1;) alert tcp $HOME_NET any -> [103.104.204.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blogger.customerportalverify.store"; depth:34; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1225997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bank.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaccount.customerportalverify.store"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.customerportalverify.store"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.microsoft.fom-dev1.bloemer-net.de"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogs.customerportalverify.store"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1225993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"global.customerportalverify.store"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225991; rev:1;) alert tcp $HOME_NET any -> [106.32.9.72] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gradingran.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225989; rev:1;) alert tcp $HOME_NET any -> [118.195.245.162] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225988; rev:1;) alert tcp $HOME_NET any -> [104.143.46.9] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225987; rev:1;) alert tcp 
$HOME_NET any -> [194.26.192.11] 10137 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225986; rev:1;) alert tcp $HOME_NET any -> [191.17.4.199] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o-sendungsverfolgung.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225984; rev:1;) alert tcp $HOME_NET any -> [91.92.254.200] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225982; rev:1;) alert tcp $HOME_NET any -> [91.92.244.38] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225983; rev:1;) alert tcp $HOME_NET any -> [154.3.2.209] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225980; rev:1;) alert tcp $HOME_NET any -> [104.161.27.4] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225981; rev:1;) alert tcp $HOME_NET any -> [20.42.60.45] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225979/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_29; classtype:trojan-activity; sid:91225979; rev:1;) alert tcp $HOME_NET any -> [124.220.215.195] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225978; rev:1;) alert tcp $HOME_NET any -> [154.197.161.50] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225977; rev:1;) alert tcp $HOME_NET any -> [91.149.237.145] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225976; rev:1;) alert tcp $HOME_NET any -> [8.137.54.33] 888 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"siegemachine.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225974; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225973/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/gate.php"; depth:11; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"10.10.12.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"103.36.196.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225967; rev:1;) alert tcp $HOME_NET any -> [38.47.101.244] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225966/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"118.31.114.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"58.218.215.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.238.243.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"58.218.215.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"140.207.247.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"117.135.134.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.238.243.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"220.181.164.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"list.xcb.one"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"list.xcb.one"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"188.116.22.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; 
classtype:trojan-activity; sid:91225953; rev:1;) alert tcp $HOME_NET any -> [47.100.99.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2023/12/21/update-2f2gfio2fj208fugi3g3.cab"; depth:70; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.41.0.213"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225950; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 10298 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225949; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 10298 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225948/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_29; classtype:trojan-activity; sid:91225948; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 10298 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225947; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 10298 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225945; rev:1;) alert tcp $HOME_NET any -> [5.42.92.88] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"110.42.214.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; 
classtype:trojan-activity; sid:91225820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"110.42.214.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"d20tk7ygz8ugsj.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"ratingsentry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"rhcsa.linux-shared-pkgs.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"rhcsa.linux-shared-pkgs.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tahtalidoleredominezdolez.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v1.44/vxk7p0gbe8"; depth:25; nocase; http.host; content:"91.92.245.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225924; rev:1;) alert tcp $HOME_NET any -> [20.79.30.95] 13856 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.207.47.21"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1225925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.207.47.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"kayido.com"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1225927/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225927; rev:1;) alert tcp $HOME_NET any -> [74.12.146.61] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225943/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225943; rev:1;) alert tcp $HOME_NET any -> [94.49.217.34] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225942/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225942; rev:1;) alert tcp $HOME_NET any -> [50.35.138.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225941/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; 
classtype:trojan-activity; sid:91225941; rev:1;) alert tcp $HOME_NET any -> [41.96.56.81] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225940/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225940; rev:1;) alert tcp $HOME_NET any -> [192.46.227.201] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225939/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225939; rev:1;) alert tcp $HOME_NET any -> [86.105.18.111] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225938/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225938; rev:1;) alert tcp $HOME_NET any -> [113.176.107.216] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225937/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225937; rev:1;) alert tcp $HOME_NET any -> [109.206.246.130] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225935/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225935; rev:1;) alert tcp $HOME_NET any -> [109.206.246.130] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225936/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225936; rev:1;) alert tcp $HOME_NET any -> [8.212.128.240] 59873 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225934/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225934; rev:1;) alert tcp $HOME_NET any -> [2.57.122.119] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225933/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225933; rev:1;) alert tcp $HOME_NET any -> [2.57.122.119] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225932/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_29; classtype:trojan-activity; sid:91225932; rev:1;) alert tcp $HOME_NET any -> [91.92.246.10] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225931/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225931; rev:1;) alert tcp $HOME_NET any -> [3.110.171.18] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225930/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225930; rev:1;) alert tcp $HOME_NET any -> [106.14.83.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225929/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/external2dumplinux/httppacketserverprotectasynclocal.php"; depth:57; nocase; http.host; content:"101.99.93.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225928; rev:1;) alert tcp $HOME_NET any -> [192.99.101.72] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225923/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225923; rev:1;) alert tcp $HOME_NET any -> [34.92.56.1] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225922/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225922; rev:1;) alert tcp $HOME_NET any -> [79.107.151.192] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225921; rev:1;) alert tcp $HOME_NET any -> [171.244.62.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225920; rev:1;) alert tcp $HOME_NET any -> [95.216.200.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225919; rev:1;) alert tcp $HOME_NET any -> [3.66.183.194] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225917; rev:1;) alert tcp $HOME_NET any -> [20.46.49.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225918; rev:1;) alert tcp $HOME_NET any -> [174.138.6.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225916; rev:1;) alert tcp $HOME_NET any -> [3.75.237.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225915; rev:1;) alert tcp $HOME_NET 
any -> [18.194.72.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225913; rev:1;) alert tcp $HOME_NET any -> [18.194.72.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225914; rev:1;) alert tcp $HOME_NET any -> [34.128.110.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225912; rev:1;) alert tcp $HOME_NET any -> [35.209.221.3] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225911; rev:1;) alert tcp $HOME_NET any -> [3.6.55.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225910; rev:1;) alert tcp $HOME_NET any -> [69.48.163.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225909; rev:1;) alert tcp $HOME_NET any -> [167.71.248.226] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225908; rev:1;) alert tcp $HOME_NET any -> [37.205.13.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225907; rev:1;) alert tcp $HOME_NET any -> [54.206.46.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225906; rev:1;) alert tcp $HOME_NET any -> [54.164.14.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225905; rev:1;) alert tcp $HOME_NET any -> [191.101.234.152] 59623 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225904; rev:1;) alert tcp $HOME_NET any -> [174.138.29.229] 
443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225903; rev:1;) alert tcp $HOME_NET any -> [144.126.234.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225902; rev:1;) alert tcp $HOME_NET any -> [35.232.55.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225901; rev:1;) alert tcp $HOME_NET any -> [192.236.160.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225900; rev:1;) alert tcp $HOME_NET any -> [18.217.146.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225899; rev:1;) alert tcp $HOME_NET any -> [149.28.173.71] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225897/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225897; rev:1;) alert tcp $HOME_NET any -> [123.60.159.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225898; rev:1;) alert tcp $HOME_NET any -> [54.183.91.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225896; rev:1;) alert tcp $HOME_NET any -> [18.202.233.222] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225895; rev:1;) alert tcp $HOME_NET any -> [85.195.72.182] 4446 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225893; rev:1;) alert tcp $HOME_NET any -> [3.22.32.238] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225894; rev:1;) alert tcp $HOME_NET any -> [85.195.72.182] 4444 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225892; rev:1;) alert tcp $HOME_NET any -> [85.195.72.182] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225891; rev:1;) alert tcp $HOME_NET any -> [34.78.103.0] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225890; rev:1;) alert tcp $HOME_NET any -> [204.152.203.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225889; rev:1;) alert tcp $HOME_NET any -> [34.234.235.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225888; rev:1;) alert tcp $HOME_NET any -> [95.0.207.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225887/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225887; rev:1;) alert tcp $HOME_NET any -> [85.195.88.85] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225886; rev:1;) alert tcp $HOME_NET any -> [85.195.88.85] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225885; rev:1;) alert tcp $HOME_NET any -> [16.171.47.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225884; rev:1;) alert tcp $HOME_NET any -> [146.190.173.139] 43333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.customerportalverify.store"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225882; rev:1;) alert tcp $HOME_NET any -> [49.113.78.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225881; rev:1;) alert tcp $HOME_NET any -> [47.108.191.153] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225880; rev:1;) alert tcp $HOME_NET any -> [121.40.61.32] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-92-206-177.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225878; rev:1;) alert tcp $HOME_NET any -> [118.107.7.237] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225877; rev:1;) alert tcp $HOME_NET any -> [185.196.10.32] 6004 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225876/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225876; rev:1;) alert tcp $HOME_NET any -> [209.250.254.13] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225875; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 52407 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225874; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 20086 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225873; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 54564 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225871; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 2990 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225872; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 54488 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225870; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 8159 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225868; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 11029 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225869; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 5902 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225867; rev:1;) alert tcp $HOME_NET any -> [197.146.76.15] 37747 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225866; rev:1;) alert tcp $HOME_NET any -> [43.248.100.54] 9881 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; 
sid:91225865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tracktheway.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achiversacademy.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225863; rev:1;) alert tcp $HOME_NET any -> [195.214.251.131] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225862; rev:1;) alert tcp $HOME_NET any -> [154.7.177.155] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abonnement-ferroviaire.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"e-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225859; rev:1;) alert tcp $HOME_NET any -> [82.146.63.254] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225858; rev:1;) alert tcp $HOME_NET any -> [91.92.241.133] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225857; rev:1;) alert tcp $HOME_NET any -> [143.198.72.108] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225856; rev:1;) alert tcp $HOME_NET any -> [78.178.154.228] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225855; rev:1;) alert tcp $HOME_NET any -> [8.134.207.212] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; 
sid:91225854; rev:1;) alert tcp $HOME_NET any -> [58.20.44.195] 13702 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225853/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_29; classtype:trojan-activity; sid:91225853; rev:1;) alert tcp $HOME_NET any -> [45.67.34.151] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225852/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_29; classtype:trojan-activity; sid:91225852; rev:1;) alert tcp $HOME_NET any -> [159.65.236.136] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225851/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_29; classtype:trojan-activity; sid:91225851; rev:1;) alert tcp $HOME_NET any -> [2.57.122.119] 36037 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225850/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_29; classtype:trojan-activity; sid:91225850; rev:1;) alert tcp $HOME_NET any -> [154.3.2.253] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225849; rev:1;) alert tcp $HOME_NET any -> [116.205.161.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225848; rev:1;) alert tcp $HOME_NET any -> [116.205.161.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225847; rev:1;) alert tcp $HOME_NET any -> [62.133.60.223] 61300 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225846; rev:1;) alert tcp $HOME_NET any -> [188.116.22.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225845; rev:1;) alert tcp $HOME_NET any -> [91.149.236.82] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225844; rev:1;) alert tcp $HOME_NET any -> [101.33.220.94] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225843; rev:1;) alert tcp $HOME_NET any -> [39.101.135.210] 888 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225842; rev:1;) alert tcp $HOME_NET any -> [8.138.104.161] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225841; rev:1;) alert tcp $HOME_NET any -> [81.71.15.38] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_29; classtype:trojan-activity; sid:91225840; rev:1;) alert tcp $HOME_NET any -> [20.196.198.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225838/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_29; classtype:trojan-activity; sid:91225838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9b366b94.php"; depth:13; nocase; http.host; content:"a0900918.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225836; rev:1;) alert tcp $HOME_NET any -> [141.255.153.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225835/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0899956.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225834; rev:1;) alert tcp $HOME_NET any -> [110.42.213.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225833; rev:1;) alert tcp $HOME_NET any -> [62.138.6.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divide/carofthemonth/dobacwl6pz"; depth:32; nocase; http.host; content:"d2ll6bzzm7brny.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"d2ll6bzzm7brny.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225831; rev:1;) alert tcp $HOME_NET any -> [111.230.244.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"111.229.187.212"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225828; rev:1;) alert tcp $HOME_NET any -> [47.109.104.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.109.104.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225826; rev:1;) alert tcp $HOME_NET any -> [117.72.36.189] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225819/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225819; rev:1;) alert tcp $HOME_NET any -> [188.116.22.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225818/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"80.66.89.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225816; rev:1;) alert tcp $HOME_NET any -> [80.66.89.68] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736632.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225814; rev:1;) alert tcp $HOME_NET any -> [134.119.180.92] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225813; rev:1;) alert tcp $HOME_NET any -> [75.119.154.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225812; rev:1;) alert tcp $HOME_NET any -> [54.38.97.233] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225811; rev:1;) alert tcp $HOME_NET any -> [190.94.251.194] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225810; rev:1;) alert tcp $HOME_NET any -> [20.111.41.168] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225809; rev:1;) alert tcp $HOME_NET any -> [20.216.46.144] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225808; rev:1;) alert tcp $HOME_NET any -> [13.42.123.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225806; rev:1;) alert tcp $HOME_NET any -> [8.213.33.187] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225807; rev:1;) alert tcp $HOME_NET any -> [159.89.100.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225805; rev:1;) alert tcp $HOME_NET any -> [172.190.223.7] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225804; rev:1;) alert tcp $HOME_NET any -> [172.190.223.7] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225803; rev:1;) alert tcp $HOME_NET any -> [4.227.186.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225802; rev:1;) alert tcp $HOME_NET any -> [52.162.33.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225801; rev:1;) alert tcp $HOME_NET any -> [141.94.246.124] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225799; rev:1;) alert tcp $HOME_NET any -> [149.202.70.35] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225800; rev:1;) alert tcp $HOME_NET any -> [144.126.198.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225798/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225798; rev:1;) alert tcp $HOME_NET any -> [20.23.248.14] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225797; rev:1;) alert tcp $HOME_NET any -> [3.140.199.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225795; rev:1;) alert tcp $HOME_NET any -> [114.115.138.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225796; rev:1;) alert tcp $HOME_NET any -> [197.248.7.6] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225794; rev:1;) alert tcp $HOME_NET any -> [66.94.101.14] 8044 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225793; rev:1;) alert tcp $HOME_NET any -> [66.94.101.14] 443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225792; rev:1;) alert tcp $HOME_NET any -> [18.194.227.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225791; rev:1;) alert tcp $HOME_NET any -> [18.194.227.157] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225790; rev:1;) alert tcp $HOME_NET any -> [13.228.103.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225788; rev:1;) alert tcp $HOME_NET any -> [103.176.145.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225789; rev:1;) alert tcp $HOME_NET any -> [179.43.127.184] 2087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225787/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225787; rev:1;) alert tcp $HOME_NET any -> [43.128.12.149] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225786; rev:1;) alert tcp $HOME_NET any -> [104.236.9.95] 4207 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225784; rev:1;) alert tcp $HOME_NET any -> [104.236.9.95] 4211 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225785; rev:1;) alert tcp $HOME_NET any -> [146.59.225.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225783; rev:1;) alert tcp $HOME_NET any -> [3.128.180.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225782; rev:1;) alert tcp $HOME_NET any -> [35.77.82.50] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225781; rev:1;) alert tcp $HOME_NET any -> [18.158.191.160] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225779; rev:1;) alert tcp $HOME_NET any -> [45.15.24.88] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225778; rev:1;) alert tcp $HOME_NET any -> [54.38.164.244] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225777; rev:1;) alert tcp $HOME_NET any -> [200.69.21.128] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225776; rev:1;) alert tcp $HOME_NET any -> [146.59.15.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225775; rev:1;) alert tcp $HOME_NET any -> [58.87.159.120] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225774; rev:1;) alert tcp $HOME_NET any -> [18.195.162.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225773; rev:1;) alert tcp $HOME_NET any -> [18.195.162.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225772; rev:1;) alert tcp $HOME_NET any -> [139.59.32.234] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225771; rev:1;) alert tcp $HOME_NET any -> [39.98.35.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225770; rev:1;) alert tcp $HOME_NET any -> [139.180.166.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225769; rev:1;) alert tcp $HOME_NET any -> [157.245.218.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225768; rev:1;) alert tcp $HOME_NET any -> [134.122.10.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225767; rev:1;) alert tcp $HOME_NET any -> [20.89.234.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225766; rev:1;) alert tcp $HOME_NET any -> [178.62.5.246] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225765; rev:1;) alert tcp $HOME_NET any -> [210.12.133.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91225764; rev:1;) alert tcp $HOME_NET any -> [49.234.51.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225763; rev:1;) alert tcp $HOME_NET any -> [24.199.66.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225762; rev:1;) alert tcp $HOME_NET any -> [18.212.170.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225761; rev:1;) alert tcp $HOME_NET any -> [135.181.254.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225760; rev:1;) alert tcp $HOME_NET any -> [52.220.228.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225759; rev:1;) alert tcp $HOME_NET any -> [193.70.0.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1225758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225758; rev:1;) alert tcp $HOME_NET any -> [82.156.140.143] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225757; rev:1;) alert tcp $HOME_NET any -> [159.203.72.93] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225755; rev:1;) alert tcp $HOME_NET any -> [18.190.91.186] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225756; rev:1;) alert tcp $HOME_NET any -> [128.199.92.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225754; rev:1;) alert tcp $HOME_NET any -> [149.88.77.202] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225753; rev:1;) alert tcp $HOME_NET 
any -> [181.32.156.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225751; rev:1;) alert tcp $HOME_NET any -> [181.32.156.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225752; rev:1;) alert tcp $HOME_NET any -> [51.68.228.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225750; rev:1;) alert tcp $HOME_NET any -> [34.250.204.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225749; rev:1;) alert tcp $HOME_NET any -> [13.234.79.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225748; rev:1;) alert tcp $HOME_NET any -> [65.109.118.86] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225746; rev:1;) alert tcp $HOME_NET any -> [162.243.165.216] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225747; rev:1;) alert tcp $HOME_NET any -> [34.227.101.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225745; rev:1;) alert tcp $HOME_NET any -> [131.188.31.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225744; rev:1;) alert tcp $HOME_NET any -> [178.62.41.221] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225743; rev:1;) alert tcp $HOME_NET any -> [103.102.234.58] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225741; rev:1;) alert tcp $HOME_NET any -> [134.122.20.237] 
81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225742; rev:1;) alert tcp $HOME_NET any -> [66.11.18.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225740; rev:1;) alert tcp $HOME_NET any -> [81.70.79.31] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225739; rev:1;) alert tcp $HOME_NET any -> [13.39.25.217] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225738; rev:1;) alert tcp $HOME_NET any -> [13.39.25.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225737; rev:1;) alert tcp $HOME_NET any -> [13.39.25.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225736/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225736; rev:1;) alert tcp $HOME_NET any -> [20.241.99.208] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225735; rev:1;) alert tcp $HOME_NET any -> [178.79.181.61] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225734; rev:1;) alert tcp $HOME_NET any -> [52.29.207.161] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225733; rev:1;) alert tcp $HOME_NET any -> [52.29.207.161] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225732; rev:1;) alert tcp $HOME_NET any -> [116.233.73.59] 8090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225731; rev:1;) alert tcp $HOME_NET any -> [54.38.97.235] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225730; rev:1;) alert tcp $HOME_NET any -> [13.233.109.136] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225729; rev:1;) alert tcp $HOME_NET any -> [144.126.137.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225728; rev:1;) alert tcp $HOME_NET any -> [18.119.61.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225726; rev:1;) alert tcp $HOME_NET any -> [52.15.149.93] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225727; rev:1;) alert tcp $HOME_NET any -> [34.243.235.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225725/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91225725; rev:1;) alert tcp $HOME_NET any -> [45.144.136.214] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225724; rev:1;) alert tcp $HOME_NET any -> [31.220.100.215] 33333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225723; rev:1;) alert tcp $HOME_NET any -> [20.62.235.251] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225722; rev:1;) alert tcp $HOME_NET any -> [134.119.180.90] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w1.avenueconsulting.co"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"cdn.aa.aeromexico.foundation"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sso.outlook.nerdwriter.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okta.outlook.nerdwriter.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225717; rev:1;) alert tcp $HOME_NET any -> [47.115.203.216] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225716; rev:1;) alert tcp $HOME_NET any -> [139.155.149.246] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225715; rev:1;) alert tcp $HOME_NET any -> [182.254.222.209] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225714; rev:1;) alert tcp $HOME_NET any -> [101.35.240.162] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nano.gradingran.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225712; rev:1;) alert tcp $HOME_NET any -> [172.232.23.58] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225711; rev:1;) alert tcp $HOME_NET any -> [15.235.3.1] 2000 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"472-track.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225709; rev:1;) alert tcp $HOME_NET any -> 
[212.13.186.180] 40000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225708; rev:1;) alert tcp $HOME_NET any -> [88.214.56.145] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225707; rev:1;) alert tcp $HOME_NET any -> [88.214.56.145] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225706; rev:1;) alert tcp $HOME_NET any -> [31.220.103.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225705; rev:1;) alert tcp $HOME_NET any -> [43.156.140.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225704; rev:1;) alert tcp $HOME_NET any -> [124.220.101.173] 10011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225703/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225703; rev:1;) alert tcp $HOME_NET any -> [34.28.72.212] 40003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225702; rev:1;) alert tcp $HOME_NET any -> [1.15.247.249] 1356 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225700; rev:1;) alert tcp $HOME_NET any -> [38.47.106.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225701; rev:1;) alert tcp $HOME_NET any -> [88.214.26.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225699; rev:1;) alert tcp $HOME_NET any -> [74.48.77.162] 52626 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225698; rev:1;) alert tcp $HOME_NET any -> [120.76.248.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225697; rev:1;) alert tcp $HOME_NET any -> [23.105.214.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225695; rev:1;) alert tcp $HOME_NET any -> [47.92.28.109] 2011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225696; rev:1;) alert tcp $HOME_NET any -> [119.3.215.198] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.myappsec.eu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225693; rev:1;) alert tcp $HOME_NET any -> [43.142.130.67] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225692/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91225692; rev:1;) alert tcp $HOME_NET any -> [1.117.69.82] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225691/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225691; rev:1;) alert tcp $HOME_NET any -> [212.70.96.106] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225690/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225690; rev:1;) alert tcp $HOME_NET any -> [51.211.216.76] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225689/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225689; rev:1;) alert tcp $HOME_NET any -> [83.110.92.202] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225688/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225688; rev:1;) alert tcp $HOME_NET any -> [86.96.74.166] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225687/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"146.70.80.25"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1225678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"potasus000.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225679/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbffpth/"; depth:9; nocase; http.host; content:"85.209.176.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225680/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbffpth/"; depth:9; nocase; http.host; content:"85.209.176.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225681/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbffpth/"; depth:9; nocase; http.host; content:"alinmamisd0main1.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225682/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbffpth/"; depth:9; nocase; http.host; content:"alinmamisd0main2.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225683/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225683; rev:1;) alert tcp $HOME_NET any -> [43.132.69.14] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225686/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225686; rev:1;) alert tcp $HOME_NET any -> [222.88.56.101] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225685/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225685; rev:1;) alert tcp $HOME_NET any -> [5.42.65.45] 50000 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225684/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225684; rev:1;) alert tcp $HOME_NET any -> [89.23.113.50] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225677/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225677; rev:1;) alert tcp $HOME_NET any -> [193.228.91.148] 3790 (msg:"ThreatFox Meterpreter botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225676/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225676; rev:1;) alert tcp $HOME_NET any -> [105.99.41.105] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225675; rev:1;) alert tcp $HOME_NET any -> [85.195.150.135] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225674; rev:1;) alert tcp $HOME_NET any -> [105.100.49.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225672; rev:1;) alert tcp $HOME_NET any -> [85.209.176.178] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225670/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91225670; rev:1;) alert tcp $HOME_NET any -> [195.3.223.172] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225671; rev:1;) alert tcp $HOME_NET any -> [85.209.176.178] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225669; rev:1;) alert tcp $HOME_NET any -> [194.33.191.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kmickejbb9.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kmickejbb9.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"ycs1zoajfcvie68akszu.de"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"32e6dwbbpg.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weltonfamily.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yaaascreative.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freeframedrum.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jazyrippo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1225661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peterdanford.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vincilounge.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2096481.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gulfwindnrhs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.drinkyourbuzz.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2201611.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getkidnected.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahdcorp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fervent-wright.206-166-251-52.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rackattackrentals.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225650; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ufcmmatv.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.petiakremen.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ondrlve.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.206-166-251-52.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaqity.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.usjapantv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nydailytv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.laliga77.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tucsonphoenix.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"193-149-185-196.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn185481911.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1225640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyrentlandcontract.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunkpapapay.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shipspress.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warrenrudman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.193-149-185-196.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.172-86-75-66.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.comediandatabase.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qousahaff.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta0.agungpodomoroland.co"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal.hmailr.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pctprogram.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pihe.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wingbuffet.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.chessprize.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.uriramenperu.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myeterwallet.com"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.194-5-249-103.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.5starfreelancer.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brisakelocor.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simvion.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.45-61-136-22.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225618/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"audio-alliance.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.193-149-185-196.cprapid.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brojizuza.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prengine.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"172-86-75-66.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91225613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2120052.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensfast.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.oxfordlightworks.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.censormycrush.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jjshoppingmart.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"v2155737.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirtaulpary.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2155723.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannabisfamily.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subacademical.tk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asymmetricpartnership.com"; 
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manjuskploman.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olimpysgamez.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestresulth.beauty"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modest-joliot.172-86-75-163.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.uriramenperu.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1225598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chessprize.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.anaboliksteroidsatinal9.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tv1sf.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.45-61-136-22.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sino-areing.loan"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.saigoncater.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infin8love.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prokeen.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.besttrademarklawyers.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225588; rev:1;) alert tcp $HOME_NET any -> [159.89.255.240] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225587; rev:1;) alert tcp $HOME_NET any -> [157.245.223.91] 5000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225586; rev:1;) alert tcp $HOME_NET any -> [154.243.252.14] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225585; rev:1;) alert tcp $HOME_NET any -> [91.92.254.174] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225584; rev:1;) alert tcp $HOME_NET any -> [179.14.8.10] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225583; rev:1;) alert tcp $HOME_NET any -> [191.82.196.250] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailer.expandtrack.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225581/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1510385.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-129-227-114.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-bancsabadell-info.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1800747-vm37545.twc1.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pedaret.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225576; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-ruralvia-info.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ded959.hostwindsdns.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225574; rev:1;) alert tcp $HOME_NET any -> [91.92.248.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225573; rev:1;) alert tcp $HOME_NET any -> [91.109.178.9] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225572; rev:1;) alert tcp $HOME_NET any -> [217.12.200.158] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225571; rev:1;) alert tcp $HOME_NET any -> [91.92.243.45] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1225570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225570; rev:1;) alert tcp $HOME_NET any -> [88.214.56.145] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225569; rev:1;) alert tcp $HOME_NET any -> [88.214.56.145] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225568; rev:1;) alert tcp $HOME_NET any -> [211.149.165.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225567; rev:1;) alert tcp $HOME_NET any -> [107.189.3.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225566; rev:1;) alert tcp $HOME_NET any -> [4.227.189.73] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225565/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_28; classtype:trojan-activity; sid:91225565; rev:1;) alert tcp $HOME_NET any -> [146.190.211.40] 
31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225564/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_28; classtype:trojan-activity; sid:91225564; rev:1;) alert tcp $HOME_NET any -> [47.109.55.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225563/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_28; classtype:trojan-activity; sid:91225563; rev:1;) alert tcp $HOME_NET any -> [91.92.254.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225562/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_28; classtype:trojan-activity; sid:91225562; rev:1;) alert tcp $HOME_NET any -> [134.209.244.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225561/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_28; classtype:trojan-activity; sid:91225561; rev:1;) alert tcp $HOME_NET any -> [167.71.135.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225560/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_28; classtype:trojan-activity; sid:91225560; rev:1;) alert tcp $HOME_NET any -> [159.223.221.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225559/; target:src_ip; metadata: confidence_level 90, first_seen 
2023_12_28; classtype:trojan-activity; sid:91225559; rev:1;) alert tcp $HOME_NET any -> [47.109.104.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225558; rev:1;) alert tcp $HOME_NET any -> [146.70.87.134] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225557; rev:1;) alert tcp $HOME_NET any -> [114.115.248.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225556; rev:1;) alert tcp $HOME_NET any -> [176.32.38.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225555; rev:1;) alert tcp $HOME_NET any -> [23.95.197.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225554; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 4801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225553; rev:1;) alert tcp $HOME_NET any -> [222.137.199.71] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225552; rev:1;) alert tcp $HOME_NET any -> [47.101.155.249] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-121-37-210-39.compute.hwclouds-dns.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"token-tactics-captureserver.eastus.cloudapp.azure.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"124.223.189.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"116.205.161.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.103.20.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"91.149.236.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"m.dwb789.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"23.95.197.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.120.50.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.41.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"82.157.153.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/mwkru-hytoycqt-hf63baudhjrkwrqbgpdf"; depth:53; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"rendnar.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225548/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_28; classtype:trojan-activity; sid:91225548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225535; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225536/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seismicsisterhood.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mynd5.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bigscreenthrills.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.team-speak.r2283.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"handsofgodfoundation.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225529; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.foodpantrybestpractices.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.avenueconsulting.co"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.brannptonbrick.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jebmefals.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foremostsgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"mail10.email.gov.aisp.ps"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autologon.huenumilla.cl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adsmanager-graph.eyardimgov.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.stats.paypal.secureapp.tools"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"employees.carlsberg.site"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fusion.ps.gov.aisp.ps"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.google.secureapp.tools"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"business.eyardimgov.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.huenumilla.cl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login-us.huenumilla.cl"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adsmanager.eyardimgov.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1225514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graph.eyardimgov.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"browser.huenumilla.cl"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sso.drivevvyze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.avenueconsulting.co"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"live.huenumilla.cl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225507/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91225507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"106.55.186.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.avenueconsulting.co"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collector.logins.services"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure.duevolostore.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.huenumilla.cl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225505/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91225505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.avenueconsulting.co"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive.google.secureapp.tools"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c6.customerportalverify.store"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.factset.company"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smetrics.aa.aeromexico.foundation"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225499; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.carlsberg.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"github.logins.services"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.239.70.140.128.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitcdemo-com.huenumilla.cl"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"book.qantas.aeromexico.foundation"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avenueconsulting.co"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcasproxy.huenumilla.cl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qantas.aeromexico.foundation"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85.114.106.22.fusion.ps.gov.aisp.ps"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.aa.aeromexico.foundation"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"smtc.qantas.aeromexico.foundation"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"193.227.160.130.gov.aisp.ps"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook-1.huenumilla.cl"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook-us.huenumilla.cl"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"passwords.dordaa.at"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.qantas.aeromexico.foundation"; depth:35; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"documentsigningonline.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us.azureauth-duo.factset.company"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isf.gov.lb.gov.aisp.ps"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.qantas.aeromexico.foundation"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal.carlsberg.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1225477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.mod.gov.eg.gov.aisp.ps"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fusion.os.gov.aisp.ps"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.avenueconsulting.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sts.securedocumentservices.ca"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-230-9-163.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225473/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"173-255-196-101.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1225472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225472; rev:1;) alert tcp $HOME_NET any -> [15.235.26.137] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225471/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225471; rev:1;) alert tcp $HOME_NET any -> [103.150.10.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225470/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"80.66.89.157"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.157"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225468; rev:1;) alert tcp $HOME_NET any -> [80.66.89.157] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225465; rev:1;) alert tcp $HOME_NET any -> [213.248.43.100] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225466; rev:1;) alert tcp $HOME_NET any -> [91.149.237.145] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225463/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225463; rev:1;) alert tcp $HOME_NET any -> [88.214.27.53] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225462/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.71.130.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"42.51.45.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225460; rev:1;) alert tcp $HOME_NET any -> [185.231.153.14] 6984 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225459; rev:1;) alert tcp $HOME_NET any -> [119.91.145.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"119.91.145.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225457; rev:1;) alert tcp $HOME_NET any -> [172.203.164.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/fp/vcswowebnwke13pbndskuvee8lhx54"; depth:47; nocase; http.host; content:"172.203.164.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225455; rev:1;) alert tcp $HOME_NET any -> [193.233.132.55] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225454; rev:1;) alert tcp $HOME_NET any -> [43.138.41.32] 7000 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225453/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225453; rev:1;) alert tcp $HOME_NET any -> [46.246.82.21] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225452/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225452; rev:1;) alert tcp $HOME_NET any -> [103.30.77.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225451/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225451; rev:1;) alert tcp $HOME_NET any -> [198.13.36.52] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225450/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225450; rev:1;) alert tcp $HOME_NET any -> [172.104.67.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjq5ndrmzmvlndi4/"; depth:18; nocase; http.host; content:"ruuuajajs122.ru"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1224092/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224092; rev:1;) alert tcp $HOME_NET any -> [22.51.41.5] 5677 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224093; rev:1;) alert tcp $HOME_NET any -> [39.105.223.243] 4447 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjq5ndrmzmvlndi4/"; depth:18; nocase; http.host; content:"ccuaayay2.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224090/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjq5ndrmzmvlndi4/"; depth:18; nocase; http.host; content:"essmeel1ccc.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224091/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/zjq5ndrmzmvlndi4/"; depth:18; nocase; http.host; content:"194.33.191.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224088/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjq5ndrmzmvlndi4/"; depth:18; nocase; http.host; content:"babawwe2aa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224089/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"pasaoglu48abc.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224086/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"bapasagkk33.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224087/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91224087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"proexbit.com"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1224082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/news.php"; depth:15; nocase; http.host; content:"proexbit.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qzwewmrqqgqnaww.php"; depth:20; nocase; http.host; content:"proexbit.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224083; rev:1;) alert tcp $HOME_NET any -> [1.94.36.75] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224096; rev:1;) alert tcp $HOME_NET any -> [101.34.116.46] 32266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; 
nocase; http.host; content:"log-c9f407.biiibiiii.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224098; rev:1;) alert tcp $HOME_NET any -> [114.115.242.242] 7891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"falsifydisappearsoaeka.pw"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/login.php"; depth:16; nocase; http.host; content:"cbinr.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"107.151.244.121"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225448; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"107.151.244.121"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225449; rev:1;) alert tcp $HOME_NET any -> [144.91.79.158] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225446/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225446; rev:1;) alert tcp $HOME_NET any -> [192.3.1.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225445/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225445; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 17450 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225444; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 17450 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225443; rev:1;) alert tcp $HOME_NET any -> [4.233.76.182] 4876 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info__testge"; depth:13; nocase; http.host; content:"159.75.97.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"144.168.60.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.222.247.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dist/css/bootstrap.min.css"; depth:27; nocase; http.host; content:"101.42.223.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225435; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.3.113.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.115.213.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225431; rev:1;) alert tcp $HOME_NET any -> [20.196.198.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/printenv/d2udlm17"; depth:24; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1225429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91225429; rev:1;) alert tcp $HOME_NET any -> [140.82.20.165] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225428/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_28; classtype:trojan-activity; sid:91225428; rev:1;) alert tcp $HOME_NET any -> [195.20.16.103] 20440 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225427; rev:1;) alert tcp $HOME_NET any -> [5.135.250.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225426; rev:1;) alert tcp $HOME_NET any -> [134.122.85.181] 8634 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225425; rev:1;) alert tcp $HOME_NET any -> [16.16.74.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225424; rev:1;) alert tcp $HOME_NET any -> [15.228.245.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1225423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225423; rev:1;) alert tcp $HOME_NET any -> [54.144.121.169] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225422; rev:1;) alert tcp $HOME_NET any -> [20.23.141.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225421; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10243 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225420; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10236 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225419; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225418; rev:1;) alert tcp 
$HOME_NET any -> [159.203.185.185] 10073 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225417; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10179 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225415; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10066 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225416; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10122 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225414; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10120 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225413; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10116 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1225412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225412; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10094 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225411; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10245 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225410; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10244 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225409; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225408; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10121 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225406; rev:1;) alert tcp 
$HOME_NET any -> [159.203.185.185] 10065 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225407; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10102 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225405; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10101 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225404; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225403; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10049 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225402; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10218 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1225401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225401; rev:1;) alert tcp $HOME_NET any -> [151.80.216.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225399; rev:1;) alert tcp $HOME_NET any -> [159.203.185.185] 10126 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225400; rev:1;) alert tcp $HOME_NET any -> [116.203.232.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225398; rev:1;) alert tcp $HOME_NET any -> [194.163.161.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225397; rev:1;) alert tcp $HOME_NET any -> [188.42.44.214] 8078 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225396; rev:1;) alert tcp $HOME_NET any 
-> [34.216.241.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225395; rev:1;) alert tcp $HOME_NET any -> [54.37.64.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225394; rev:1;) alert tcp $HOME_NET any -> [172.105.83.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225393; rev:1;) alert tcp $HOME_NET any -> [195.35.17.92] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225392; rev:1;) alert tcp $HOME_NET any -> [18.218.253.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225391; rev:1;) alert tcp $HOME_NET any -> [3.16.12.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225389; rev:1;) alert tcp $HOME_NET any -> [54.171.73.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225390; rev:1;) alert tcp $HOME_NET any -> [128.199.26.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225388; rev:1;) alert tcp $HOME_NET any -> [140.210.94.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225387; rev:1;) alert tcp $HOME_NET any -> [66.70.238.186] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225386; rev:1;) alert tcp $HOME_NET any -> [45.33.30.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225385; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30007 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225384; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225383; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30048 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225382; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30023 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225381; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30012 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225380; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225378/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225378; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225379; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30024 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225377; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30021 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225376; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30013 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225375; rev:1;) alert tcp $HOME_NET any -> [158.160.66.136] 21312 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225374; rev:1;) alert tcp $HOME_NET any -> [167.172.135.161] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225373; rev:1;) alert tcp $HOME_NET any -> [159.75.150.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225372; rev:1;) alert tcp $HOME_NET any -> [92.222.217.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225371; rev:1;) alert tcp $HOME_NET any -> [43.143.120.191] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225369; rev:1;) alert tcp $HOME_NET any -> [167.71.11.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225370; rev:1;) alert tcp $HOME_NET any -> [138.197.136.213] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225368/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225368; rev:1;) alert tcp $HOME_NET any -> [51.68.104.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225367; rev:1;) alert tcp $HOME_NET any -> [51.103.112.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225365; rev:1;) alert tcp $HOME_NET any -> [203.188.11.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225364; rev:1;) alert tcp $HOME_NET any -> [175.100.110.179] 8833 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225363; rev:1;) alert tcp $HOME_NET any -> [101.43.143.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225362; rev:1;) alert tcp $HOME_NET any -> [132.148.81.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225361; rev:1;) alert tcp $HOME_NET any -> [34.254.205.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225360; rev:1;) alert tcp $HOME_NET any -> [104.211.42.188] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225359; rev:1;) alert tcp $HOME_NET any -> [18.136.154.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225357; rev:1;) alert tcp $HOME_NET any -> [200.219.214.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225358; rev:1;) alert tcp $HOME_NET any -> [8.210.70.232] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225356/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91225356; rev:1;) alert tcp $HOME_NET any -> [156.67.10.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225355; rev:1;) alert tcp $HOME_NET any -> [131.188.31.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225354; rev:1;) alert tcp $HOME_NET any -> [178.250.174.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225353; rev:1;) alert tcp $HOME_NET any -> [195.35.16.122] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225352; rev:1;) alert tcp $HOME_NET any -> [200.68.55.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225351; rev:1;) alert tcp $HOME_NET any -> [161.35.245.96] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225350; rev:1;) alert tcp $HOME_NET any -> [185.170.247.7] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225349; rev:1;) alert tcp $HOME_NET any -> [108.136.158.95] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225348; rev:1;) alert tcp $HOME_NET any -> [172.162.243.153] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225347; rev:1;) alert tcp $HOME_NET any -> [82.165.97.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225346; rev:1;) alert tcp $HOME_NET any -> [165.22.115.73] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225345; rev:1;) alert tcp $HOME_NET any -> [16.170.226.95] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225343; rev:1;) alert tcp $HOME_NET any -> [18.214.186.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225344; rev:1;) alert tcp $HOME_NET any -> [188.212.124.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225342; rev:1;) alert tcp $HOME_NET any -> [18.197.25.36] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225341; rev:1;) alert tcp $HOME_NET any -> [146.190.21.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225340; rev:1;) alert tcp $HOME_NET any -> [128.140.75.103] 1920 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225339; rev:1;) alert tcp $HOME_NET any -> [141.94.206.116] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225337; rev:1;) alert tcp $HOME_NET any -> [54.37.13.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225338; rev:1;) alert tcp $HOME_NET any -> [189.38.106.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225336; rev:1;) alert tcp $HOME_NET any -> [193.70.111.169] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225335; rev:1;) alert tcp $HOME_NET any -> [206.237.28.41] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91225334; rev:1;) alert tcp $HOME_NET any -> [87.106.229.86] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225332; rev:1;) alert tcp $HOME_NET any -> [13.38.250.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225333; rev:1;) alert tcp $HOME_NET any -> [170.205.27.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225331; rev:1;) alert tcp $HOME_NET any -> [188.165.39.201] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225330; rev:1;) alert tcp $HOME_NET any -> [180.232.30.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225329; rev:1;) alert tcp $HOME_NET any -> [149.100.159.30] 3399 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225328; rev:1;) alert tcp $HOME_NET any -> [106.53.69.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225326; rev:1;) alert tcp $HOME_NET any -> [182.92.235.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225327; rev:1;) alert tcp $HOME_NET any -> [18.159.172.65] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225325; rev:1;) alert tcp $HOME_NET any -> [44.196.127.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225324; rev:1;) alert tcp $HOME_NET any -> [47.99.186.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225323; rev:1;) alert tcp 
$HOME_NET any -> [20.108.154.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225322; rev:1;) alert tcp $HOME_NET any -> [20.24.191.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225321; rev:1;) alert tcp $HOME_NET any -> [34.135.93.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225320; rev:1;) alert tcp $HOME_NET any -> [128.140.33.227] 1920 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225318; rev:1;) alert tcp $HOME_NET any -> [34.135.93.92] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225319; rev:1;) alert tcp $HOME_NET any -> [20.61.131.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225317; rev:1;) alert tcp $HOME_NET any -> [46.41.148.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225316; rev:1;) alert tcp $HOME_NET any -> [5.78.86.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225315; rev:1;) alert tcp $HOME_NET any -> [54.203.159.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225314; rev:1;) alert tcp $HOME_NET any -> [44.197.172.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225313; rev:1;) alert tcp $HOME_NET any -> [143.110.250.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225312; rev:1;) alert tcp $HOME_NET any -> [52.14.61.254] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225311; rev:1;) alert tcp $HOME_NET any -> [106.53.78.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225310; rev:1;) alert tcp $HOME_NET any -> [116.203.67.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225308; rev:1;) alert tcp $HOME_NET any -> [50.112.139.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225309; rev:1;) alert tcp $HOME_NET any -> [16.170.143.197] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225307; rev:1;) alert tcp $HOME_NET any -> [135.125.132.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225306/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225306; rev:1;) alert tcp $HOME_NET any -> [185.111.88.39] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225304; rev:1;) alert tcp $HOME_NET any -> [112.170.142.221] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225305; rev:1;) alert tcp $HOME_NET any -> [35.227.148.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225303; rev:1;) alert tcp $HOME_NET any -> [87.106.91.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225302; rev:1;) alert tcp $HOME_NET any -> [54.198.43.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225300; rev:1;) alert tcp $HOME_NET any -> [89.22.173.157] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225301; rev:1;) alert tcp $HOME_NET any -> [3.125.10.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225299; rev:1;) alert tcp $HOME_NET any -> [142.171.143.201] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225298; rev:1;) alert tcp $HOME_NET any -> [218.255.89.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225297; rev:1;) alert tcp $HOME_NET any -> [107.174.186.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225296; rev:1;) alert tcp $HOME_NET any -> [170.64.165.184] 43333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225295/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225295; rev:1;) alert tcp $HOME_NET any -> [34.175.0.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225294; rev:1;) alert tcp $HOME_NET any -> [190.151.54.98] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225293; rev:1;) alert tcp $HOME_NET any -> [158.160.44.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225292; rev:1;) alert tcp $HOME_NET any -> [3.6.90.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225291; rev:1;) alert tcp $HOME_NET any -> [82.165.54.120] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225289; rev:1;) alert tcp $HOME_NET any -> [20.151.117.227] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225290; rev:1;) alert tcp $HOME_NET any -> [153.127.54.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225288; rev:1;) alert tcp $HOME_NET any -> [46.41.148.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225287; rev:1;) alert tcp $HOME_NET any -> [85.72.47.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225286; rev:1;) alert tcp $HOME_NET any -> [85.72.47.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225285; rev:1;) alert tcp $HOME_NET any -> [153.126.143.55] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225283/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91225283; rev:1;) alert tcp $HOME_NET any -> [20.188.118.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225284; rev:1;) alert tcp $HOME_NET any -> [208.167.242.223] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225282; rev:1;) alert tcp $HOME_NET any -> [35.85.54.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225281; rev:1;) alert tcp $HOME_NET any -> [167.99.249.106] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225280; rev:1;) alert tcp $HOME_NET any -> [35.192.3.60] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225279; rev:1;) alert tcp $HOME_NET any -> [132.148.76.116] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225278; rev:1;) alert tcp $HOME_NET any -> [132.148.76.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225277; rev:1;) alert tcp $HOME_NET any -> [109.168.100.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225276; rev:1;) alert tcp $HOME_NET any -> [51.210.101.32] 7896 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225275; rev:1;) alert tcp $HOME_NET any -> [66.228.59.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225273; rev:1;) alert tcp $HOME_NET any -> [18.143.227.186] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225274; rev:1;) alert tcp $HOME_NET any -> [150.158.186.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225272; rev:1;) alert tcp $HOME_NET any -> [128.199.78.2] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225271; rev:1;) alert tcp $HOME_NET any -> [60.204.134.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225270; rev:1;) alert tcp $HOME_NET any -> [192.53.122.65] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225269; rev:1;) alert tcp $HOME_NET any -> [106.52.129.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225267; rev:1;) alert tcp $HOME_NET any -> [45.252.182.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225268; rev:1;) alert tcp $HOME_NET any -> [85.215.107.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225266; rev:1;) alert tcp $HOME_NET any -> [52.65.255.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225264; rev:1;) alert tcp $HOME_NET any -> [59.110.233.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225265; rev:1;) alert tcp $HOME_NET any -> [138.197.224.48] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225263; rev:1;) alert tcp $HOME_NET any -> [52.139.19.227] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91225262; rev:1;) alert tcp $HOME_NET any -> [44.218.165.107] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225260; rev:1;) alert tcp $HOME_NET any -> [8.210.191.142] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225261; rev:1;) alert tcp $HOME_NET any -> [8.130.21.149] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225259; rev:1;) alert tcp $HOME_NET any -> [24.105.180.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225258; rev:1;) alert tcp $HOME_NET any -> [147.182.188.88] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225256; rev:1;) alert tcp $HOME_NET any -> [34.174.119.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225257; rev:1;) alert tcp $HOME_NET any -> [34.78.103.0] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225255; rev:1;) alert tcp $HOME_NET any -> [149.56.111.55] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225254; rev:1;) alert tcp $HOME_NET any -> [184.72.6.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225252; rev:1;) alert tcp $HOME_NET any -> [13.79.226.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225253; rev:1;) alert tcp $HOME_NET any -> [137.117.173.74] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225251; rev:1;) alert tcp 
$HOME_NET any -> [137.117.173.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225250; rev:1;) alert tcp $HOME_NET any -> [178.62.22.156] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225249; rev:1;) alert tcp $HOME_NET any -> [43.139.182.57] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225247; rev:1;) alert tcp $HOME_NET any -> [5.196.46.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225248; rev:1;) alert tcp $HOME_NET any -> [18.234.124.95] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225246; rev:1;) alert tcp $HOME_NET any -> [149.50.134.23] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225245; rev:1;) alert tcp $HOME_NET any -> [54.38.164.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225243; rev:1;) alert tcp $HOME_NET any -> [149.50.134.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225244; rev:1;) alert tcp $HOME_NET any -> [54.38.164.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225242; rev:1;) alert tcp $HOME_NET any -> [31.41.221.116] 10001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225241; rev:1;) alert tcp $HOME_NET any -> [37.205.13.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225240; rev:1;) alert tcp $HOME_NET any -> [79.98.9.72] 8443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225239; rev:1;) alert tcp $HOME_NET any -> [18.230.76.97] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225238; rev:1;) alert tcp $HOME_NET any -> [45.56.67.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225237; rev:1;) alert tcp $HOME_NET any -> [34.242.217.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225236; rev:1;) alert tcp $HOME_NET any -> [34.197.108.140] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225234; rev:1;) alert tcp $HOME_NET any -> [18.198.9.36] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225235/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225235; rev:1;) alert tcp $HOME_NET any -> [13.59.120.145] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225233; rev:1;) alert tcp $HOME_NET any -> [107.21.135.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225231; rev:1;) alert tcp $HOME_NET any -> [47.117.163.173] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225232; rev:1;) alert tcp $HOME_NET any -> [37.187.55.194] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225230; rev:1;) alert tcp $HOME_NET any -> [195.56.55.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225229; rev:1;) alert tcp $HOME_NET any -> [39.106.88.102] 64404 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225227; rev:1;) alert tcp $HOME_NET any -> [18.196.77.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225228; rev:1;) alert tcp $HOME_NET any -> [147.182.180.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225226; rev:1;) alert tcp $HOME_NET any -> [18.198.218.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225225; rev:1;) alert tcp $HOME_NET any -> [146.190.252.26] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225223; rev:1;) alert tcp $HOME_NET any -> [187.108.199.227] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225224/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225224; rev:1;) alert tcp $HOME_NET any -> [5.254.124.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225222; rev:1;) alert tcp $HOME_NET any -> [172.105.25.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225220; rev:1;) alert tcp $HOME_NET any -> [5.254.124.152] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225221; rev:1;) alert tcp $HOME_NET any -> [78.46.216.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225219; rev:1;) alert tcp $HOME_NET any -> [51.77.213.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225218; rev:1;) alert tcp $HOME_NET any -> [46.101.166.28] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225216; rev:1;) alert tcp $HOME_NET any -> [35.93.154.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225217; rev:1;) alert tcp $HOME_NET any -> [35.154.149.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225215; rev:1;) alert tcp $HOME_NET any -> [52.20.246.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225213; rev:1;) alert tcp $HOME_NET any -> [13.235.223.81] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225214; rev:1;) alert tcp $HOME_NET any -> [146.59.151.241] 3131 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225212/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91225212; rev:1;) alert tcp $HOME_NET any -> [75.2.31.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225211; rev:1;) alert tcp $HOME_NET any -> [166.70.130.13] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225209; rev:1;) alert tcp $HOME_NET any -> [182.42.104.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225210; rev:1;) alert tcp $HOME_NET any -> [128.199.107.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225208; rev:1;) alert tcp $HOME_NET any -> [13.125.244.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225206; rev:1;) alert tcp $HOME_NET any -> [34.244.119.239] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225204; rev:1;) alert tcp $HOME_NET any -> [3.135.161.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225205; rev:1;) alert tcp $HOME_NET any -> [170.187.196.231] 7189 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225203; rev:1;) alert tcp $HOME_NET any -> [123.249.86.134] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225202; rev:1;) alert tcp $HOME_NET any -> [43.138.225.196] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225200; rev:1;) alert tcp $HOME_NET any -> [51.250.70.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225201; rev:1;) alert tcp $HOME_NET any -> [51.178.16.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225199; rev:1;) alert tcp $HOME_NET any -> [51.124.200.117] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225198; rev:1;) alert tcp $HOME_NET any -> [47.98.101.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225196; rev:1;) alert tcp $HOME_NET any -> [47.98.101.92] 34332 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225197; rev:1;) alert tcp $HOME_NET any -> [54.66.160.126] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225195; rev:1;) alert tcp $HOME_NET any -> [85.99.252.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225193; rev:1;) alert tcp $HOME_NET any -> [49.13.81.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225194; rev:1;) alert tcp $HOME_NET any -> [187.72.219.2] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225192; rev:1;) alert tcp $HOME_NET any -> [164.92.223.34] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225191; rev:1;) alert tcp $HOME_NET any -> [43.138.197.33] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225190; rev:1;) alert tcp $HOME_NET any -> [82.165.110.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225189; 
rev:1;) alert tcp $HOME_NET any -> [34.92.85.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225187; rev:1;) alert tcp $HOME_NET any -> [159.89.206.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225188; rev:1;) alert tcp $HOME_NET any -> [54.254.57.196] 7109 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225186; rev:1;) alert tcp $HOME_NET any -> [4.193.117.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225185; rev:1;) alert tcp $HOME_NET any -> [151.80.216.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225183; rev:1;) alert tcp $HOME_NET any -> [18.167.137.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1225184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225184; rev:1;) alert tcp $HOME_NET any -> [124.222.8.31] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225182; rev:1;) alert tcp $HOME_NET any -> [148.135.4.108] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225181; rev:1;) alert tcp $HOME_NET any -> [46.101.213.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225179; rev:1;) alert tcp $HOME_NET any -> [107.174.241.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225180; rev:1;) alert tcp $HOME_NET any -> [64.226.101.32] 1616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225178; rev:1;) alert tcp $HOME_NET any -> 
[34.229.241.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225177; rev:1;) alert tcp $HOME_NET any -> [139.59.211.188] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225176; rev:1;) alert tcp $HOME_NET any -> [196.13.125.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225174; rev:1;) alert tcp $HOME_NET any -> [3.93.234.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225175; rev:1;) alert tcp $HOME_NET any -> [3.104.224.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225173; rev:1;) alert tcp $HOME_NET any -> [143.198.204.54] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225172; rev:1;) alert tcp $HOME_NET any -> [159.69.187.85] 403 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225171; rev:1;) alert tcp $HOME_NET any -> [157.230.5.88] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225170; rev:1;) alert tcp $HOME_NET any -> [68.183.254.0] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225168; rev:1;) alert tcp $HOME_NET any -> [107.173.87.205] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225169; rev:1;) alert tcp $HOME_NET any -> [172.171.230.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225167; rev:1;) alert tcp $HOME_NET any -> [35.202.208.26] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225166; rev:1;) alert tcp $HOME_NET any -> [13.39.89.28] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225165; rev:1;) alert tcp $HOME_NET any -> [43.135.139.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225164; rev:1;) alert tcp $HOME_NET any -> [173.249.30.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225162; rev:1;) alert tcp $HOME_NET any -> [185.101.159.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225163; rev:1;) alert tcp $HOME_NET any -> [163.182.172.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225161/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225161; rev:1;) alert tcp $HOME_NET any -> [18.198.35.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225159; rev:1;) alert tcp $HOME_NET any -> [18.144.170.50] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225160; rev:1;) alert tcp $HOME_NET any -> [157.100.241.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225158; rev:1;) alert tcp $HOME_NET any -> [3.8.88.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225156; rev:1;) alert tcp $HOME_NET any -> [34.123.246.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225157; rev:1;) alert tcp $HOME_NET any -> [128.199.214.73] 8443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225155; rev:1;) alert tcp $HOME_NET any -> [195.35.16.121] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225154; rev:1;) alert tcp $HOME_NET any -> [138.68.162.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225152; rev:1;) alert tcp $HOME_NET any -> [20.254.52.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225153; rev:1;) alert tcp $HOME_NET any -> [3.137.117.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225151; rev:1;) alert tcp $HOME_NET any -> [52.195.148.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225150/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225150; rev:1;) alert tcp $HOME_NET any -> [37.187.113.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225148; rev:1;) alert tcp $HOME_NET any -> [66.94.101.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225149; rev:1;) alert tcp $HOME_NET any -> [40.83.236.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225147; rev:1;) alert tcp $HOME_NET any -> [34.75.245.54] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225146; rev:1;) alert tcp $HOME_NET any -> [38.181.35.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225144; rev:1;) alert tcp $HOME_NET any -> [3.15.182.168] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225145; rev:1;) alert tcp $HOME_NET any -> [185.183.156.159] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225143; rev:1;) alert tcp $HOME_NET any -> [20.227.6.58] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225142; rev:1;) alert tcp $HOME_NET any -> [43.154.227.91] 63333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225141; rev:1;) alert tcp $HOME_NET any -> [20.86.59.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225139; rev:1;) alert tcp $HOME_NET any -> [13.233.118.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225140/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91225140; rev:1;) alert tcp $HOME_NET any -> [165.232.145.143] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225138; rev:1;) alert tcp $HOME_NET any -> [157.230.111.223] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225137; rev:1;) alert tcp $HOME_NET any -> [89.22.226.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225135; rev:1;) alert tcp $HOME_NET any -> [49.247.31.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225136; rev:1;) alert tcp $HOME_NET any -> [51.178.26.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225134; rev:1;) alert tcp $HOME_NET any -> [47.91.91.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225133; rev:1;) alert tcp $HOME_NET any -> [46.243.201.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225131; rev:1;) alert tcp $HOME_NET any -> [213.153.170.15] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225132; rev:1;) alert tcp $HOME_NET any -> [46.243.201.63] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225130; rev:1;) alert tcp $HOME_NET any -> [150.158.143.150] 9876 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225129; rev:1;) alert tcp $HOME_NET any -> [3.137.1.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225127; rev:1;) alert tcp $HOME_NET any -> [143.244.205.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225128; rev:1;) alert tcp $HOME_NET any -> [161.35.216.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225126; rev:1;) alert tcp $HOME_NET any -> [5.135.250.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225124; rev:1;) alert tcp $HOME_NET any -> [188.166.226.181] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225125; rev:1;) alert tcp $HOME_NET any -> [64.227.168.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225123; rev:1;) alert tcp $HOME_NET any -> [93.90.194.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225122; rev:1;) alert tcp $HOME_NET any -> [52.19.107.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225120; rev:1;) alert tcp $HOME_NET any -> [77.37.8.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225121; rev:1;) alert tcp $HOME_NET any -> [52.91.162.156] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225119; rev:1;) alert tcp $HOME_NET any -> [180.179.104.89] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225118; rev:1;) alert tcp $HOME_NET any -> [5.196.13.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225116; 
rev:1;) alert tcp $HOME_NET any -> [54.194.136.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225117; rev:1;) alert tcp $HOME_NET any -> [54.227.169.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225115; rev:1;) alert tcp $HOME_NET any -> [74.235.7.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225114; rev:1;) alert tcp $HOME_NET any -> [68.228.127.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225112; rev:1;) alert tcp $HOME_NET any -> [172.178.10.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225113; rev:1;) alert tcp $HOME_NET any -> [47.122.46.240] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1225111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225111; rev:1;) alert tcp $HOME_NET any -> [185.202.239.236] 92 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225109; rev:1;) alert tcp $HOME_NET any -> [148.251.38.52] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225110; rev:1;) alert tcp $HOME_NET any -> [85.214.241.229] 32770 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225108; rev:1;) alert tcp $HOME_NET any -> [45.33.6.199] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225107; rev:1;) alert tcp $HOME_NET any -> [159.65.208.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225106; rev:1;) alert tcp $HOME_NET any 
-> [82.157.47.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225104; rev:1;) alert tcp $HOME_NET any -> [135.125.237.120] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225105; rev:1;) alert tcp $HOME_NET any -> [83.229.82.251] 3132 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225103; rev:1;) alert tcp $HOME_NET any -> [150.95.83.81] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225101; rev:1;) alert tcp $HOME_NET any -> [71.66.189.3] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225102; rev:1;) alert tcp $HOME_NET any -> [47.100.115.24] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225100; rev:1;) alert tcp $HOME_NET any -> [149.129.235.72] 3030 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225098; rev:1;) alert tcp $HOME_NET any -> [59.79.168.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225099; rev:1;) alert tcp $HOME_NET any -> [4.194.241.224] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225097; rev:1;) alert tcp $HOME_NET any -> [5.75.189.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225096; rev:1;) alert tcp $HOME_NET any -> [82.214.84.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225095; rev:1;) alert tcp $HOME_NET any -> [51.81.110.248] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225093; rev:1;) alert tcp $HOME_NET any -> [120.48.24.155] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225094; rev:1;) alert tcp $HOME_NET any -> [201.234.38.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225092; rev:1;) alert tcp $HOME_NET any -> [1.12.36.65] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225091; rev:1;) alert tcp $HOME_NET any -> [47.96.59.126] 4333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225090; rev:1;) alert tcp $HOME_NET any -> [118.194.236.203] 12000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225088/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225088; rev:1;) alert tcp $HOME_NET any -> [132.226.135.159] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225089; rev:1;) alert tcp $HOME_NET any -> [47.103.20.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225087; rev:1;) alert tcp $HOME_NET any -> [157.245.233.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225086; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 30015 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225085; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 30006 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225083; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 30008 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225084; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 30028 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225082; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 30023 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225081; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 30021 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225080; rev:1;) alert tcp $HOME_NET any -> [165.227.165.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225078; rev:1;) alert tcp $HOME_NET any -> [65.108.59.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225079/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225079; rev:1;) alert tcp $HOME_NET any -> [13.95.86.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225077; rev:1;) alert tcp $HOME_NET any -> [101.43.73.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225076; rev:1;) alert tcp $HOME_NET any -> [3.81.252.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225074; rev:1;) alert tcp $HOME_NET any -> [37.205.12.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225075; rev:1;) alert tcp $HOME_NET any -> [52.175.22.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225073; rev:1;) alert tcp $HOME_NET any -> [15.222.44.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225072; rev:1;) alert tcp $HOME_NET any -> [3.140.236.129] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225071; rev:1;) alert tcp $HOME_NET any -> [44.211.197.71] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225069; rev:1;) alert tcp $HOME_NET any -> [47.100.69.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225070; rev:1;) alert tcp $HOME_NET any -> [141.94.207.160] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225068; rev:1;) alert tcp $HOME_NET any -> [3.78.227.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91225067; rev:1;) alert tcp $HOME_NET any -> [24.140.1.207] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225065; rev:1;) alert tcp $HOME_NET any -> [54.196.97.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225066; rev:1;) alert tcp $HOME_NET any -> [140.143.167.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225064; rev:1;) alert tcp $HOME_NET any -> [47.113.188.133] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225063; rev:1;) alert tcp $HOME_NET any -> [213.136.82.213] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225061; rev:1;) alert tcp $HOME_NET any -> [213.136.82.213] 3335 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225062; rev:1;) alert tcp $HOME_NET any -> [213.136.82.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225060; rev:1;) alert tcp $HOME_NET any -> [31.30.82.88] 5010 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225058; rev:1;) alert tcp $HOME_NET any -> [93.185.105.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225059; rev:1;) alert tcp $HOME_NET any -> [139.162.185.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225057; rev:1;) alert tcp $HOME_NET any -> [3.86.225.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91225056; rev:1;) alert tcp $HOME_NET any -> [45.112.178.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225054; rev:1;) alert tcp $HOME_NET any -> [44.209.219.169] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225055; rev:1;) alert tcp $HOME_NET any -> [34.83.73.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225053; rev:1;) alert tcp $HOME_NET any -> [119.91.147.98] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225052; rev:1;) alert tcp $HOME_NET any -> [178.128.122.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225051; rev:1;) alert tcp $HOME_NET any -> [18.177.51.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1225049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225049; rev:1;) alert tcp $HOME_NET any -> [178.128.122.5] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225050; rev:1;) alert tcp $HOME_NET any -> [120.55.160.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225048; rev:1;) alert tcp $HOME_NET any -> [45.56.119.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225046; rev:1;) alert tcp $HOME_NET any -> [61.238.150.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225047; rev:1;) alert tcp $HOME_NET any -> [51.104.229.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225045; rev:1;) alert tcp $HOME_NET 
any -> [81.23.10.114] 21312 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225044; rev:1;) alert tcp $HOME_NET any -> [209.97.184.117] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225043; rev:1;) alert tcp $HOME_NET any -> [188.166.136.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225042; rev:1;) alert tcp $HOME_NET any -> [159.89.82.201] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225041; rev:1;) alert tcp $HOME_NET any -> [137.74.194.210] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225040; rev:1;) alert tcp $HOME_NET any -> [3.95.131.210] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1225039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225039; rev:1;) alert tcp $HOME_NET any -> [93.95.229.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225038; rev:1;) alert tcp $HOME_NET any -> [34.101.107.95] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225037; rev:1;) alert tcp $HOME_NET any -> [185.233.107.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225036; rev:1;) alert tcp $HOME_NET any -> [52.11.1.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225035; rev:1;) alert tcp $HOME_NET any -> [101.33.202.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225034; rev:1;) alert tcp $HOME_NET any -> [54.197.166.204] 
3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225033; rev:1;) alert tcp $HOME_NET any -> [77.88.227.30] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225032; rev:1;) alert tcp $HOME_NET any -> [145.131.218.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225031; rev:1;) alert tcp $HOME_NET any -> [75.119.136.75] 3332 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225030; rev:1;) alert tcp $HOME_NET any -> [20.189.74.156] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225029; rev:1;) alert tcp $HOME_NET any -> [51.38.124.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225028/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225028; rev:1;) alert tcp $HOME_NET any -> [51.75.253.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225027; rev:1;) alert tcp $HOME_NET any -> [123.249.81.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225026; rev:1;) alert tcp $HOME_NET any -> [209.94.79.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225025; rev:1;) alert tcp $HOME_NET any -> [43.204.212.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225024; rev:1;) alert tcp $HOME_NET any -> [54.39.49.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225023; rev:1;) alert tcp $HOME_NET any -> [43.139.157.126] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225022; rev:1;) alert tcp $HOME_NET any -> [101.43.145.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225020; rev:1;) alert tcp $HOME_NET any -> [44.206.236.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225021; rev:1;) alert tcp $HOME_NET any -> [18.118.123.248] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225019; rev:1;) alert tcp $HOME_NET any -> [179.124.44.173] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225018; rev:1;) alert tcp $HOME_NET any -> [62.234.220.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225017/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225017; rev:1;) alert tcp $HOME_NET any -> [20.227.43.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225015; rev:1;) alert tcp $HOME_NET any -> [128.199.165.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225016; rev:1;) alert tcp $HOME_NET any -> [162.14.81.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225014; rev:1;) alert tcp $HOME_NET any -> [172.191.13.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225012; rev:1;) alert tcp $HOME_NET any -> [3.106.173.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225013; rev:1;) alert tcp $HOME_NET any -> [82.146.48.31] 3443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225011; rev:1;) alert tcp $HOME_NET any -> [194.110.220.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225010; rev:1;) alert tcp $HOME_NET any -> [137.184.237.141] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225008; rev:1;) alert tcp $HOME_NET any -> [165.22.213.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225009; rev:1;) alert tcp $HOME_NET any -> [178.62.83.194] 1447 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225007; rev:1;) alert tcp $HOME_NET any -> [5.181.156.97] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225006/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91225006; rev:1;) alert tcp $HOME_NET any -> [20.197.90.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225004; rev:1;) alert tcp $HOME_NET any -> [3.144.40.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225005; rev:1;) alert tcp $HOME_NET any -> [90.102.117.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225003; rev:1;) alert tcp $HOME_NET any -> [151.80.216.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225002; rev:1;) alert tcp $HOME_NET any -> [52.14.6.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225000; rev:1;) alert tcp $HOME_NET any -> [52.209.111.255] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1225001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91225001; rev:1;) alert tcp $HOME_NET any -> [119.91.31.246] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224999; rev:1;) alert tcp $HOME_NET any -> [158.220.107.208] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224998; rev:1;) alert tcp $HOME_NET any -> [91.180.119.160] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224996; rev:1;) alert tcp $HOME_NET any -> [194.233.86.157] 3030 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224997; rev:1;) alert tcp $HOME_NET any -> [3.72.225.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91224995; rev:1;) alert tcp $HOME_NET any -> [144.126.204.161] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224993; rev:1;) alert tcp $HOME_NET any -> [23.88.61.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224994; rev:1;) alert tcp $HOME_NET any -> [47.243.111.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224992; rev:1;) alert tcp $HOME_NET any -> [54.190.222.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224991; rev:1;) alert tcp $HOME_NET any -> [34.134.41.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224990; rev:1;) alert tcp $HOME_NET any -> [125.76.235.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224988; rev:1;) alert tcp $HOME_NET any -> [212.129.11.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224989; rev:1;) alert tcp $HOME_NET any -> [94.103.82.66] 8181 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224987; rev:1;) alert tcp $HOME_NET any -> [51.68.236.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224986; rev:1;) alert tcp $HOME_NET any -> [44.203.229.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224984; rev:1;) alert tcp $HOME_NET any -> [159.69.191.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224985; rev:1;) alert tcp $HOME_NET any -> [42.192.84.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224983; rev:1;) alert tcp $HOME_NET any -> [51.89.149.150] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224981; rev:1;) alert tcp $HOME_NET any -> [134.209.184.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224982; rev:1;) alert tcp $HOME_NET any -> [51.89.149.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224980; rev:1;) alert tcp $HOME_NET any -> [89.238.65.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224979; rev:1;) alert tcp $HOME_NET any -> [159.89.41.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224977; rev:1;) alert tcp $HOME_NET any -> [35.239.88.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224978; rev:1;) alert tcp $HOME_NET any -> [142.93.208.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224976; rev:1;) alert tcp $HOME_NET any -> [120.27.132.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224974; rev:1;) alert tcp $HOME_NET any -> [54.144.135.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224975; rev:1;) alert tcp $HOME_NET any -> [46.101.60.177] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224973; rev:1;) alert tcp 
$HOME_NET any -> [85.255.2.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224972; rev:1;) alert tcp $HOME_NET any -> [123.56.156.53] 43333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224970; rev:1;) alert tcp $HOME_NET any -> [124.221.198.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224971; rev:1;) alert tcp $HOME_NET any -> [51.159.88.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224969; rev:1;) alert tcp $HOME_NET any -> [103.179.31.118] 3337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224968; rev:1;) alert tcp $HOME_NET any -> [176.96.241.195] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224966; rev:1;) alert tcp $HOME_NET any -> [3.17.178.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224967; rev:1;) alert tcp $HOME_NET any -> [176.96.241.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224965; rev:1;) alert tcp $HOME_NET any -> [15.236.5.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224964; rev:1;) alert tcp $HOME_NET any -> [15.188.53.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224962; rev:1;) alert tcp $HOME_NET any -> [50.17.203.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224963; rev:1;) alert tcp $HOME_NET any -> [13.69.122.227] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224961; rev:1;) alert tcp $HOME_NET any -> [185.105.226.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224960; rev:1;) alert tcp $HOME_NET any -> [18.143.12.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224959; rev:1;) alert tcp $HOME_NET any -> [121.36.220.74] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224957; rev:1;) alert tcp $HOME_NET any -> [51.195.117.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224958; rev:1;) alert tcp $HOME_NET any -> [4.227.232.81] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224956/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224956; rev:1;) alert tcp $HOME_NET any -> [103.234.72.246] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224954; rev:1;) alert tcp $HOME_NET any -> [169.239.106.169] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224955; rev:1;) alert tcp $HOME_NET any -> [16.16.99.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224953; rev:1;) alert tcp $HOME_NET any -> [77.119.225.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224952; rev:1;) alert tcp $HOME_NET any -> [3.144.93.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224950; rev:1;) alert tcp $HOME_NET any -> [206.189.22.238] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224951; rev:1;) alert tcp $HOME_NET any -> [139.155.126.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224949; rev:1;) alert tcp $HOME_NET any -> [68.183.82.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224948; rev:1;) alert tcp $HOME_NET any -> [34.101.121.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224947; rev:1;) alert tcp $HOME_NET any -> [103.15.144.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224945; rev:1;) alert tcp $HOME_NET any -> [62.171.185.130] 49167 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224946/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224946; rev:1;) alert tcp $HOME_NET any -> [20.10.100.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224944; rev:1;) alert tcp $HOME_NET any -> [3.90.252.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224943; rev:1;) alert tcp $HOME_NET any -> [18.218.33.75] 33333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224942; rev:1;) alert tcp $HOME_NET any -> [143.110.176.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224940; rev:1;) alert tcp $HOME_NET any -> [101.42.237.50] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224941; rev:1;) alert tcp $HOME_NET any -> [45.183.247.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224939; rev:1;) alert tcp $HOME_NET any -> [43.139.122.58] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224938; rev:1;) alert tcp $HOME_NET any -> [210.16.65.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224936; rev:1;) alert tcp $HOME_NET any -> [92.204.49.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224937; rev:1;) alert tcp $HOME_NET any -> [104.248.105.64] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224935; rev:1;) alert tcp $HOME_NET any -> [54.159.240.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224934/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91224934; rev:1;) alert tcp $HOME_NET any -> [192.227.137.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224933; rev:1;) alert tcp $HOME_NET any -> [122.8.152.116] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224932; rev:1;) alert tcp $HOME_NET any -> [193.26.157.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224931; rev:1;) alert tcp $HOME_NET any -> [85.31.236.81] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224930; rev:1;) alert tcp $HOME_NET any -> [52.87.131.126] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224929; rev:1;) alert tcp $HOME_NET any -> [66.94.101.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224928; rev:1;) alert tcp $HOME_NET any -> [178.62.219.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224927; rev:1;) alert tcp $HOME_NET any -> [198.211.96.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224926; rev:1;) alert tcp $HOME_NET any -> [16.171.160.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224924; rev:1;) alert tcp $HOME_NET any -> [13.42.27.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224925; rev:1;) alert tcp $HOME_NET any -> [119.194.170.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91224923; rev:1;) alert tcp $HOME_NET any -> [167.172.145.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224921; rev:1;) alert tcp $HOME_NET any -> [81.173.112.207] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224922; rev:1;) alert tcp $HOME_NET any -> [206.189.38.25] 9988 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224920; rev:1;) alert tcp $HOME_NET any -> [3.253.233.39] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224919; rev:1;) alert tcp $HOME_NET any -> [178.128.207.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224917; rev:1;) alert tcp $HOME_NET any -> [188.92.78.156] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224918; rev:1;) alert tcp $HOME_NET any -> [157.230.239.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224916; rev:1;) alert tcp $HOME_NET any -> [121.196.200.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224915; rev:1;) alert tcp $HOME_NET any -> [78.47.88.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224913; rev:1;) alert tcp $HOME_NET any -> [151.80.216.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224914; rev:1;) alert tcp $HOME_NET any -> [141.147.138.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224912; rev:1;) alert tcp $HOME_NET any -> [176.119.159.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224911; rev:1;) alert tcp $HOME_NET any -> [101.43.30.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224910; rev:1;) alert tcp $HOME_NET any -> [101.33.244.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224908; rev:1;) alert tcp $HOME_NET any -> [213.194.117.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224909; rev:1;) alert tcp $HOME_NET any -> [217.70.191.72] 5133 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224907; rev:1;) alert tcp $HOME_NET any -> [51.250.125.11] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224905; rev:1;) alert tcp $HOME_NET any -> [124.221.217.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224906; rev:1;) alert tcp $HOME_NET any -> [164.90.134.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224903; rev:1;) alert tcp $HOME_NET any -> [159.89.251.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224904; rev:1;) alert tcp $HOME_NET any -> [95.216.159.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224902; rev:1;) alert tcp $HOME_NET any -> [13.211.134.246] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224900; rev:1;) alert 
tcp $HOME_NET any -> [43.130.149.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224901; rev:1;) alert tcp $HOME_NET any -> [3.14.99.41] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224899; rev:1;) alert tcp $HOME_NET any -> [82.223.102.88] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224898; rev:1;) alert tcp $HOME_NET any -> [151.80.61.108] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224896; rev:1;) alert tcp $HOME_NET any -> [15.236.5.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224897; rev:1;) alert tcp $HOME_NET any -> [164.92.66.36] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224895; rev:1;) alert tcp $HOME_NET any -> [78.129.239.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224893; rev:1;) alert tcp $HOME_NET any -> [121.36.71.198] 8877 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224894; rev:1;) alert tcp $HOME_NET any -> [20.126.79.79] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224892; rev:1;) alert tcp $HOME_NET any -> [69.64.43.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224891; rev:1;) alert tcp $HOME_NET any -> [35.180.24.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224889; rev:1;) alert tcp $HOME_NET any -> [35.180.24.110] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224890; rev:1;) alert tcp $HOME_NET any -> [20.26.15.225] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224888; rev:1;) alert tcp $HOME_NET any -> [135.125.237.28] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224887; rev:1;) alert tcp $HOME_NET any -> [207.160.105.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224885; rev:1;) alert tcp $HOME_NET any -> [54.253.255.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224886; rev:1;) alert tcp $HOME_NET any -> [124.221.115.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224884/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224884; rev:1;) alert tcp $HOME_NET any -> [217.160.144.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224883; rev:1;) alert tcp $HOME_NET any -> [3.140.139.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224881; rev:1;) alert tcp $HOME_NET any -> [139.59.23.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224882; rev:1;) alert tcp $HOME_NET any -> [3.22.192.34] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224880; rev:1;) alert tcp $HOME_NET any -> [15.237.174.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224879; rev:1;) alert tcp $HOME_NET any -> [20.199.49.142] 7220 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224877; rev:1;) alert tcp $HOME_NET any -> [62.165.77.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224878; rev:1;) alert tcp $HOME_NET any -> [191.101.232.148] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224876; rev:1;) alert tcp $HOME_NET any -> [85.214.222.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224875; rev:1;) alert tcp $HOME_NET any -> [13.92.183.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224873; rev:1;) alert tcp $HOME_NET any -> [1.15.131.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224874/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224874; rev:1;) alert tcp $HOME_NET any -> [54.37.65.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224872; rev:1;) alert tcp $HOME_NET any -> [51.20.54.247] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224870; rev:1;) alert tcp $HOME_NET any -> [51.38.34.225] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224871; rev:1;) alert tcp $HOME_NET any -> [100.26.49.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224869; rev:1;) alert tcp $HOME_NET any -> [182.61.139.139] 10001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224867; rev:1;) alert tcp $HOME_NET any -> [139.180.160.10] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224868; rev:1;) alert tcp $HOME_NET any -> [164.92.144.252] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224866; rev:1;) alert tcp $HOME_NET any -> [3.226.240.210] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224865; rev:1;) alert tcp $HOME_NET any -> [138.68.123.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224863; rev:1;) alert tcp $HOME_NET any -> [13.48.136.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224864; rev:1;) alert tcp $HOME_NET any -> [139.180.174.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224862/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91224862; rev:1;) alert tcp $HOME_NET any -> [185.51.247.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224861; rev:1;) alert tcp $HOME_NET any -> [67.214.252.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224860; rev:1;) alert tcp $HOME_NET any -> [178.60.199.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224859; rev:1;) alert tcp $HOME_NET any -> [68.219.200.71] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224858; rev:1;) alert tcp $HOME_NET any -> [3.133.89.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224857; rev:1;) alert tcp $HOME_NET any -> [84.201.180.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224856; rev:1;) alert tcp $HOME_NET any -> [65.21.5.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224855; rev:1;) alert tcp $HOME_NET any -> [13.235.238.220] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224853; rev:1;) alert tcp $HOME_NET any -> [85.215.78.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224854; rev:1;) alert tcp $HOME_NET any -> [143.198.161.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224852; rev:1;) alert tcp $HOME_NET any -> [20.10.103.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224850; rev:1;) alert tcp $HOME_NET any -> [3.140.190.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224851; rev:1;) alert tcp $HOME_NET any -> [18.157.216.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224849; rev:1;) alert tcp $HOME_NET any -> [114.67.231.81] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224848; rev:1;) alert tcp $HOME_NET any -> [146.190.24.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224846; rev:1;) alert tcp $HOME_NET any -> [8.134.186.65] 33333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224847; rev:1;) alert tcp $HOME_NET any -> [185.30.233.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224845; rev:1;) alert tcp $HOME_NET any -> [51.91.98.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224844; rev:1;) alert tcp $HOME_NET any -> [167.71.6.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224842; rev:1;) alert tcp $HOME_NET any -> [34.196.122.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224843; rev:1;) alert tcp $HOME_NET any -> [13.53.235.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224841; rev:1;) alert tcp $HOME_NET any -> [178.62.244.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224839; rev:1;) alert tcp 
$HOME_NET any -> [54.78.55.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224840; rev:1;) alert tcp $HOME_NET any -> [51.83.2.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224838; rev:1;) alert tcp $HOME_NET any -> [15.229.8.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224837; rev:1;) alert tcp $HOME_NET any -> [147.135.84.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224836; rev:1;) alert tcp $HOME_NET any -> [45.131.40.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224834; rev:1;) alert tcp $HOME_NET any -> [185.165.188.50] 1966 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224835; rev:1;) alert tcp $HOME_NET any -> [5.196.46.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224833; rev:1;) alert tcp $HOME_NET any -> [8.137.34.214] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224832; rev:1;) alert tcp $HOME_NET any -> [88.99.32.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224830; rev:1;) alert tcp $HOME_NET any -> [207.148.3.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224831; rev:1;) alert tcp $HOME_NET any -> [163.172.156.186] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224829; rev:1;) alert tcp $HOME_NET any -> [173.14.153.125] 3383 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224828; rev:1;) alert tcp $HOME_NET any -> [47.120.35.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224826; rev:1;) alert tcp $HOME_NET any -> [134.175.55.199] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224827; rev:1;) alert tcp $HOME_NET any -> [13.92.199.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224825; rev:1;) alert tcp $HOME_NET any -> [185.142.236.87] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224823; rev:1;) alert tcp $HOME_NET any -> [60.204.210.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224824/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224824; rev:1;) alert tcp $HOME_NET any -> [146.190.42.223] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224822; rev:1;) alert tcp $HOME_NET any -> [34.140.91.84] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224820; rev:1;) alert tcp $HOME_NET any -> [213.157.17.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224821; rev:1;) alert tcp $HOME_NET any -> [45.79.36.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224819; rev:1;) alert tcp $HOME_NET any -> [162.244.83.16] 48495 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224818; rev:1;) alert tcp $HOME_NET any -> [91.132.147.217] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224816; rev:1;) alert tcp $HOME_NET any -> [162.244.83.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224817; rev:1;) alert tcp $HOME_NET any -> [194.195.214.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224815; rev:1;) alert tcp $HOME_NET any -> [13.38.10.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224814; rev:1;) alert tcp $HOME_NET any -> [173.212.246.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224812; rev:1;) alert tcp $HOME_NET any -> [62.165.154.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224813/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224813; rev:1;) alert tcp $HOME_NET any -> [141.94.68.118] 45345 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224811; rev:1;) alert tcp $HOME_NET any -> [18.153.171.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224810; rev:1;) alert tcp $HOME_NET any -> [38.242.208.117] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224808; rev:1;) alert tcp $HOME_NET any -> [192.100.169.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224809; rev:1;) alert tcp $HOME_NET any -> [78.46.199.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224807; rev:1;) alert tcp $HOME_NET any -> [3.12.151.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224805; rev:1;) alert tcp $HOME_NET any -> [3.145.82.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224806; rev:1;) alert tcp $HOME_NET any -> [193.70.2.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224804; rev:1;) alert tcp $HOME_NET any -> [20.4.193.106] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224803; rev:1;) alert tcp $HOME_NET any -> [161.35.144.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224801; rev:1;) alert tcp $HOME_NET any -> [44.201.254.221] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224802/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91224802; rev:1;) alert tcp $HOME_NET any -> [94.130.170.84] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224800; rev:1;) alert tcp $HOME_NET any -> [52.251.53.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224798; rev:1;) alert tcp $HOME_NET any -> [44.213.150.129] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224799; rev:1;) alert tcp $HOME_NET any -> [178.79.165.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224797; rev:1;) alert tcp $HOME_NET any -> [192.210.213.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224796; rev:1;) alert tcp $HOME_NET any -> [20.124.244.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224794; rev:1;) alert tcp $HOME_NET any -> [151.80.216.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224795; rev:1;) alert tcp $HOME_NET any -> [188.40.68.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224793; rev:1;) alert tcp $HOME_NET any -> [52.73.75.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224792; rev:1;) alert tcp $HOME_NET any -> [65.109.172.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224791; rev:1;) alert tcp $HOME_NET any -> [124.223.199.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91224789; rev:1;) alert tcp $HOME_NET any -> [157.230.220.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224790; rev:1;) alert tcp $HOME_NET any -> [202.61.200.137] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224788; rev:1;) alert tcp $HOME_NET any -> [3.90.214.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224787; rev:1;) alert tcp $HOME_NET any -> [115.159.95.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224786; rev:1;) alert tcp $HOME_NET any -> [43.154.234.195] 8446 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224785; rev:1;) alert tcp $HOME_NET any -> [18.217.112.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224784; rev:1;) alert tcp $HOME_NET any -> [99.79.33.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224783; rev:1;) alert tcp $HOME_NET any -> [85.190.254.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224781; rev:1;) alert tcp $HOME_NET any -> [99.79.33.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224782; rev:1;) alert tcp $HOME_NET any -> [54.169.234.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224780; rev:1;) alert tcp $HOME_NET any -> [164.90.229.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224779; rev:1;) alert tcp $HOME_NET any -> [52.65.166.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224778; rev:1;) alert tcp $HOME_NET any -> [65.21.177.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224776; rev:1;) alert tcp $HOME_NET any -> [137.184.2.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224777; rev:1;) alert tcp $HOME_NET any -> [209.38.220.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224775; rev:1;) alert tcp $HOME_NET any -> [116.62.177.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224774; rev:1;) alert tcp $HOME_NET any -> [81.70.7.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224773; rev:1;) alert tcp $HOME_NET any -> [208.97.136.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224772; rev:1;) alert tcp $HOME_NET any -> [45.79.2.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224770; rev:1;) alert tcp $HOME_NET any -> [141.94.119.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224771; rev:1;) alert tcp $HOME_NET any -> [83.212.239.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224769; rev:1;) alert tcp $HOME_NET any -> [3.145.7.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224768; rev:1;) alert tcp 
$HOME_NET any -> [195.88.24.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224767; rev:1;) alert tcp $HOME_NET any -> [39.104.54.201] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224766; rev:1;) alert tcp $HOME_NET any -> [20.121.140.105] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224764; rev:1;) alert tcp $HOME_NET any -> [135.125.202.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224765; rev:1;) alert tcp $HOME_NET any -> [3.140.127.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224763; rev:1;) alert tcp $HOME_NET any -> [185.15.244.116] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1224762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224762; rev:1;) alert tcp $HOME_NET any -> [13.53.36.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224761; rev:1;) alert tcp $HOME_NET any -> [34.236.186.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224760; rev:1;) alert tcp $HOME_NET any -> [85.214.222.135] 40192 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224758; rev:1;) alert tcp $HOME_NET any -> [172.104.28.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224759; rev:1;) alert tcp $HOME_NET any -> [147.185.239.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224757; rev:1;) alert tcp $HOME_NET any -> 
[49.12.105.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224756; rev:1;) alert tcp $HOME_NET any -> [138.197.189.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224755; rev:1;) alert tcp $HOME_NET any -> [34.196.162.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224753; rev:1;) alert tcp $HOME_NET any -> [188.166.144.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224754; rev:1;) alert tcp $HOME_NET any -> [51.210.12.48] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224752; rev:1;) alert tcp $HOME_NET any -> [74.234.203.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224751; rev:1;) alert tcp $HOME_NET any -> [157.245.14.101] 3875 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224750; rev:1;) alert tcp $HOME_NET any -> [82.157.104.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224749; rev:1;) alert tcp $HOME_NET any -> [65.109.0.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224748; rev:1;) alert tcp $HOME_NET any -> [65.0.173.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224746; rev:1;) alert tcp $HOME_NET any -> [111.229.78.183] 51411 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224747; rev:1;) alert tcp $HOME_NET any -> [50.210.193.60] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224745; rev:1;) alert tcp $HOME_NET any -> [50.116.13.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224744; rev:1;) alert tcp $HOME_NET any -> [103.84.207.112] 5333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224743; rev:1;) alert tcp $HOME_NET any -> [45.79.35.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224742; rev:1;) alert tcp $HOME_NET any -> [207.148.7.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224741; rev:1;) alert tcp $HOME_NET any -> [51.75.65.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224740/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224740; rev:1;) alert tcp $HOME_NET any -> [3.20.213.77] 6888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224739; rev:1;) alert tcp $HOME_NET any -> [64.225.65.46] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224738; rev:1;) alert tcp $HOME_NET any -> [20.212.177.228] 3128 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224737; rev:1;) alert tcp $HOME_NET any -> [35.225.178.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224736; rev:1;) alert tcp $HOME_NET any -> [139.144.176.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224735; rev:1;) alert tcp $HOME_NET any -> [39.152.112.250] 30012 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224734; rev:1;) alert tcp $HOME_NET any -> [85.111.90.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224733; rev:1;) alert tcp $HOME_NET any -> [51.103.31.58] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224732; rev:1;) alert tcp $HOME_NET any -> [35.92.140.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224731; rev:1;) alert tcp $HOME_NET any -> [54.251.187.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224730; rev:1;) alert tcp $HOME_NET any -> [54.163.62.255] 6060 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224729/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224729; rev:1;) alert tcp $HOME_NET any -> [146.59.225.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224728; rev:1;) alert tcp $HOME_NET any -> [46.30.78.13] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224727; rev:1;) alert tcp $HOME_NET any -> [51.107.15.154] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224726; rev:1;) alert tcp $HOME_NET any -> [141.95.108.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224725; rev:1;) alert tcp $HOME_NET any -> [170.205.27.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224724; rev:1;) alert tcp $HOME_NET any -> [45.145.228.96] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224723; rev:1;) alert tcp $HOME_NET any -> [154.53.58.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224721; rev:1;) alert tcp $HOME_NET any -> [103.127.96.29] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224722; rev:1;) alert tcp $HOME_NET any -> [16.171.60.36] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224720; rev:1;) alert tcp $HOME_NET any -> [20.172.175.211] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224719; rev:1;) alert tcp $HOME_NET any -> [95.217.7.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224718/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91224718; rev:1;) alert tcp $HOME_NET any -> [3.138.195.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224716; rev:1;) alert tcp $HOME_NET any -> [5.196.46.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224717; rev:1;) alert tcp $HOME_NET any -> [93.119.15.136] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224715; rev:1;) alert tcp $HOME_NET any -> [189.212.107.136] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224714; rev:1;) alert tcp $HOME_NET any -> [103.234.72.50] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224712; rev:1;) alert tcp $HOME_NET any -> [93.95.228.105] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224713; rev:1;) alert tcp $HOME_NET any -> [40.66.41.57] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224711; rev:1;) alert tcp $HOME_NET any -> [101.37.79.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224710; rev:1;) alert tcp $HOME_NET any -> [47.101.41.158] 63333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224709; rev:1;) alert tcp $HOME_NET any -> [187.45.170.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224708; rev:1;) alert tcp $HOME_NET any -> [167.172.133.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91224707; rev:1;) alert tcp $HOME_NET any -> [145.131.30.136] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224705; rev:1;) alert tcp $HOME_NET any -> [82.165.104.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224706; rev:1;) alert tcp $HOME_NET any -> [145.131.30.136] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224704; rev:1;) alert tcp $HOME_NET any -> [82.223.14.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224703; rev:1;) alert tcp $HOME_NET any -> [209.97.177.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224702; rev:1;) alert tcp $HOME_NET any -> [46.101.211.39] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224700; rev:1;) alert tcp $HOME_NET any -> [51.38.185.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224701; rev:1;) alert tcp $HOME_NET any -> [5.135.250.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224699; rev:1;) alert tcp $HOME_NET any -> [139.59.31.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224698; rev:1;) alert tcp $HOME_NET any -> [35.77.47.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224696; rev:1;) alert tcp $HOME_NET any -> [165.232.135.156] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224697; rev:1;) alert tcp $HOME_NET any -> [138.197.138.30] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224695; rev:1;) alert tcp $HOME_NET any -> [104.248.174.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224693; rev:1;) alert tcp $HOME_NET any -> [194.5.85.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224694; rev:1;) alert tcp $HOME_NET any -> [51.136.23.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224692; rev:1;) alert tcp $HOME_NET any -> [16.171.9.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224691; rev:1;) alert tcp $HOME_NET any -> [34.154.101.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224689; rev:1;) alert tcp $HOME_NET any -> [52.3.121.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224690; rev:1;) alert tcp $HOME_NET any -> [203.175.11.208] 5001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224688; rev:1;) alert tcp $HOME_NET any -> [165.22.24.226] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224687; rev:1;) alert tcp $HOME_NET any -> [159.65.117.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224685; rev:1;) alert tcp $HOME_NET any -> [18.212.242.160] 7780 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224686; rev:1;) alert tcp 
$HOME_NET any -> [20.107.81.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224684; rev:1;) alert tcp $HOME_NET any -> [54.213.125.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224682; rev:1;) alert tcp $HOME_NET any -> [184.168.31.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224681; rev:1;) alert tcp $HOME_NET any -> [184.168.31.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224680; rev:1;) alert tcp $HOME_NET any -> [51.250.89.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224678; rev:1;) alert tcp $HOME_NET any -> [23.254.128.102] 12192 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224679; rev:1;) alert tcp $HOME_NET any -> [54.83.147.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224677; rev:1;) alert tcp $HOME_NET any -> [188.166.194.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224676; rev:1;) alert tcp $HOME_NET any -> [151.80.136.121] 4356 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224674; rev:1;) alert tcp $HOME_NET any -> [103.16.130.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224675; rev:1;) alert tcp $HOME_NET any -> [13.42.26.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224673; rev:1;) alert tcp $HOME_NET any -> [3.83.74.210] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224672; rev:1;) alert tcp $HOME_NET any -> [217.160.47.17] 49157 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224671; rev:1;) alert tcp $HOME_NET any -> [3.20.45.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224669; rev:1;) alert tcp $HOME_NET any -> [54.175.89.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224670; rev:1;) alert tcp $HOME_NET any -> [52.211.244.206] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224668; rev:1;) alert tcp $HOME_NET any -> [43.206.156.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224667/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224667; rev:1;) alert tcp $HOME_NET any -> [212.227.149.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224666; rev:1;) alert tcp $HOME_NET any -> [195.35.16.123] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224665; rev:1;) alert tcp $HOME_NET any -> [165.227.86.16] 3684 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224664; rev:1;) alert tcp $HOME_NET any -> [178.128.235.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224662; rev:1;) alert tcp $HOME_NET any -> [20.108.95.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224663; rev:1;) alert tcp $HOME_NET any -> [173.230.142.67] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224661; rev:1;) alert tcp $HOME_NET any -> [103.84.207.115] 5333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224660; rev:1;) alert tcp $HOME_NET any -> [35.204.139.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224658; rev:1;) alert tcp $HOME_NET any -> [206.189.112.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224656; rev:1;) alert tcp $HOME_NET any -> [54.252.197.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224657; rev:1;) alert tcp $HOME_NET any -> [3.138.63.169] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224655/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224655; rev:1;) alert tcp $HOME_NET any -> [23.97.129.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224654; rev:1;) alert tcp $HOME_NET any -> [8.134.184.94] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224653; rev:1;) alert tcp $HOME_NET any -> [52.54.145.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224651; rev:1;) alert tcp $HOME_NET any -> [217.160.32.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224652; rev:1;) alert tcp $HOME_NET any -> [91.107.219.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224650; rev:1;) alert tcp $HOME_NET any -> [34.200.11.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224649; rev:1;) alert tcp $HOME_NET any -> [52.208.40.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224648; rev:1;) alert tcp $HOME_NET any -> [3.110.216.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224646; rev:1;) alert tcp $HOME_NET any -> [13.212.126.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224647; rev:1;) alert tcp $HOME_NET any -> [34.38.3.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224645; rev:1;) alert tcp $HOME_NET any -> [20.52.159.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224644/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_28; classtype:trojan-activity; sid:91224644; rev:1;) alert tcp $HOME_NET any -> [38.242.145.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224642; rev:1;) alert tcp $HOME_NET any -> [188.68.40.71] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224643; rev:1;) alert tcp $HOME_NET any -> [45.79.195.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224641; rev:1;) alert tcp $HOME_NET any -> [47.113.222.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224639; rev:1;) alert tcp $HOME_NET any -> [72.167.49.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224640; rev:1;) alert tcp $HOME_NET any -> [193.178.170.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224638; rev:1;) alert tcp $HOME_NET any -> [44.221.195.97] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224637; rev:1;) alert tcp $HOME_NET any -> [51.159.57.80] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224635; rev:1;) alert tcp $HOME_NET any -> [65.21.251.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224636; rev:1;) alert tcp $HOME_NET any -> [34.200.40.96] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224634; rev:1;) alert tcp $HOME_NET any -> [3.77.69.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224632; rev:1;) alert tcp $HOME_NET any -> [195.235.104.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224633; rev:1;) alert tcp $HOME_NET any -> [46.41.150.53] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224631; rev:1;) alert tcp $HOME_NET any -> [51.15.236.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224630; rev:1;) alert tcp $HOME_NET any -> [157.245.103.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224629; rev:1;) alert tcp $HOME_NET any -> [114.132.162.49] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224627; rev:1;) alert tcp $HOME_NET any -> [138.201.19.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224628; rev:1;) alert tcp $HOME_NET any -> [34.207.211.160] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224626; rev:1;) alert tcp $HOME_NET any -> [81.169.176.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224625; rev:1;) alert tcp $HOME_NET any -> [157.230.209.101] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224623; rev:1;) alert tcp $HOME_NET any -> [208.87.79.106] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224624; rev:1;) alert tcp $HOME_NET any -> [162.244.83.17] 48495 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224622; rev:1;) alert 
tcp $HOME_NET any -> [162.244.83.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224621; rev:1;) alert tcp $HOME_NET any -> [111.230.205.218] 63333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224620; rev:1;) alert tcp $HOME_NET any -> [124.70.145.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224618; rev:1;) alert tcp $HOME_NET any -> [170.187.160.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224619; rev:1;) alert tcp $HOME_NET any -> [164.132.48.230] 60002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224617; rev:1;) alert tcp $HOME_NET any -> [162.244.83.18] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1224615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224615; rev:1;)
# NOTE(review): the ip:port rules below match on the 5-tuple alone - no flow:,
# no content:, no app-layer keyword. A single outbound TCP packet from $HOME_NET
# to the listed address:port (a bare SYN, a scan, a connection that is later
# refused or reset) is enough to fire; "threshold: type limit, track by_src,
# seconds 60, count 1" then suppresses repeats from the same source for one
# minute, and target:src_ip tags the internal host as the affected side.
# Every rule in this batch carries first_seen 2023_12_28 and the generic
# "Unknown malware" label, i.e. no family attribution - the ip:port pair is the
# whole indicator. Check the reference URL before blocking on a hit and expect
# these to age quickly: many of the prefixes look like hosting / cloud address
# space, where addresses are reassigned (inferred from the prefixes, confirm per
# address). Port 3333 dominates the batch; it is widely used by Stratum mining
# pools, which would fit a coin-miner campaign, but nothing in the rules
# themselves establishes that. sid is "9" followed by the ThreatFox IOC id with
# rev:1 - keep the 9xxxxxxx range free in local rules to avoid sid collisions.
alert tcp $HOME_NET any -> [162.244.83.18] 48495 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224616; rev:1;)
alert tcp $HOME_NET any -> [51.77.193.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224614; rev:1;)
alert tcp $HOME_NET any -> [34.71.157.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224613; rev:1;)
alert tcp $HOME_NET any -> [34.196.107.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224611; rev:1;)
alert tcp $HOME_NET any -> [188.166.5.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224612; rev:1;)
alert tcp $HOME_NET any -> [52.5.64.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224610; rev:1;)
alert tcp $HOME_NET any -> [45.79.146.93] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224608; rev:1;)
alert tcp $HOME_NET any -> [20.50.116.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224609; rev:1;)
alert tcp $HOME_NET any -> [4.216.115.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224607; rev:1;)
alert tcp $HOME_NET any -> [46.182.208.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224605; rev:1;)
alert tcp $HOME_NET any -> [172.173.140.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224606; rev:1;)
alert tcp $HOME_NET any -> [74.208.104.93] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224604; rev:1;)
alert tcp $HOME_NET any -> [217.182.128.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224603; rev:1;)
alert tcp $HOME_NET any -> [146.59.151.113] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224601; rev:1;)
alert tcp $HOME_NET any -> [167.172.147.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224602; rev:1;)
alert tcp $HOME_NET any -> [167.71.225.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224600; rev:1;)
alert tcp $HOME_NET any -> [85.10.132.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224599; rev:1;)
alert tcp $HOME_NET any -> [34.95.236.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224597; rev:1;)
alert tcp $HOME_NET any -> [64.225.94.227] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224598; rev:1;)
alert tcp $HOME_NET any -> [141.94.27.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224596; rev:1;)
alert tcp $HOME_NET any -> [103.214.7.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224595; rev:1;)
alert tcp $HOME_NET any -> [139.217.96.227] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224593; rev:1;)
alert tcp $HOME_NET any -> [18.116.139.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224594; rev:1;)
alert tcp $HOME_NET any -> [44.201.143.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224592; rev:1;)
alert tcp $HOME_NET any -> [3.68.253.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224591; rev:1;)
# NOTE(review): dst port 3389 is the conventional RDP port. With no flow: or
# content: match, any RDP session from $HOME_NET to this host fires the rule,
# not only malware traffic - verify the IOC before turning this into a block.
alert tcp $HOME_NET any -> [34.175.105.176] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224589; rev:1;)
alert tcp $HOME_NET any -> [164.92.254.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224590; rev:1;)
alert tcp $HOME_NET any -> [54.149.85.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224588; rev:1;)
alert tcp $HOME_NET any -> [78.47.121.48] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224587; rev:1;)
alert tcp $HOME_NET any -> [3.81.217.246] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224585; rev:1;)
alert tcp $HOME_NET any -> [51.124.160.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224586; rev:1;)
alert tcp $HOME_NET any -> [13.52.249.97] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224584; rev:1;)
alert tcp $HOME_NET any -> [20.90.77.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224583; rev:1;)
alert tcp $HOME_NET any -> [15.206.255.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224581; rev:1;)
alert tcp $HOME_NET any -> [208.123.76.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224582; rev:1;)
alert tcp $HOME_NET any -> [34.198.135.203] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224580; rev:1;)
alert tcp $HOME_NET any -> [44.212.47.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224579; rev:1;)
alert tcp $HOME_NET any -> [51.250.105.133] 3838 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224578; rev:1;)
alert tcp $HOME_NET any -> [82.156.140.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224576; rev:1;)
alert tcp $HOME_NET any -> [163.172.81.204] 1725 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224577; rev:1;)
alert tcp $HOME_NET any -> [42.192.229.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224575; rev:1;)
# NOTE(review): the 443 / 8443 entries in this batch match the TCP connection
# only; the rule sees nothing of the TLS exchange. If the ThreatFox entry lists
# a certificate or SNI for the host, a tls.sni / tls.cert_subject rule would be a
# more durable indicator than the address, which can be reassigned.
alert tcp $HOME_NET any -> [40.76.10.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224574; rev:1;)
alert tcp $HOME_NET any -> [34.86.0.50] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224572; rev:1;)
alert tcp $HOME_NET any -> [101.200.197.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224573; rev:1;)
alert tcp $HOME_NET any -> [54.159.204.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224571; rev:1;)
alert tcp $HOME_NET any -> [185.119.117.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224570; rev:1;)
alert tcp $HOME_NET any -> [43.139.35.215] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224568; rev:1;)
alert tcp $HOME_NET any -> [103.175.220.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224569; rev:1;)
alert tcp $HOME_NET any -> [64.227.178.226] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224567; rev:1;)
alert tcp $HOME_NET any -> [194.163.178.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224566; rev:1;)
alert tcp $HOME_NET any -> [89.219.32.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224565; rev:1;)
alert tcp $HOME_NET any -> [13.68.152.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224563; rev:1;)
alert tcp $HOME_NET any -> [34.136.76.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224564; rev:1;)
alert tcp $HOME_NET any -> [42.192.227.34] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224562; rev:1;)
alert tcp $HOME_NET any -> [198.199.65.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224561; rev:1;)
alert tcp $HOME_NET any -> [52.53.94.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224560; rev:1;)
alert tcp $HOME_NET any -> [52.71.158.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224558; rev:1;)
alert tcp $HOME_NET any -> [172.105.72.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224559; rev:1;)
alert tcp $HOME_NET any -> [104.207.135.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224557; rev:1;)
alert tcp $HOME_NET any -> [51.83.45.141] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224556; rev:1;)
alert tcp $HOME_NET any -> [85.214.158.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224554; rev:1;)
alert tcp $HOME_NET any -> [65.21.104.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224555; rev:1;)
alert tcp $HOME_NET any -> [146.190.120.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224553; rev:1;)
alert tcp $HOME_NET any -> [139.159.143.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224552; rev:1;)
alert tcp $HOME_NET any -> [49.204.124.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224550; rev:1;)
alert tcp $HOME_NET any -> [100.20.179.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224551; rev:1;)
alert tcp $HOME_NET any -> [1.117.150.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224549; rev:1;)
alert tcp $HOME_NET any -> [107.172.143.125] 7890 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224548; rev:1;)
alert tcp $HOME_NET any -> [188.165.39.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224547; rev:1;)
alert tcp $HOME_NET any -> [18.153.86.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224545; rev:1;)
alert tcp $HOME_NET any -> [143.244.204.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224546; rev:1;)
alert tcp $HOME_NET any -> [134.209.38.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224544; rev:1;)
alert tcp $HOME_NET any -> [20.104.78.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224543; rev:1;)
alert tcp $HOME_NET any -> [172.208.90.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224542; rev:1;)
alert tcp $HOME_NET any -> [61.93.209.142] 55535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224541; rev:1;)
alert tcp $HOME_NET any -> [165.232.82.194] 36936 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224540; rev:1;)
alert tcp $HOME_NET any -> [143.198.70.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224539; rev:1;)
alert tcp $HOME_NET any -> [173.249.15.168] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224538; rev:1;)
alert tcp $HOME_NET any -> [116.203.99.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224537; rev:1;)
alert tcp $HOME_NET any -> [20.55.53.129] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224535; rev:1;)
alert tcp $HOME_NET any -> [213.205.69.187] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224536; rev:1;)
alert tcp $HOME_NET any -> [45.32.45.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224534; rev:1;)
alert tcp $HOME_NET any -> [20.4.197.194] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224533; rev:1;)
alert tcp $HOME_NET any -> [164.132.224.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224532; rev:1;)
alert tcp $HOME_NET any -> [4.228.83.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224531; rev:1;)
alert tcp $HOME_NET any -> [44.211.225.208] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224530; rev:1;)
alert tcp $HOME_NET any -> [13.245.51.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224529; rev:1;)
alert tcp $HOME_NET any -> [178.62.116.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224528; rev:1;)
alert tcp $HOME_NET any -> [3.223.221.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224527; rev:1;)
alert tcp $HOME_NET any -> [18.194.193.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224526; rev:1;)
alert tcp $HOME_NET any -> [18.135.107.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224525; rev:1;)
alert tcp $HOME_NET any -> [5.196.46.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224524; rev:1;)
alert tcp $HOME_NET any -> [106.52.6.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224523; rev:1;)
alert tcp $HOME_NET any -> [159.223.236.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224521; rev:1;)
alert tcp $HOME_NET any -> [141.164.34.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224522; rev:1;)
alert tcp $HOME_NET any -> [51.15.118.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224520; rev:1;)
alert tcp $HOME_NET any -> [103.234.72.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224519; rev:1;)
alert tcp $HOME_NET any -> [18.205.120.250] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224518; rev:1;)
alert tcp $HOME_NET any -> [202.61.197.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224517; rev:1;)
alert tcp $HOME_NET any -> [144.24.21.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224515; rev:1;)
alert tcp $HOME_NET any -> [54.210.32.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224516; rev:1;)
alert tcp $HOME_NET any -> [100.20.227.214] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224514; rev:1;)
alert tcp $HOME_NET any -> [89.117.17.55] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224513; rev:1;)
alert tcp $HOME_NET any -> [52.59.247.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224512; rev:1;)
alert tcp $HOME_NET any -> [172.190.223.7] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224511; rev:1;)
alert tcp $HOME_NET any -> [88.218.227.106] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224509; rev:1;)
alert tcp $HOME_NET any -> [80.211.129.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224510; rev:1;)
alert tcp $HOME_NET any -> [3.121.140.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224508; rev:1;)
alert tcp $HOME_NET any -> [120.46.84.161] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224507; rev:1;)
alert tcp $HOME_NET any -> [3.109.158.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224506; rev:1;)
alert tcp $HOME_NET any -> [101.42.237.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224505; rev:1;)
alert tcp $HOME_NET any -> [168.119.119.210] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224504; rev:1;)
alert tcp $HOME_NET any -> [150.158.179.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224503; rev:1;)
alert tcp $HOME_NET any -> [13.49.49.106] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224502; rev:1;)
alert tcp $HOME_NET any -> [194.110.220.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224501; rev:1;)
alert tcp $HOME_NET any -> [52.162.240.12] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224500/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_28; classtype:trojan-activity; sid:91224500; rev:1;) alert tcp $HOME_NET any -> [39.100.72.235] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224499; rev:1;) alert tcp $HOME_NET any -> [49.232.172.226] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224498; rev:1;) alert tcp $HOME_NET any -> [120.79.45.199] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224497; rev:1;) alert tcp $HOME_NET any -> [84.201.172.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224496; rev:1;) alert tcp $HOME_NET any -> [52.223.24.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224495; rev:1;) alert tcp $HOME_NET any -> [84.252.140.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224494; rev:1;) alert tcp $HOME_NET any -> [162.244.83.19] 48495 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224493; rev:1;) alert tcp $HOME_NET any -> [162.244.83.19] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224492; rev:1;) alert tcp $HOME_NET any -> [54.158.28.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224491; rev:1;) alert tcp $HOME_NET any -> [3.96.0.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224490; rev:1;) alert tcp $HOME_NET any -> [208.38.138.111] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; 
classtype:trojan-activity; sid:91224489; rev:1;) alert tcp $HOME_NET any -> [146.190.137.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224488; rev:1;) alert tcp $HOME_NET any -> [34.228.42.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224487; rev:1;) alert tcp $HOME_NET any -> [151.80.136.89] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224486; rev:1;) alert tcp $HOME_NET any -> [45.142.166.247] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224485; rev:1;) alert tcp $HOME_NET any -> [165.22.86.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224484; rev:1;) alert tcp $HOME_NET any -> [18.181.186.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224483; rev:1;) alert tcp $HOME_NET any -> [47.243.75.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224482; rev:1;) alert tcp $HOME_NET any -> [13.238.219.152] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224481; rev:1;) alert tcp $HOME_NET any -> [85.215.92.36] 9998 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224480; rev:1;) alert tcp $HOME_NET any -> [34.230.57.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224479; rev:1;) alert tcp $HOME_NET any -> [54.237.29.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; 
sid:91224478; rev:1;) alert tcp $HOME_NET any -> [20.235.60.87] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224477; rev:1;) alert tcp $HOME_NET any -> [13.247.13.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224476; rev:1;) alert tcp $HOME_NET any -> [18.194.137.41] 4563 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224475; rev:1;) alert tcp $HOME_NET any -> [194.163.148.16] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224474; rev:1;) alert tcp $HOME_NET any -> [106.55.183.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224473; rev:1;) alert tcp $HOME_NET any -> [81.246.28.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1224472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224472; rev:1;) alert tcp $HOME_NET any -> [107.189.5.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224471; rev:1;) alert tcp $HOME_NET any -> [13.76.2.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224470; rev:1;) alert tcp $HOME_NET any -> [46.30.45.197] 3654 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224469; rev:1;) alert tcp $HOME_NET any -> [3.13.169.238] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224468; rev:1;) alert tcp $HOME_NET any -> [157.230.91.106] 63456 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224467; rev:1;) alert tcp $HOME_NET 
any -> [60.204.151.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224466; rev:1;) alert tcp $HOME_NET any -> [192.248.154.28] 8634 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224465; rev:1;) alert tcp $HOME_NET any -> [54.209.85.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224464; rev:1;) alert tcp $HOME_NET any -> [69.164.220.53] 91 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224463; rev:1;) alert tcp $HOME_NET any -> [178.254.20.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224462; rev:1;) alert tcp $HOME_NET any -> [85.215.235.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224461; rev:1;) alert tcp $HOME_NET any -> [194.110.220.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224460; rev:1;) alert tcp $HOME_NET any -> [18.216.174.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224459; rev:1;) alert tcp $HOME_NET any -> [213.200.219.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224458; rev:1;) alert tcp $HOME_NET any -> [212.219.179.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224457; rev:1;) alert tcp $HOME_NET any -> [54.172.211.64] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_28; classtype:trojan-activity; sid:91224456; rev:1;) alert tcp $HOME_NET any -> [118.98.223.30] 
443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224454; rev:1;) alert tcp $HOME_NET any -> [118.98.223.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224455; rev:1;) alert tcp $HOME_NET any -> [157.245.16.21] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224453; rev:1;) alert tcp $HOME_NET any -> [195.146.148.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224452; rev:1;) alert tcp $HOME_NET any -> [18.191.252.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224450; rev:1;) alert tcp $HOME_NET any -> [18.163.200.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224451/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224451; rev:1;) alert tcp $HOME_NET any -> [168.138.128.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224449; rev:1;) alert tcp $HOME_NET any -> [165.227.236.119] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224448; rev:1;) alert tcp $HOME_NET any -> [20.228.173.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224446; rev:1;) alert tcp $HOME_NET any -> [47.90.133.54] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224447; rev:1;) alert tcp $HOME_NET any -> [152.228.172.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224445; rev:1;) alert tcp $HOME_NET any -> [15.164.193.194] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224444; rev:1;) alert tcp $HOME_NET any -> [149.248.57.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224442; rev:1;) alert tcp $HOME_NET any -> [108.163.193.74] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224443; rev:1;) alert tcp $HOME_NET any -> [46.250.241.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224441; rev:1;) alert tcp $HOME_NET any -> [64.69.36.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224439; rev:1;) alert tcp $HOME_NET any -> [54.147.233.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224440/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224440; rev:1;) alert tcp $HOME_NET any -> [104.248.202.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224438; rev:1;) alert tcp $HOME_NET any -> [200.10.229.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224437; rev:1;) alert tcp $HOME_NET any -> [162.19.26.186] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224435; rev:1;) alert tcp $HOME_NET any -> [20.122.180.23] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224436; rev:1;) alert tcp $HOME_NET any -> [18.202.233.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224434; rev:1;) alert tcp $HOME_NET any -> [134.122.87.54] 8634 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224433; rev:1;) alert tcp $HOME_NET any -> [20.21.128.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224432; rev:1;) alert tcp $HOME_NET any -> [149.28.43.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224430; rev:1;) alert tcp $HOME_NET any -> [124.221.246.83] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224431; rev:1;) alert tcp $HOME_NET any -> [51.68.44.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224429; rev:1;) alert tcp $HOME_NET any -> [51.68.44.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224428/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_27; classtype:trojan-activity; sid:91224428; rev:1;) alert tcp $HOME_NET any -> [137.184.70.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224426; rev:1;) alert tcp $HOME_NET any -> [51.83.45.84] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224427; rev:1;) alert tcp $HOME_NET any -> [99.83.230.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224425; rev:1;) alert tcp $HOME_NET any -> [15.188.176.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224423; rev:1;) alert tcp $HOME_NET any -> [3.75.83.36] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224424; rev:1;) alert tcp $HOME_NET any -> [213.157.205.230] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224422; rev:1;) alert tcp $HOME_NET any -> [89.223.84.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224421; rev:1;) alert tcp $HOME_NET any -> [101.43.129.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224419; rev:1;) alert tcp $HOME_NET any -> [77.68.91.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224420; rev:1;) alert tcp $HOME_NET any -> [170.75.160.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224418; rev:1;) alert tcp $HOME_NET any -> [138.197.148.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; 
classtype:trojan-activity; sid:91224417; rev:1;) alert tcp $HOME_NET any -> [43.138.14.169] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224416; rev:1;) alert tcp $HOME_NET any -> [124.221.66.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224414; rev:1;) alert tcp $HOME_NET any -> [51.222.86.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224415; rev:1;) alert tcp $HOME_NET any -> [8.210.118.18] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224413; rev:1;) alert tcp $HOME_NET any -> [162.19.79.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224411; rev:1;) alert tcp $HOME_NET any -> [51.68.226.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224412; rev:1;) alert tcp $HOME_NET any -> [46.17.44.178] 53556 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224410; rev:1;) alert tcp $HOME_NET any -> [52.47.146.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224409; rev:1;) alert tcp $HOME_NET any -> [95.142.40.152] 49008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224407; rev:1;) alert tcp $HOME_NET any -> [49.51.18.80] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224408; rev:1;) alert tcp $HOME_NET any -> [164.90.231.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; 
sid:91224406; rev:1;) alert tcp $HOME_NET any -> [144.22.192.165] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224405; rev:1;) alert tcp $HOME_NET any -> [185.196.21.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224404; rev:1;) alert tcp $HOME_NET any -> [164.90.182.93] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224403; rev:1;) alert tcp $HOME_NET any -> [139.59.153.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224401; rev:1;) alert tcp $HOME_NET any -> [91.185.90.110] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224402; rev:1;) alert tcp $HOME_NET any -> [137.184.69.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224400; rev:1;) alert tcp $HOME_NET any -> [49.12.224.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224399; rev:1;) alert tcp $HOME_NET any -> [3.76.239.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224397; rev:1;) alert tcp $HOME_NET any -> [95.163.229.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224398; rev:1;) alert tcp $HOME_NET any -> [159.223.198.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224396; rev:1;) alert tcp $HOME_NET any -> [51.254.115.39] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224395; rev:1;) alert tcp 
$HOME_NET any -> [46.140.236.187] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224393; rev:1;) alert tcp $HOME_NET any -> [34.243.38.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224394; rev:1;) alert tcp $HOME_NET any -> [137.184.154.146] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224392; rev:1;) alert tcp $HOME_NET any -> [149.202.70.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224391; rev:1;) alert tcp $HOME_NET any -> [64.126.167.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224389; rev:1;) alert tcp $HOME_NET any -> [161.97.84.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224390; rev:1;) alert tcp $HOME_NET any -> [103.127.98.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224388; rev:1;) alert tcp $HOME_NET any -> [4.180.220.177] 3331 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224387; rev:1;) alert tcp $HOME_NET any -> [20.229.23.48] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224385; rev:1;) alert tcp $HOME_NET any -> [101.132.65.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224386; rev:1;) alert tcp $HOME_NET any -> [65.21.106.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224384; rev:1;) alert tcp $HOME_NET any -> [153.92.221.28] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224383; rev:1;) alert tcp $HOME_NET any -> [34.80.26.135] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224381; rev:1;) alert tcp $HOME_NET any -> [88.93.130.52] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224382; rev:1;) alert tcp $HOME_NET any -> [13.48.67.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224380; rev:1;) alert tcp $HOME_NET any -> [52.39.103.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224379; rev:1;) alert tcp $HOME_NET any -> [20.61.82.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224378/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224378; rev:1;) alert tcp $HOME_NET any -> [209.145.48.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224376; rev:1;) alert tcp $HOME_NET any -> [52.67.23.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224377; rev:1;) alert tcp $HOME_NET any -> [103.123.242.156] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224375; rev:1;) alert tcp $HOME_NET any -> [49.13.0.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224374; rev:1;) alert tcp $HOME_NET any -> [35.210.94.6] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224373; rev:1;) alert tcp $HOME_NET any -> [5.196.28.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224371; rev:1;) alert tcp $HOME_NET any -> [20.232.168.84] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224372; rev:1;) alert tcp $HOME_NET any -> [137.175.50.126] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224370; rev:1;) alert tcp $HOME_NET any -> [35.71.177.161] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224369; rev:1;) alert tcp $HOME_NET any -> [18.197.237.14] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224367; rev:1;) alert tcp $HOME_NET any -> [110.40.198.148] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224368/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_27; classtype:trojan-activity; sid:91224368; rev:1;) alert tcp $HOME_NET any -> [124.222.195.27] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224366; rev:1;) alert tcp $HOME_NET any -> [167.172.224.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224365; rev:1;) alert tcp $HOME_NET any -> [173.255.195.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224363; rev:1;) alert tcp $HOME_NET any -> [5.196.28.55] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224364; rev:1;) alert tcp $HOME_NET any -> [3.129.59.207] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224362; rev:1;) alert tcp $HOME_NET any -> [147.182.156.86] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224360; rev:1;) alert tcp $HOME_NET any -> [50.116.38.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224361; rev:1;) alert tcp $HOME_NET any -> [3.145.189.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224359; rev:1;) alert tcp $HOME_NET any -> [209.250.243.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224358; rev:1;) alert tcp $HOME_NET any -> [4.246.205.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224356; rev:1;) alert tcp $HOME_NET any -> [3.75.160.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; 
classtype:trojan-activity; sid:91224357; rev:1;) alert tcp $HOME_NET any -> [165.227.142.163] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224355; rev:1;) alert tcp $HOME_NET any -> [83.150.204.101] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224354; rev:1;) alert tcp $HOME_NET any -> [37.114.34.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224352; rev:1;) alert tcp $HOME_NET any -> [18.216.173.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224353; rev:1;) alert tcp $HOME_NET any -> [120.76.194.29] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224351; rev:1;) alert tcp $HOME_NET any -> [124.223.167.222] 44444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224350; rev:1;) alert tcp $HOME_NET any -> [139.224.238.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224348; rev:1;) alert tcp $HOME_NET any -> [134.122.8.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224349; rev:1;) alert tcp $HOME_NET any -> [164.90.166.138] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224347; rev:1;) alert tcp $HOME_NET any -> [209.145.51.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224346; rev:1;) alert tcp $HOME_NET any -> [34.200.57.29] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; 
sid:91224345; rev:1;) alert tcp $HOME_NET any -> [101.43.125.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224343; rev:1;) alert tcp $HOME_NET any -> [106.52.131.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224344; rev:1;) alert tcp $HOME_NET any -> [152.67.212.185] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224342; rev:1;) alert tcp $HOME_NET any -> [128.140.3.84] 1920 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224340; rev:1;) alert tcp $HOME_NET any -> [64.227.133.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224341; rev:1;) alert tcp $HOME_NET any -> [5.9.202.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224339; rev:1;) alert tcp $HOME_NET any -> [138.197.15.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224338; rev:1;) alert tcp $HOME_NET any -> [3.86.214.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224336; rev:1;) alert tcp $HOME_NET any -> [185.142.238.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224337; rev:1;) alert tcp $HOME_NET any -> [51.107.46.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224335; rev:1;) alert tcp $HOME_NET any -> [124.220.74.226] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224334; rev:1;) alert tcp 
$HOME_NET any -> [1.117.196.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224333; rev:1;) alert tcp $HOME_NET any -> [104.248.32.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224332; rev:1;) alert tcp $HOME_NET any -> [203.153.108.35] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224330; rev:1;) alert tcp $HOME_NET any -> [13.125.225.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224331; rev:1;) alert tcp $HOME_NET any -> [204.186.86.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224329; rev:1;) alert tcp $HOME_NET any -> [104.248.12.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224328; rev:1;) alert tcp $HOME_NET any -> [3.212.125.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224326; rev:1;) alert tcp $HOME_NET any -> [123.31.11.126] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224327; rev:1;) alert tcp $HOME_NET any -> [34.150.248.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224325; rev:1;) alert tcp $HOME_NET any -> [13.237.83.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224324; rev:1;) alert tcp $HOME_NET any -> [83.149.93.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224323; rev:1;) alert tcp $HOME_NET any -> [49.13.56.152] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224321; rev:1;) alert tcp $HOME_NET any -> [194.110.220.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224322; rev:1;) alert tcp $HOME_NET any -> [15.206.116.101] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224320; rev:1;) alert tcp $HOME_NET any -> [54.84.86.210] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224319; rev:1;) alert tcp $HOME_NET any -> [54.198.247.217] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224317; rev:1;) alert tcp $HOME_NET any -> [44.195.20.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224318/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224318; rev:1;) alert tcp $HOME_NET any -> [43.139.150.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224316; rev:1;) alert tcp $HOME_NET any -> [3.133.145.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224315; rev:1;) alert tcp $HOME_NET any -> [51.75.231.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224313; rev:1;) alert tcp $HOME_NET any -> [167.99.239.93] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224314; rev:1;) alert tcp $HOME_NET any -> [34.207.153.29] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224312; rev:1;) alert tcp $HOME_NET any -> [5.135.250.46] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224311; rev:1;) alert tcp $HOME_NET any -> [18.136.219.88] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224309; rev:1;) alert tcp $HOME_NET any -> [64.227.160.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224310; rev:1;) alert tcp $HOME_NET any -> [101.42.229.246] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224308; rev:1;) alert tcp $HOME_NET any -> [13.36.36.90] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224307; rev:1;) alert tcp $HOME_NET any -> [175.178.158.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224306/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224306; rev:1;) alert tcp $HOME_NET any -> [142.93.216.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224305; rev:1;) alert tcp $HOME_NET any -> [174.138.29.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224303; rev:1;) alert tcp $HOME_NET any -> [175.178.97.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224304; rev:1;) alert tcp $HOME_NET any -> [47.102.149.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224302; rev:1;) alert tcp $HOME_NET any -> [62.210.72.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224301; rev:1;) alert tcp $HOME_NET any -> [121.40.116.160] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224300; rev:1;) alert tcp $HOME_NET any -> [98.142.95.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224299; rev:1;) alert tcp $HOME_NET any -> [18.195.48.41] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224298; rev:1;) alert tcp $HOME_NET any -> [35.245.222.53] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224296; rev:1;) alert tcp $HOME_NET any -> [136.228.40.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224297; rev:1;) alert tcp $HOME_NET any -> [13.38.249.22] 2807 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224295/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_27; classtype:trojan-activity; sid:91224295; rev:1;) alert tcp $HOME_NET any -> [47.106.155.220] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224294; rev:1;) alert tcp $HOME_NET any -> [165.232.98.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224292; rev:1;) alert tcp $HOME_NET any -> [194.163.142.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224293; rev:1;) alert tcp $HOME_NET any -> [46.231.200.31] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224291; rev:1;) alert tcp $HOME_NET any -> [46.231.200.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224290; rev:1;) alert tcp $HOME_NET any -> [52.58.179.176] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224289; rev:1;) alert tcp $HOME_NET any -> [173.230.131.147] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224287; rev:1;) alert tcp $HOME_NET any -> [3.70.229.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224288; rev:1;) alert tcp $HOME_NET any -> [47.98.215.116] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224286; rev:1;) alert tcp $HOME_NET any -> [54.160.225.186] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224284; rev:1;) alert tcp $HOME_NET any -> [159.223.159.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; 
classtype:trojan-activity; sid:91224285; rev:1;) alert tcp $HOME_NET any -> [54.252.220.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224283; rev:1;) alert tcp $HOME_NET any -> [3.93.48.122] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224282; rev:1;) alert tcp $HOME_NET any -> [34.107.113.161] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224281; rev:1;) alert tcp $HOME_NET any -> [151.80.216.147] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224279; rev:1;) alert tcp $HOME_NET any -> [128.199.52.185] 1725 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224280; rev:1;) alert tcp $HOME_NET any -> [103.146.179.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224278; rev:1;) alert tcp $HOME_NET any -> [142.132.232.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224277; rev:1;) alert tcp $HOME_NET any -> [20.16.209.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224276; rev:1;) alert tcp $HOME_NET any -> [109.163.227.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224274; rev:1;) alert tcp $HOME_NET any -> [153.92.127.108] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224275; rev:1;) alert tcp $HOME_NET any -> [209.38.230.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; 
sid:91224273; rev:1;) alert tcp $HOME_NET any -> [195.161.114.29] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224272; rev:1;) alert tcp $HOME_NET any -> [136.144.176.243] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224270; rev:1;) alert tcp $HOME_NET any -> [52.87.221.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224271; rev:1;) alert tcp $HOME_NET any -> [190.122.105.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224269; rev:1;) alert tcp $HOME_NET any -> [101.42.54.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224268; rev:1;) alert tcp $HOME_NET any -> [172.104.207.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224266; rev:1;) alert tcp $HOME_NET any -> [112.126.60.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224267; rev:1;) alert tcp $HOME_NET any -> [152.136.56.105] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224265; rev:1;) alert tcp $HOME_NET any -> [172.232.146.81] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224264; rev:1;) alert tcp $HOME_NET any -> [13.48.236.216] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224262; rev:1;) alert tcp $HOME_NET any -> [208.69.13.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224263; rev:1;) alert tcp 
$HOME_NET any -> [68.183.89.55] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224261; rev:1;) alert tcp $HOME_NET any -> [45.207.38.71] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224259; rev:1;) alert tcp $HOME_NET any -> [195.35.16.117] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224260; rev:1;) alert tcp $HOME_NET any -> [152.136.57.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224258; rev:1;) alert tcp $HOME_NET any -> [52.228.162.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224256; rev:1;) alert tcp $HOME_NET any -> [54.191.136.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224257; rev:1;) alert tcp $HOME_NET any -> [52.156.9.233] 8144 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224255; rev:1;) alert tcp $HOME_NET any -> [138.68.148.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224254; rev:1;) alert tcp $HOME_NET any -> [212.227.43.159] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224253; rev:1;) alert tcp $HOME_NET any -> [114.132.48.232] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224251; rev:1;) alert tcp $HOME_NET any -> [204.48.24.66] 7860 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224252; rev:1;) alert tcp $HOME_NET any -> [3.127.55.125] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224250; rev:1;) alert tcp $HOME_NET any -> [34.120.113.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224249; rev:1;) alert tcp $HOME_NET any -> [3.238.86.58] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224247; rev:1;) alert tcp $HOME_NET any -> [34.120.113.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224248; rev:1;) alert tcp $HOME_NET any -> [188.64.149.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224246; rev:1;) alert tcp $HOME_NET any -> [18.217.208.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224245/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224245; rev:1;) alert tcp $HOME_NET any -> [157.230.53.237] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224243; rev:1;) alert tcp $HOME_NET any -> [20.117.170.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224244; rev:1;) alert tcp $HOME_NET any -> [139.59.160.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224242; rev:1;) alert tcp $HOME_NET any -> [3.111.197.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224241; rev:1;) alert tcp $HOME_NET any -> [23.94.198.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224240; rev:1;) alert tcp $HOME_NET any -> [51.124.207.15] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224238; rev:1;) alert tcp $HOME_NET any -> [185.38.84.102] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224239; rev:1;) alert tcp $HOME_NET any -> [34.171.215.241] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224237; rev:1;) alert tcp $HOME_NET any -> [46.41.137.51] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224236; rev:1;) alert tcp $HOME_NET any -> [165.232.40.199] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224234; rev:1;) alert tcp $HOME_NET any -> [54.162.169.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224235/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224235; rev:1;) alert tcp $HOME_NET any -> [159.65.130.139] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224233; rev:1;) alert tcp $HOME_NET any -> [54.204.25.207] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224231; rev:1;) alert tcp $HOME_NET any -> [141.95.55.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224232; rev:1;) alert tcp $HOME_NET any -> [5.157.80.242] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224230; rev:1;) alert tcp $HOME_NET any -> [13.229.250.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224229; rev:1;) alert tcp $HOME_NET any -> [13.233.134.147] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224228; rev:1;) alert tcp $HOME_NET any -> [151.80.216.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224226; rev:1;) alert tcp $HOME_NET any -> [14.18.41.101] 36183 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224227; rev:1;) alert tcp $HOME_NET any -> [52.220.228.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224225; rev:1;) alert tcp $HOME_NET any -> [167.235.140.184] 24245 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224224; rev:1;) alert tcp $HOME_NET any -> [45.79.57.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224223/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_27; classtype:trojan-activity; sid:91224223; rev:1;) alert tcp $HOME_NET any -> [167.71.72.109] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224222; rev:1;) alert tcp $HOME_NET any -> [159.89.206.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224220; rev:1;) alert tcp $HOME_NET any -> [138.68.143.181] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224221; rev:1;) alert tcp $HOME_NET any -> [142.132.171.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224219; rev:1;) alert tcp $HOME_NET any -> [95.216.211.124] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224218; rev:1;) alert tcp $HOME_NET any -> [54.78.31.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224217; rev:1;) alert tcp $HOME_NET any -> [54.186.192.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224215; rev:1;) alert tcp $HOME_NET any -> [81.70.76.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224216; rev:1;) alert tcp $HOME_NET any -> [94.23.216.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224214; rev:1;) alert tcp $HOME_NET any -> [116.205.241.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224213; rev:1;) alert tcp $HOME_NET any -> [54.184.213.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; 
classtype:trojan-activity; sid:91224212; rev:1;) alert tcp $HOME_NET any -> [124.221.41.140] 4333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224211; rev:1;) alert tcp $HOME_NET any -> [110.42.200.140] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224210; rev:1;) alert tcp $HOME_NET any -> [51.137.47.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224208; rev:1;) alert tcp $HOME_NET any -> [20.193.35.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224209; rev:1;) alert tcp $HOME_NET any -> [35.152.69.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224207; rev:1;) alert tcp $HOME_NET any -> [165.22.237.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224206; rev:1;) alert tcp $HOME_NET any -> [52.202.155.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224205; rev:1;) alert tcp $HOME_NET any -> [13.53.130.126] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224204; rev:1;) alert tcp $HOME_NET any -> [151.80.210.60] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224203; rev:1;) alert tcp $HOME_NET any -> [188.166.65.196] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224202; rev:1;) alert tcp $HOME_NET any -> [212.8.246.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; 
sid:91224200; rev:1;) alert tcp $HOME_NET any -> [13.40.237.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224201; rev:1;) alert tcp $HOME_NET any -> [18.188.127.215] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224199; rev:1;) alert tcp $HOME_NET any -> [42.192.125.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224198; rev:1;) alert tcp $HOME_NET any -> [83.138.53.164] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224196; rev:1;) alert tcp $HOME_NET any -> [45.41.204.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224197; rev:1;) alert tcp $HOME_NET any -> [18.216.206.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224195; rev:1;) alert tcp $HOME_NET any -> [94.158.245.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224194; rev:1;) alert tcp $HOME_NET any -> [95.143.49.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224192; rev:1;) alert tcp $HOME_NET any -> [112.90.157.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224193; rev:1;) alert tcp $HOME_NET any -> [145.131.32.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224191; rev:1;) alert tcp $HOME_NET any -> [174.138.24.144] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224189; rev:1;) alert tcp 
$HOME_NET any -> [167.114.115.246] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224190; rev:1;) alert tcp $HOME_NET any -> [54.153.180.18] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224188; rev:1;) alert tcp $HOME_NET any -> [13.50.114.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224187; rev:1;) alert tcp $HOME_NET any -> [173.249.24.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224185; rev:1;) alert tcp $HOME_NET any -> [34.151.109.102] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224186; rev:1;) alert tcp $HOME_NET any -> [157.245.102.242] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1224184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224184; rev:1;) alert tcp $HOME_NET any -> [111.230.244.43] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224183; rev:1;) alert tcp $HOME_NET any -> [124.220.79.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224181; rev:1;) alert tcp $HOME_NET any -> [54.244.70.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224182; rev:1;) alert tcp $HOME_NET any -> [191.96.53.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224180; rev:1;) alert tcp $HOME_NET any -> [117.72.16.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224178; rev:1;) alert tcp $HOME_NET any -> 
[4.194.36.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224179; rev:1;) alert tcp $HOME_NET any -> [75.119.139.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224177; rev:1;) alert tcp $HOME_NET any -> [43.130.70.58] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224176; rev:1;) alert tcp $HOME_NET any -> [167.114.90.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224175; rev:1;) alert tcp $HOME_NET any -> [137.184.51.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224173; rev:1;) alert tcp $HOME_NET any -> [165.232.104.7] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224174; rev:1;) alert tcp $HOME_NET any -> [112.213.125.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224172; rev:1;) alert tcp $HOME_NET any -> [49.13.249.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224171; rev:1;) alert tcp $HOME_NET any -> [147.182.161.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224169; rev:1;) alert tcp $HOME_NET any -> [18.231.195.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224170; rev:1;) alert tcp $HOME_NET any -> [46.101.11.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224168; rev:1;) alert tcp $HOME_NET any -> 
[34.142.206.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224167; rev:1;) alert tcp $HOME_NET any -> [34.251.38.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224165; rev:1;) alert tcp $HOME_NET any -> [18.159.172.54] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224166; rev:1;) alert tcp $HOME_NET any -> [20.238.49.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224164; rev:1;) alert tcp $HOME_NET any -> [16.171.16.100] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224163; rev:1;) alert tcp $HOME_NET any -> [85.239.230.138] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1224161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224161; rev:1;) alert tcp $HOME_NET any -> [34.230.28.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224162; rev:1;) alert tcp $HOME_NET any -> [203.12.200.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224160; rev:1;) alert tcp $HOME_NET any -> [3.26.33.28] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224158; rev:1;) alert tcp $HOME_NET any -> [159.65.53.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224159; rev:1;) alert tcp $HOME_NET any -> [149.104.23.83] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224157; rev:1;) alert tcp $HOME_NET any -> [178.62.192.122] 63333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224156; rev:1;) alert tcp $HOME_NET any -> [143.110.220.151] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224154; rev:1;) alert tcp $HOME_NET any -> [89.58.53.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224155; rev:1;) alert tcp $HOME_NET any -> [54.151.129.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224153; rev:1;) alert tcp $HOME_NET any -> [136.144.209.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224152; rev:1;) alert tcp $HOME_NET any -> [15.207.166.83] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224151/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224151; rev:1;) alert tcp $HOME_NET any -> [45.227.61.113] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224150; rev:1;) alert tcp $HOME_NET any -> [40.121.42.210] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224149; rev:1;) alert tcp $HOME_NET any -> [104.47.145.108] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224148; rev:1;) alert tcp $HOME_NET any -> [173.230.145.200] 2319 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224147; rev:1;) alert tcp $HOME_NET any -> [162.14.67.184] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224145; rev:1;) alert tcp $HOME_NET any -> [54.224.200.152] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224146; rev:1;) alert tcp $HOME_NET any -> [13.58.55.150] 8567 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224144; rev:1;) alert tcp $HOME_NET any -> [82.157.138.94] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224143; rev:1;) alert tcp $HOME_NET any -> [16.16.90.161] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224141; rev:1;) alert tcp $HOME_NET any -> [164.68.115.28] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224142; rev:1;) alert tcp $HOME_NET any -> [178.254.32.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224140/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224140; rev:1;) alert tcp $HOME_NET any -> [123.56.248.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224139; rev:1;) alert tcp $HOME_NET any -> [206.237.2.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224138; rev:1;) alert tcp $HOME_NET any -> [159.65.50.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224137; rev:1;) alert tcp $HOME_NET any -> [198.23.254.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224135; rev:1;) alert tcp $HOME_NET any -> [175.178.114.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224136; rev:1;) alert tcp $HOME_NET any -> [34.224.70.190] 10777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224134; rev:1;) alert tcp $HOME_NET any -> [3.235.16.65] 3636 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224133; rev:1;) alert tcp $HOME_NET any -> [151.80.216.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224132; rev:1;) alert tcp $HOME_NET any -> [107.172.102.49] 82 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224131; rev:1;) alert tcp $HOME_NET any -> [134.122.109.9] 5115 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224130; rev:1;) alert tcp $HOME_NET any -> [68.219.200.71] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224129/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_27; classtype:trojan-activity; sid:91224129; rev:1;) alert tcp $HOME_NET any -> [195.74.86.44] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224128; rev:1;) alert tcp $HOME_NET any -> [143.198.138.173] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224127; rev:1;) alert tcp $HOME_NET any -> [185.224.139.32] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224126; rev:1;) alert tcp $HOME_NET any -> [178.62.209.220] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224125; rev:1;) alert tcp $HOME_NET any -> [67.207.82.103] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224124; rev:1;) alert tcp $HOME_NET any -> [20.98.48.148] 2002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224123; rev:1;) alert tcp $HOME_NET any -> [143.198.43.83] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224122; rev:1;) alert tcp $HOME_NET any -> [62.204.41.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224121; rev:1;) alert tcp $HOME_NET any -> [62.204.41.35] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224120; rev:1;) alert tcp $HOME_NET any -> [34.230.9.163] 80 (msg:"ThreatFox Godfather botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224119; rev:1;) alert tcp $HOME_NET any -> [195.3.223.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; 
sid:91224118; rev:1;) alert tcp $HOME_NET any -> [105.106.223.78] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224117; rev:1;) alert tcp $HOME_NET any -> [8.134.123.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224116; rev:1;) alert tcp $HOME_NET any -> [101.33.33.237] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224115; rev:1;) alert tcp $HOME_NET any -> [193.163.170.172] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224114; rev:1;) alert tcp $HOME_NET any -> [206.84.153.217] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; 
depth:3; nocase; http.host; content:"43.153.206.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"118.31.114.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"110.41.11.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"114.132.238.70"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224108/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_27; classtype:trojan-activity; sid:91224108; rev:1;) alert tcp $HOME_NET any -> [20.196.198.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.xcb.one"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/printenv/d2udlm17"; depth:24; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/printenv/d2udlm17"; depth:24; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calculate/in/s94apdy8m"; depth:23; nocase; http.host; content:"47.94.138.63"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224102; rev:1;) alert tcp $HOME_NET any -> [109.107.182.30] 20301 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224101; rev:1;) alert tcp $HOME_NET any -> [94.49.168.110] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224100/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91224100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/359d80f9.php"; depth:13; nocase; http.host; content:"aguantemessi0234.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1224085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224085; rev:1;) alert tcp $HOME_NET any -> [78.178.154.228] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224081/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91224081; rev:1;) alert tcp $HOME_NET any -> [13.235.48.200] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224080/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91224080; rev:1;) alert tcp $HOME_NET any -> [140.141.244.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224079/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91224079; rev:1;) alert tcp $HOME_NET any -> [74.12.146.61] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224078/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91224078; rev:1;) alert tcp $HOME_NET any -> [82.3.236.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224077/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91224077; rev:1;) alert tcp $HOME_NET any -> [34.245.111.185] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224076/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91224076; rev:1;) alert tcp $HOME_NET any -> [146.190.121.36] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224075/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91224075; rev:1;) alert tcp $HOME_NET any -> [84.201.163.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224074/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91224074; rev:1;) alert tcp $HOME_NET any -> [45.93.20.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224072; rev:1;) alert tcp $HOME_NET any -> [185.222.57.69] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224073; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 47287 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224071; rev:1;) alert tcp $HOME_NET any -> [85.110.177.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224070; rev:1;) alert tcp $HOME_NET any -> [83.110.223.45] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224069; rev:1;) alert tcp 
$HOME_NET any -> [141.164.140.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224068; rev:1;) alert tcp $HOME_NET any -> [197.14.152.17] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224067; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224066; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224065; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224064; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224062/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224062; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224063; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224061; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224060; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224059; rev:1;) alert tcp $HOME_NET any -> [187.135.94.249] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224058; rev:1;) alert tcp $HOME_NET any -> [187.135.94.249] 1978 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224057; rev:1;) alert tcp $HOME_NET any -> [88.240.237.122] 4444 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224056; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1215466.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1319551.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224052/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-98-201.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224050/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_27; classtype:trojan-activity; sid:91224050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-96-174.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224051/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_27; classtype:trojan-activity; sid:91224051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"workernode3.dev.providerdom.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224049/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_27; classtype:trojan-activity; sid:91224049; rev:1;) alert tcp $HOME_NET any -> [114.223.85.73] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224048; rev:1;) alert tcp $HOME_NET any -> [39.107.155.165] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224047; rev:1;) alert tcp $HOME_NET any -> [74.48.127.28] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224046; rev:1;) alert tcp $HOME_NET any -> [81.70.153.38] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224045; rev:1;) alert tcp $HOME_NET any -> [123.60.128.4] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224044; rev:1;) alert tcp $HOME_NET any -> [1.94.8.83] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224043; rev:1;) alert tcp $HOME_NET any -> [38.12.25.199] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224042; rev:1;) alert tcp $HOME_NET any -> [211.97.157.166] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224041/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224041; rev:1;) alert tcp $HOME_NET any -> [23.94.62.181] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224040; rev:1;) alert tcp $HOME_NET any -> [47.118.48.188] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224039; rev:1;) alert tcp $HOME_NET any -> [116.211.228.233] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224038; rev:1;) alert tcp $HOME_NET any -> [47.120.42.255] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minerchenzhi888.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224036; rev:1;) alert tcp $HOME_NET any -> [85.209.176.126] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gem.gradingran.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-230-47-185.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224033; rev:1;) alert tcp $HOME_NET any -> [34.201.97.6] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85.192.63.29.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224031; rev:1;) alert tcp $HOME_NET any -> [148.135.121.196] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224030; rev:1;) alert tcp $HOME_NET any -> [88.99.210.25] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224029; rev:1;) alert tcp $HOME_NET any -> [178.236.246.210] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224027; rev:1;) alert tcp $HOME_NET any -> [194.33.191.202] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224028; rev:1;) alert tcp $HOME_NET any -> [87.121.87.59] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224026; rev:1;) alert tcp $HOME_NET any -> [137.175.19.209] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224025; rev:1;) alert tcp $HOME_NET any -> [206.84.154.119] 8888 
(msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224024; rev:1;) alert tcp $HOME_NET any -> [62.68.75.236] 1602 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224023; rev:1;) alert tcp $HOME_NET any -> [20.213.246.160] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224022; rev:1;) alert tcp $HOME_NET any -> [185.220.204.33] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224021; rev:1;) alert tcp $HOME_NET any -> [222.186.56.59] 10000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224019; rev:1;) alert tcp $HOME_NET any -> [103.145.87.4] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224020/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224020; rev:1;) alert tcp $HOME_NET any -> [54.37.237.170] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202304197391224451.megasrv.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224016; rev:1;) alert tcp $HOME_NET any -> [207.174.28.42] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202304199058227026.goodsrv.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224015; rev:1;) alert tcp $HOME_NET any -> [18.216.147.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224014; rev:1;) alert tcp $HOME_NET any -> [139.224.36.193] 8088 (msg:"ThreatFox Quasar RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224013; rev:1;) alert tcp $HOME_NET any -> [91.92.240.98] 17444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224012; rev:1;) alert tcp $HOME_NET any -> [5.196.243.97] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224011; rev:1;) alert tcp $HOME_NET any -> [34.124.177.146] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224009; rev:1;) alert tcp $HOME_NET any -> [164.152.19.24] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224010; rev:1;) alert tcp $HOME_NET any -> [5.42.92.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; 
classtype:trojan-activity; sid:91224008; rev:1;) alert tcp $HOME_NET any -> [194.87.31.42] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224006; rev:1;) alert tcp $HOME_NET any -> [194.87.71.41] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"astramedplus1.fvds.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youthful-euler.91-215-85-177.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizardly-napier.91-215-85-133.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224004; rev:1;) alert tcp $HOME_NET any -> [18.141.3.52] 82 (msg:"ThreatFox Hook botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1224002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.to2express.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.fatimafoods.co.uk"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1224001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91224001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plsxclaim.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223999; rev:1;) alert tcp $HOME_NET any -> [146.19.247.239] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223998; rev:1;) alert tcp $HOME_NET any -> [91.92.251.115] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223996/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223996; rev:1;) alert tcp $HOME_NET any -> [91.217.177.121] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223997; rev:1;) alert tcp $HOME_NET any -> [206.189.204.202] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223995; rev:1;) alert tcp $HOME_NET any -> [91.92.246.71] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223994; rev:1;) alert tcp $HOME_NET any -> [176.123.168.62] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223992; rev:1;) alert tcp $HOME_NET any -> [91.92.254.55] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223993; rev:1;) alert tcp $HOME_NET any -> [185.146.157.147] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223991; rev:1;) alert tcp $HOME_NET any -> [44.197.84.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223990; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 3497 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223989; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 55524 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223987; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223988; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 37578 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223986; rev:1;) alert tcp $HOME_NET any -> 
[212.13.186.180] 33389 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223985; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223983; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 15618 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223984; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 5649 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223982; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 54603 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223980; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 2082 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223981/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223981; rev:1;) alert tcp $HOME_NET any -> [212.13.186.180] 17970 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223979; rev:1;) alert tcp $HOME_NET any -> [190.28.142.129] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223978; rev:1;) alert tcp $HOME_NET any -> [91.109.178.8] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223977; rev:1;) alert tcp $HOME_NET any -> [206.123.132.167] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223976; rev:1;) alert tcp $HOME_NET any -> [172.94.122.166] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223974; rev:1;) alert tcp $HOME_NET any -> [91.109.188.7] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223975; rev:1;) alert tcp $HOME_NET any -> [172.94.122.166] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223973; rev:1;) alert tcp $HOME_NET any -> [181.214.240.107] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223972; rev:1;) alert tcp $HOME_NET any -> [78.178.154.228] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223971; rev:1;) alert tcp $HOME_NET any -> [37.221.93.62] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223969; rev:1;) alert tcp $HOME_NET any -> [212.98.224.226] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223970; 
rev:1;) alert tcp $HOME_NET any -> [38.180.91.62] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223968; rev:1;) alert tcp $HOME_NET any -> [94.156.64.168] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223967; rev:1;) alert tcp $HOME_NET any -> [172.111.248.167] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223966; rev:1;) alert tcp $HOME_NET any -> [185.62.85.197] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223965; rev:1;) alert tcp $HOME_NET any -> [37.1.193.156] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223964/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223964; rev:1;) alert tcp $HOME_NET any -> [194.116.191.150] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223963/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"stationarycell.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223962/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223962; rev:1;) alert tcp $HOME_NET any -> [94.131.119.167] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223961/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223961; rev:1;) alert tcp $HOME_NET any -> [95.216.146.24] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223959/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223959; rev:1;) alert tcp $HOME_NET any -> [91.92.254.156] 2053 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223960/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223960; rev:1;) alert tcp $HOME_NET any -> [139.59.236.124] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223958/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223958; rev:1;) alert tcp $HOME_NET any -> [45.141.100.164] 31337 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223957/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_27; classtype:trojan-activity; sid:91223957; rev:1;) alert tcp $HOME_NET any -> [104.143.47.47] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223956; rev:1;) alert tcp $HOME_NET any -> [124.223.9.174] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223955; rev:1;) alert tcp $HOME_NET any -> [47.113.200.137] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223954; rev:1;) alert tcp $HOME_NET any -> [120.27.212.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223953; rev:1;) alert tcp $HOME_NET any -> [45.77.154.202] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223952/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_27; classtype:trojan-activity; sid:91223952; rev:1;) alert tcp $HOME_NET any -> [45.77.154.202] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223951; rev:1;) alert tcp $HOME_NET any -> [34.87.81.182] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223950; rev:1;) alert tcp $HOME_NET any -> [158.247.216.36] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223949; rev:1;) alert tcp $HOME_NET any -> [45.207.47.21] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223948; rev:1;) alert tcp $HOME_NET any -> [123.207.50.70] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223947; rev:1;) alert tcp $HOME_NET any -> [123.207.50.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223946; rev:1;) alert tcp $HOME_NET any -> [47.106.171.201] 1280 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223944; rev:1;) alert tcp $HOME_NET any -> [123.207.50.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223945; rev:1;) alert tcp $HOME_NET any -> [124.221.229.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223943; rev:1;) alert tcp $HOME_NET any -> [121.4.59.117] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223942; rev:1;) alert tcp $HOME_NET any -> [204.44.86.231] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; 
sid:91223941; rev:1;)
# ---------------------------------------------------------------------------
# Review notes (comments only; the ThreatFox rules below are unchanged, one
# rule per line as Suricata requires).
#
# Three rule shapes are used in this feed:
#  * "ip:port" rules: alert tcp $HOME_NET any -> [ip] port, limited to one
#    alert per internal source per 60 s (threshold: type limit, track by_src).
#    They carry no flow: keyword, so any client->server packet to the listed
#    ip:port fires them, including an unanswered SYN to a C2 that is already
#    down. The limit is per sid, so one host beaconing to several listed IPs
#    still yields one alert per matching sid. target:src_ip marks the internal
#    host as the victim.
#  * "domain" rules: dns_query anchored at offset 0 (depth == name length) and
#    terminated with isdataat:!1,relative, i.e. an exact, case-insensitive
#    match on the queried name. Sub-labels of the listed name (www.<name>) do
#    NOT match.
#  * "url" rules: GET + exact http.host; the http.uri content is anchored at
#    the start but has no trailing isdataat, so it is a path-prefix match and
#    a query string after the path still matches. Where the uri content is
#    just "/" (depth:1) the rule fires on every GET to that host.
#
# Confidence is carried both in msg and in metadata (confidence_level N).
# Entries at 50 should be reviewed before use in IPS/blocking mode; e.g. a
# suricata-update disable.conf regex on "confidence_level 50" can keep them
# alert-only. All entries here were first seen 2023_12_27 (see first_seen).
# ---------------------------------------------------------------------------
# Cobalt Strike C2 ip:port indicators, confidence 100.
alert tcp $HOME_NET any -> [121.37.198.25] 2346 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223939; rev:1;)
alert tcp $HOME_NET any -> [39.105.4.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223940; rev:1;)
alert tcp $HOME_NET any -> [23.94.168.52] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223938; rev:1;)
alert tcp $HOME_NET any -> [209.146.124.197] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223937; rev:1;)
alert tcp $HOME_NET any -> [120.79.154.38] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223936; rev:1;)
alert tcp $HOME_NET any -> [167.179.102.24] 51314 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223935; rev:1;)
alert tcp $HOME_NET any -> [175.178.14.59] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223933; rev:1;)
alert tcp $HOME_NET any -> [8.130.86.184] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223934; rev:1;)
alert tcp $HOME_NET any -> [106.52.78.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223932; rev:1;)
alert tcp $HOME_NET any -> [111.230.42.149] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223931; rev:1;)
alert tcp $HOME_NET any -> [114.132.218.55] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223930; rev:1;)
alert tcp $HOME_NET any -> [101.201.46.105] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223929; rev:1;)
alert tcp $HOME_NET any -> [123.207.56.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223928; rev:1;)
alert tcp $HOME_NET any -> [159.75.97.169] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223927; rev:1;)
alert tcp $HOME_NET any -> [92.118.36.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223926; rev:1;)
alert tcp $HOME_NET any -> [117.72.42.129] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223925; rev:1;)
alert tcp $HOME_NET any -> [139.84.140.146] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223923; rev:1;)
alert tcp $HOME_NET any -> [163.197.217.204] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223924; rev:1;)
alert tcp $HOME_NET any -> [123.60.67.177] 8747 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223922; rev:1;)
alert tcp $HOME_NET any -> [45.125.67.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223921; rev:1;)
alert tcp $HOME_NET any -> [121.41.176.54] 555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223920; rev:1;)
alert tcp $HOME_NET any -> [118.24.129.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223919; rev:1;)
alert tcp $HOME_NET any -> [131.186.56.94] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223918; rev:1;)
alert tcp $HOME_NET any -> [45.77.31.121] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223917; rev:1;)
alert tcp $HOME_NET any -> [175.178.49.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223916; rev:1;)
# Same host listed on 80 and 443 (two sids); one beacon on each port fires both.
alert tcp $HOME_NET any -> [39.100.95.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223914; rev:1;)
alert tcp $HOME_NET any -> [39.100.95.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223915; rev:1;)
alert tcp $HOME_NET any -> [198.44.166.213] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223913; rev:1;)
alert tcp $HOME_NET any -> [122.51.68.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223911; rev:1;)
alert tcp $HOME_NET any -> [111.180.194.194] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223912; rev:1;)
alert tcp $HOME_NET any -> [142.171.26.166] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223910; rev:1;)
alert tcp $HOME_NET any -> [209.146.124.198] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223908; rev:1;)
alert tcp $HOME_NET any -> [110.40.213.80] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223909; rev:1;)
alert tcp $HOME_NET any -> [49.235.101.111] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223907; rev:1;)
alert tcp $HOME_NET any -> [106.14.83.3] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223906; rev:1;)
alert tcp $HOME_NET any -> [47.100.249.61] 57800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223905; rev:1;)
alert tcp $HOME_NET any -> [124.223.218.3] 10090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223904; rev:1;)
alert tcp $HOME_NET any -> [39.105.31.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223903; rev:1;)
# NOTE(review): this name appears to be a provider-assigned hostname that
# encodes the instance address (171.33.115.245 on Outscale eu-west-2). Such
# names are re-issued when the instance is released, so treat this DNS
# indicator as having the shelf life of an IP indicator, not of a domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ows-171-33-115-245.eu-west-2.compute.outscale.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223901; rev:1;)
alert tcp $HOME_NET any -> [103.30.76.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223902; rev:1;)
alert tcp $HOME_NET any -> [190.92.227.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shuyingbaofu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223899; rev:1;)
# NOTE(review): provider-assigned name encoding 172.104.67.4 (Linode); same
# short shelf life caveat as the outscale.com entry above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"172-104-67-4.ip.linodeusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223898; rev:1;)
alert tcp $HOME_NET any -> [45.42.45.36] 45450 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223897; rev:1;)
# Dynamic-DNS label: only this exact name matches, not other duckdns.org hosts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackberryfn.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getdata.php"; depth:12; nocase; http.host; content:"proximaideia.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223895; rev:1;)
# RedLine cluster on 213.248.43.40 / .109: four URL rules plus two ip:port
# rules below. A matching GET sent to port 80 fires both the URL sid and the
# (rate-limited) ip:port sid for the same flow; expect paired alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223892; rev:1;)
alert tcp $HOME_NET any -> [213.248.43.40] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223893; rev:1;)
alert tcp $HOME_NET any -> [213.248.43.109] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223894; rev:1;)
alert tcp $HOME_NET any -> [43.138.20.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223888; rev:1;)
# NOTE(review): tenant-specific API-gateway hostname (Tencent). The DNS rule
# and the URL rule that follows describe the same endpoint; the URL rule
# additionally requires GET /ie9compatviewlist.xml (prefix match).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hsyluctr-1252427727.bj.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"service-hsyluctr-1252427727.bj.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223886; rev:1;)
alert tcp $HOME_NET any -> [163.5.215.211] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223885; rev:1;)
# Payload-delivery hosts with uri "/" (depth:1): each of the next ten rules
# fires on ANY GET to the named host, not on a specific download path.
# NOTE(review): the names look like ordinary personal/small-business sites,
# presumably compromised to host payloads; they may be cleaned up and return
# to legitimate use, so verify before blocking and expire early.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stevebrame.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mattchambers.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jasonwickham.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"annetterawlings.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"georgeformby.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rustysmith.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dorseyinc.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"amyroth.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wlynch.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"davidrcarter.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223884; rev:1;)
# Confidence drops to 80/50 from here on; see deployment note at the top.
alert tcp $HOME_NET any -> [162.251.166.163] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223874/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223874; rev:1;)
alert tcp $HOME_NET any -> [106.55.186.215] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223873/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"201.221.109.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223871/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223871; rev:1;)
# NOTE(review): 3790/tcp is commonly the Metasploit Pro web console rather
# than a Meterpreter handler port; an internal host connecting to it may be
# your own pentest tooling. Confirm ownership before treating as compromise.
alert tcp $HOME_NET any -> [13.126.136.220] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223870/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ph-explorer.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223869/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223869; rev:1;)
alert tcp $HOME_NET any -> [83.221.220.161] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223868/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223868; rev:1;)
alert tcp $HOME_NET any -> [124.222.247.225] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223867/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223867; rev:1;)
alert tcp $HOME_NET any -> [175.203.14.166] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223866; rev:1;)
alert tcp $HOME_NET any -> [43.143.123.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223865/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223864; rev:1;)
# NOTE(review): 2376/tcp is also the conventional Docker TLS daemon port;
# check whether the listed host is something your environment legitimately
# talks to before relying on this sid (confidence 80).
alert tcp $HOME_NET any -> [35.203.30.240] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223863/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223863; rev:1;)
alert tcp $HOME_NET any -> [104.143.47.47] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223862/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223862; rev:1;)
# 159.75.97.169 is also listed above on 8088 at confidence 100 (sid 91223927).
alert tcp $HOME_NET any -> [159.75.97.169] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223861/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223861; rev:1;)
alert tcp $HOME_NET any -> [144.168.60.68] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223860/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223860; rev:1;)
alert tcp $HOME_NET any -> [15.222.66.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223859/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223859; rev:1;)
alert tcp $HOME_NET any -> [114.67.125.207] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223858/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223858; rev:1;)
# Same 3790/tcp caveat as sid 91223870 above.
alert tcp $HOME_NET any -> [198.244.148.175] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223857/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascripttemporary/3/lineprocess/bigloadprocessdle/5/async/linegeomulti/http/3publicpolldb/game0generator/imagelinuxflower/trafficdownloadscdnhttp/dbflower/secure51mariadb/3datalife/pipe/generator/toasyncprotonlinux/bigloadeternalwpline/jsprocessflowergenerator.php"; depth:267; nocase; http.host; content:"83.229.75.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"caneclothesdriverhen.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223855; rev:1;)
alert tcp $HOME_NET any -> [120.48.58.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223854/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223854; rev:1;)
alert tcp $HOME_NET any -> [114.132.155.224] 48251 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223853/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223853; rev:1;)
alert tcp $HOME_NET any -> [151.236.59.218] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223852/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223852; rev:1;)
# QakBot ip:port entries, all confidence 50, on 443/995. NOTE(review): these
# are plain IP:port matches with no TLS or payload context; given the age
# (first_seen 2023_12_27) and the low confidence, verify they are still
# active before enabling them in blocking mode.
alert tcp $HOME_NET any -> [85.113.124.147] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223851/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223851; rev:1;)
alert tcp $HOME_NET any -> [41.98.254.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223850/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223850; rev:1;)
alert tcp $HOME_NET any -> [201.137.178.242] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223849/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223849; rev:1;)
alert tcp $HOME_NET any -> [216.137.206.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223848/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223848; rev:1;)
alert tcp $HOME_NET any -> [41.136.61.95] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223847/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223847; rev:1;)
alert tcp $HOME_NET any -> [24.45.146.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223846/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223846; rev:1;)
alert tcp $HOME_NET any -> [2.50.137.114] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223845/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223845; rev:1;)
# "Responder" entries on 445/tcp. NOTE(review): the label suggests an
# Internet-facing SMB credential-capture host. Any outbound 445 from
# $HOME_NET to the Internet is worth a generic alert (or an egress block)
# regardless of these three IPs; do not rely on the IP list alone.
alert tcp $HOME_NET any -> [170.187.148.245] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223844/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223844; rev:1;)
alert tcp $HOME_NET any -> [3.254.70.209] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223843/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223843; rev:1;)
alert tcp $HOME_NET any -> [3.255.152.96] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223842/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223842; rev:1;)
# Havoc / BianLian / Deimos / Brute Ratel C4 at confidence 50. NOTE(review):
# several of these are C2 frameworks also used by authorized red teams;
# check against any engagement allow-list before escalating a hit.
alert tcp $HOME_NET any -> [5.35.34.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223841/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223841; rev:1;)
alert tcp $HOME_NET any -> [66.85.27.144] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223840/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223840; rev:1;)
alert tcp $HOME_NET any -> [66.85.27.144] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223839/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223839; rev:1;)
alert tcp $HOME_NET any -> [112.29.177.225] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223838/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223838; rev:1;)
alert tcp $HOME_NET any -> [45.249.9.171] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223837/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223837; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.156] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223836/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223836; rev:1;)
# C2 hosts matched on uri "/" (depth:1): any GET to these four names fires.
# Because these are HTTP rules, a client that resolves the name but talks
# HTTPS will not be seen here; there is no matching dns rule for them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tahtalidyolezdoliezdominez.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hepgeldomkelzdomezforez.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"domlezcomlezdomdenyomegdo.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"saygedyolezdomezdominez.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223823; rev:1;)
alert tcp $HOME_NET any -> [124.220.7.195] 8584 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223834; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"temt.top"; depth:8; nocase; reference:url, threatfox.abuse.ch/ioc/1223817/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_27; classtype:trojan-activity; sid:91223817; rev:1;) alert tcp $HOME_NET any -> [103.142.246.228] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223815; rev:1;) alert tcp $HOME_NET any -> [5.181.156.131] 667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223807/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_27; classtype:trojan-activity; sid:91223807; rev:1;) alert tcp $HOME_NET any -> [141.98.10.47] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223808/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_27; classtype:trojan-activity; sid:91223808; rev:1;) alert tcp $HOME_NET any -> [66.204.14.149] 2762 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223833/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223833; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223832/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223832; rev:1;) alert tcp $HOME_NET any -> [34.87.81.182] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223831/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223831; rev:1;) alert tcp $HOME_NET any -> [87.121.87.36] 1335 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223830/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_27; classtype:trojan-activity; sid:91223830; rev:1;) alert tcp $HOME_NET any -> [118.89.197.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223829/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"muggymidnightleanuu.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_27; classtype:trojan-activity; sid:91223828; rev:1;) alert tcp $HOME_NET any -> [124.221.190.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223827/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; 
classtype:trojan-activity; sid:91223827; rev:1;) alert tcp $HOME_NET any -> [108.61.177.107] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223826/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223826; rev:1;) alert tcp $HOME_NET any -> [34.118.141.190] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223825/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223825; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223824/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_27; classtype:trojan-activity; sid:91223824; rev:1;) alert tcp $HOME_NET any -> [103.143.28.35] 2337 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223819; rev:1;) alert tcp $HOME_NET any -> [38.6.219.47] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223812/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223812; rev:1;) alert tcp $HOME_NET any -> [193.163.170.185] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1223811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223811; rev:1;) alert tcp $HOME_NET any -> [46.1.21.123] 25565 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223810/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223810; rev:1;) alert tcp $HOME_NET any -> [8.213.210.58] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223809/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siteindex/c/"; depth:13; nocase; http.host; content:"mricossoftmanager.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223805/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"173.255.204.62"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1223806/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223806; rev:1;) alert tcp $HOME_NET any -> [141.98.234.31] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223766/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223766; rev:1;) alert tcp $HOME_NET any -> [95.216.13.16] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223769; rev:1;) alert tcp $HOME_NET any -> [91.107.200.181] 7632 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223764; rev:1;) alert tcp $HOME_NET any -> [95.216.227.177] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223767; rev:1;) alert tcp $HOME_NET any -> [65.109.80.185] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"110.40.213.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223770; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"110.40.213.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"absorbbiblowskinj.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ownerteztapplicatiow.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"myoffice-security.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1223798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; 
http.host; content:"16.171.112.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"16.171.112.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/auth.owa"; depth:13; nocase; http.host; content:"45.133.195.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223804; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 13017 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223801; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 13017 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223800; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 13017 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223799; rev:1;) alert tcp $HOME_NET any -> [211.149.166.212] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223796/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223796; rev:1;) alert tcp $HOME_NET any -> [122.51.174.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223795/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223795; rev:1;) alert tcp $HOME_NET any -> [37.252.6.219] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223794/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223794; rev:1;) alert tcp $HOME_NET any -> [176.44.60.118] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223793/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223793; rev:1;) alert tcp $HOME_NET any -> [78.176.199.231] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223792/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223792; rev:1;) alert tcp $HOME_NET any -> 
[105.99.129.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223791/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223791; rev:1;) alert tcp $HOME_NET any -> [94.49.0.237] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223790/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223790; rev:1;) alert tcp $HOME_NET any -> [140.82.43.100] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223789/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223789; rev:1;) alert tcp $HOME_NET any -> [18.202.32.159] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223788/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223788; rev:1;) alert tcp $HOME_NET any -> [34.241.144.217] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223787/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223787; rev:1;) alert tcp $HOME_NET any -> [170.64.184.66] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223786/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_26; classtype:trojan-activity; sid:91223786; rev:1;) alert tcp $HOME_NET any -> [34.253.198.138] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223785/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223785; rev:1;) alert tcp $HOME_NET any -> [34.245.186.32] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223784/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223784; rev:1;) alert tcp $HOME_NET any -> [79.133.51.66] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223782/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223782; rev:1;) alert tcp $HOME_NET any -> [66.85.27.144] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223781/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223781; rev:1;) alert tcp $HOME_NET any -> [66.85.27.144] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223780/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.78.201.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223775/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.78.201.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hm.gif"; depth:7; nocase; http.host; content:"114.132.238.70"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.135.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223772; rev:1;) alert tcp $HOME_NET any -> [185.250.47.32] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223765; rev:1;) alert tcp $HOME_NET any -> [91.92.137.249] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223755; rev:1;) alert tcp $HOME_NET any -> [81.31.197.8] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223756; rev:1;) alert tcp $HOME_NET any -> [69.30.253.122] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223757; rev:1;) alert tcp $HOME_NET any -> [45.155.250.90] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223758; rev:1;) alert tcp $HOME_NET any -> [69.30.215.106] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223759; rev:1;) alert tcp $HOME_NET any -> [185.237.206.223] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223760; 
rev:1;) alert tcp $HOME_NET any -> [163.172.86.213] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223761; rev:1;) alert tcp $HOME_NET any -> [88.80.147.105] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223762; rev:1;) alert tcp $HOME_NET any -> [195.154.220.76] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223763; rev:1;) alert tcp $HOME_NET any -> [95.216.98.218] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernwhp49.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygbib44.top"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygdxr34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygelr11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fyghzc31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygvdy41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygvol43.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223614/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_26; classtype:trojan-activity; sid:91223614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygxtj33.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fygyus23.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juk944yu39.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"larekeib.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"larekwaj.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"nekguh29.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekkfv311.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekoqb212.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekpmk211.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekxiz312.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1223625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qsthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tagweh13.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; 
sid:91223630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyahx14.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubykou33.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyeqz71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyjvy43.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubylso31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ubymid38.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubynum53.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubynuw51.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyosi41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyqjh21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyqkl44.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223641/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubysiu54.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyuhi74.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyupn61.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ubyyjt64.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buzareqam.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223646; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fannamora.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagavusava.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"henuyrapsa.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennozara.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanenura.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"posarmusza.shop"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramcazaka.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tajurkoza.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tappopra.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vavasua.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yakavama.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223657/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yazevora.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakavama.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernqpq512.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernrmt711.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernvjm611.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernpqr612.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernwbq411.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223607; rev:1;) alert tcp $HOME_NET any -> [141.255.146.183] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223753/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"dfhdjtujngtdj.atwebpages.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223752; rev:1;) alert tcp $HOME_NET any -> [91.207.5.57] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223751/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ernngy46.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernpoc41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernmwz412.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernmwa78.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernlbx59.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernjhw79.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223597/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erniqi44.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuljh73.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ernbrj48.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuiqw71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"police-circular-gov-bd.fia-gov.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223591; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"police-gov-bd.fia-gov.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mofa-gov-bd.fia-gov.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moitt-gov-pk.fia-gov.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fia-gov.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cirt-gov-mm.fia-gov.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"windows.dns-supports.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"117.50.190.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.8.158.71"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1223579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223579; rev:1;) alert tcp $HOME_NET any -> [121.40.254.24] 8812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223676; rev:1;) alert tcp $HOME_NET any -> [8.137.11.19] 7878 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223677; rev:1;) alert tcp $HOME_NET any -> [117.72.42.129] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223683; rev:1;) alert tcp $HOME_NET any -> [45.207.47.21] 10004 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223688; rev:1;) alert tcp $HOME_NET any -> [51.103.77.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223691; rev:1;)
# NOTE(review): the 18.66.242.x / 18.164.93.x / 143.204.102.180 :443 destinations that follow appear to
# be shared CDN edge addresses (consistent with fronted C2 — confirm ownership before relying on this).
# An ip:port rule on such an address alerts on every TLS session to that edge, so expect benign hits;
# corroborate with TLS SNI / certificate context or suppress per destination before treating a match
# as C2.
alert tcp $HOME_NET any -> [18.66.242.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223693; rev:1;) alert tcp $HOME_NET any -> [18.164.93.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223692; rev:1;) alert tcp $HOME_NET any -> [18.164.93.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223694; rev:1;) alert tcp $HOME_NET 
any -> [143.204.102.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223695; rev:1;) alert tcp $HOME_NET any -> [18.164.93.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223696; rev:1;) alert tcp $HOME_NET any -> [18.66.242.111] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223697; rev:1;) alert tcp $HOME_NET any -> [18.164.93.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223698; rev:1;) alert tcp $HOME_NET any -> [18.66.242.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223700; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223675; rev:1;) alert tcp $HOME_NET any -> [47.97.3.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"res.smzdm.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223733; rev:1;) alert tcp $HOME_NET any -> [39.100.107.132] 12380 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223734/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.jquerycodes.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.jscriptstore.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223737; rev:1;) alert tcp $HOME_NET any -> [81.31.197.38] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223748; rev:1;) alert tcp $HOME_NET any -> [79.132.130.163] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223749; rev:1;) alert tcp $HOME_NET any -> [194.49.94.194] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223750; rev:1;) alert tcp $HOME_NET any -> [152.89.198.214] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223746; rev:1;) alert tcp $HOME_NET any -> [45.155.250.90] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223747/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223747; rev:1;) alert tcp $HOME_NET any -> [69.30.233.162] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223745; rev:1;) alert tcp $HOME_NET any -> [188.166.101.86] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223744/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_26; classtype:trojan-activity; sid:91223744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jugoken567.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223663; rev:1;) alert tcp $HOME_NET any -> [144.208.127.157] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223661; rev:1;) alert tcp $HOME_NET any -> [23.146.184.71] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/broadcast"; depth:10; nocase; http.host; content:"213.109.202.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223743; rev:1;) alert tcp $HOME_NET any -> [1.15.189.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-pgxnje5g-1307231181.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-pgxnje5g-1307231181.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"82.156.8.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223739/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_26; classtype:trojan-activity; sid:91223739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.31.114.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223738; rev:1;) alert tcp $HOME_NET any -> [59.33.7.98] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223735/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orion1zed"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199588685141"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; 
nocase; http.host; content:"5.75.211.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.255.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.111.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223727; rev:1;) alert tcp $HOME_NET any -> [128.140.111.217] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223724; rev:1;) alert tcp $HOME_NET any -> [195.201.255.210] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223725; rev:1;) alert tcp $HOME_NET any -> [5.75.211.95] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223726; rev:1;) alert tcp $HOME_NET any -> [65.2.153.32] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223723/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223723; rev:1;) alert tcp $HOME_NET any -> [144.168.60.68] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223722/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.134.57.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; 
depth:3; nocase; http.host; content:"120.78.201.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"120.78.201.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223717; rev:1;) alert tcp $HOME_NET any -> [118.31.114.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223716/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223716; rev:1;) alert tcp $HOME_NET any -> [20.229.98.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/messages/c0527b0nm"; depth:19; nocase; http.host; content:"myappsec.eu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myappsec.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223714; rev:1;) alert tcp $HOME_NET any -> [103.131.189.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.131.189.87"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223711; rev:1;) alert tcp $HOME_NET any -> [47.94.219.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.94.219.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223708; rev:1;) alert tcp $HOME_NET any -> [3.76.8.79] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223707/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"62.113.112.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223706; rev:1;) alert tcp $HOME_NET any -> [82.115.223.55] 25119 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223705; rev:1;) alert tcp $HOME_NET 
any -> [171.5.183.122] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223704/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223704; rev:1;) alert tcp $HOME_NET any -> [104.143.47.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223703/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223703; rev:1;) alert tcp $HOME_NET any -> [114.132.238.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223702/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223702; rev:1;) alert tcp $HOME_NET any -> [65.0.170.133] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223689/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223689; rev:1;) alert tcp $HOME_NET any -> [194.169.55.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223687/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223687; rev:1;) alert tcp $HOME_NET any -> [74.48.133.27] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223686/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223686; rev:1;) alert tcp $HOME_NET any -> [8.219.4.230] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223685/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223685; rev:1;)
# NOTE(review): this run carries confidence_level 50 in metadata (Unknown malware / DCRat / QakBot / Havoc).
# If the feed drives blocking or high-severity alerting, filter or down-rank on the confidence_level
# metadata rather than on msg text. The 995/2222/443 QakBot destinations also look like dynamic or
# residential hosts (unconfirmed), so their value decays quickly after first_seen 2023_12_26.
alert tcp $HOME_NET any -> [5.163.188.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223684/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223684; rev:1;) alert tcp $HOME_NET any -> [79.130.53.195] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223682/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223682; rev:1;) alert tcp $HOME_NET any -> [89.211.213.245] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223681/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223681; rev:1;) alert tcp $HOME_NET any -> [109.153.36.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223680/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223680; rev:1;) alert tcp $HOME_NET any -> [103.174.114.187] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223679/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223679; rev:1;) alert tcp $HOME_NET any -> [8.140.203.92] 7817 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223678/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_26; classtype:trojan-activity; sid:91223678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"5.42.66.58"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223674; rev:1;) alert tcp $HOME_NET any -> [39.107.242.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223671/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223671; rev:1;) alert tcp $HOME_NET any -> [193.124.92.156] 18910 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_26; classtype:trojan-activity; sid:91223670; rev:1;) alert tcp $HOME_NET any -> [13.127.208.63] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223669/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223669; rev:1;) alert tcp $HOME_NET any -> [103.53.171.25] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223668/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223668; rev:1;) alert tcp $HOME_NET any -> [36.99.39.121] 55443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223667/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223667; rev:1;) alert tcp $HOME_NET any -> [187.135.87.248] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223666/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223666; rev:1;) alert tcp $HOME_NET any -> [47.115.213.18] 8789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223665/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_26; classtype:trojan-activity; sid:91223665; rev:1;) alert tcp $HOME_NET any -> [13.126.183.200] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223664/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223664; rev:1;) alert tcp $HOME_NET any -> [103.207.37.74] 1664 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223660; rev:1;) alert tcp $HOME_NET any -> [83.97.73.202] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-hackersdobem.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223584; rev:1;) alert tcp $HOME_NET any -> [38.46.11.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows2.systeam.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows.systeam.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223581/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223581; rev:1;) alert tcp $HOME_NET any -> [3.109.155.10] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223578/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223578; rev:1;) alert tcp $HOME_NET any -> [72.27.102.189] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223577/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223577; rev:1;) alert tcp $HOME_NET any -> [154.246.4.124] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223576/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223576; rev:1;) alert tcp $HOME_NET any -> [197.204.72.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223575/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223575; rev:1;) alert tcp $HOME_NET any -> [68.114.251.244] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223574/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223574; rev:1;) alert tcp $HOME_NET any -> [170.64.254.167] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1223573/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223573; rev:1;) alert tcp $HOME_NET any -> [3.84.191.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223572/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223572; rev:1;) alert tcp $HOME_NET any -> [45.133.216.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223571/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223571; rev:1;) alert tcp $HOME_NET any -> [151.236.22.182] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223570/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223570; rev:1;) alert tcp $HOME_NET any -> [139.135.61.33] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223569/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223569; rev:1;) alert tcp $HOME_NET any -> [45.11.183.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223556/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223556; rev:1;) alert tcp $HOME_NET any -> [82.115.223.163] 20643 (msg:"ThreatFox RedLine 
Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223555; rev:1;) alert tcp $HOME_NET any -> [46.246.96.149] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chincenterblandwka.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"maskmusicalproplemanw.pw"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ranchguarrelguidewa.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; 
sid:91223525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cachetransferjs.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223553; rev:1;) alert tcp $HOME_NET any -> [23.95.182.18] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m3cz"; depth:5; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223552/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_25; classtype:trojan-activity; sid:91223552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"150.158.50.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223550/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"service-dlsvfir0-1319620322.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.43.49.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.130.133.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"epsonupdate.uk"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"solar.huawei.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223543; rev:1;) alert tcp $HOME_NET any -> [87.121.87.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223542/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223542; rev:1;) alert tcp $HOME_NET any -> [45.153.129.229] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223541/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_25; classtype:trojan-activity; sid:91223541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.mygoogleupdate.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mygoogleupdate.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.temt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.temt.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223537; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.91.109.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"62.234.19.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"45.153.129.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"106.55.179.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/owa/"; depth:15; nocase; http.host; content:"ok.ppctech.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"39.100.78.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223528; rev:1;) alert tcp $HOME_NET any -> [193.122.182.182] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223527/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223527; rev:1;) alert tcp $HOME_NET any -> [118.31.114.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223526/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223526; rev:1;) alert tcp $HOME_NET any -> [77.105.132.102] 32607 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223521; rev:1;) alert tcp $HOME_NET any -> [209.146.124.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"209.146.124.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223518; rev:1;) alert tcp $HOME_NET any -> [209.146.124.197] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; 
classtype:trojan-activity; sid:91223519; rev:1;) alert tcp $HOME_NET any -> [43.139.35.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.96.170.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223516; rev:1;) alert tcp $HOME_NET any -> [65.108.156.223] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223515/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkapi.php"; depth:11; nocase; http.host; content:"k1-ai-jk.789aa654.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k1-ai-jk.789aa654.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223508/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_25; classtype:trojan-activity; sid:91223508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"k1-ai-jk.789aa654.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ok.php"; depth:7; nocase; http.host; content:"k1-ai-jk.789aa654.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkapi.php"; depth:11; nocase; http.host; content:"k3-ai-jk.jkapp88.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ok.php"; depth:7; nocase; http.host; content:"k3-ai-jk.jkapp88.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.php"; depth:11; nocase; http.host; content:"k3-ai-jk.jkapp88.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k3-ai-jk.jkapp88.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkapp88.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223513; rev:1;) alert tcp $HOME_NET any -> [154.212.147.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223514; rev:1;) alert tcp $HOME_NET any -> [220.69.33.222] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223504/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223504; rev:1;) alert tcp $HOME_NET any -> [194.36.190.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223503/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"poolserverisippool.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223362/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"serversippoolcheck.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223363/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"serverspoolcheckip.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223364/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"serverscheckippool.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223365/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_12_25; classtype:trojan-activity; sid:91223365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipcheckserverspool.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223366/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"bestscanipworld.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223367/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"scanbestipworld.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223368/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipbestscanworld.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223369/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldipbestscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223370/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223370; rev:1;) alert tcp $HOME_NET any -> [91.228.225.55] 55225 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223374/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_25; classtype:trojan-activity; sid:91223374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"2024shivatalisman.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"citrusliveshow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lineferaline.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alpacinozyerikoz2.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223450; rev:1;) alert tcp $HOME_NET any -> [5.42.65.55] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server/init.php"; depth:16; nocase; http.host; content:"www.msk-post.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223456/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_25; classtype:trojan-activity; sid:91223456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webpanel/panel/login.php"; depth:25; nocase; http.host; content:"secure.biiclick.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223458; rev:1;) alert tcp $HOME_NET any -> [5.42.65.55] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223459; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.32"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"80.85.241.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.253.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.107.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223468/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223468; rev:1;) alert tcp $HOME_NET any -> [42.123.125.151] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223502/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223502; rev:1;) alert tcp $HOME_NET any -> [36.110.138.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223501/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223501; rev:1;) alert tcp $HOME_NET any -> [101.42.8.97] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223500/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223500; rev:1;) alert tcp $HOME_NET any -> [47.109.102.98] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223499/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223499; rev:1;) alert tcp $HOME_NET any -> [101.43.194.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223498/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223498; rev:1;) alert tcp $HOME_NET any -> [106.55.179.114] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223497/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223497; rev:1;) alert tcp $HOME_NET any -> [88.80.148.57] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223496/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223496; rev:1;) alert tcp $HOME_NET any -> [54.225.75.87] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223495/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223495; rev:1;) alert tcp $HOME_NET any -> [103.66.59.25] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223494/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223494; rev:1;) alert tcp $HOME_NET any -> [39.105.99.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223493/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223493; rev:1;) alert tcp $HOME_NET any -> [37.107.9.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223492/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; 
classtype:trojan-activity; sid:91223492; rev:1;) alert tcp $HOME_NET any -> [74.12.145.72] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223491/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223491; rev:1;) alert tcp $HOME_NET any -> [41.96.254.17] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223490/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223490; rev:1;) alert tcp $HOME_NET any -> [101.184.150.149] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223489/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223489; rev:1;) alert tcp $HOME_NET any -> [3.250.74.250] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223488/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223488; rev:1;) alert tcp $HOME_NET any -> [3.254.76.66] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223487/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223487; rev:1;) alert tcp $HOME_NET any -> [34.245.68.85] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223486/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223486; rev:1;) alert tcp $HOME_NET any -> [52.16.246.69] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223485/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223485; rev:1;) alert tcp $HOME_NET any -> [3.255.180.132] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223484/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223484; rev:1;) alert tcp $HOME_NET any -> [3.252.105.160] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223483/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223483; rev:1;) alert tcp $HOME_NET any -> [207.174.28.42] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223482/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223482; rev:1;) alert tcp $HOME_NET any -> [75.2.58.166] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223481/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223481; rev:1;) alert tcp $HOME_NET any -> [202.165.234.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223480/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223480; rev:1;) alert tcp $HOME_NET any -> [45.79.100.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223479/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223479; rev:1;) alert tcp $HOME_NET any -> [35.171.17.63] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223478/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_25; classtype:trojan-activity; sid:91223478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm53710.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223477; rev:1;) alert tcp $HOME_NET any -> [111.230.205.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223476/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223476; rev:1;) alert tcp $HOME_NET any -> [13.127.77.21] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223475/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223475; rev:1;) alert tcp $HOME_NET any -> [180.184.132.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223474/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223474; rev:1;) alert tcp $HOME_NET any -> [113.250.188.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223473/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223473; rev:1;) alert tcp $HOME_NET any -> [34.152.50.185] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223472/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223472; rev:1;) alert tcp $HOME_NET any -> [46.97.56.10] 1755 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223471; rev:1;) alert tcp $HOME_NET any -> [185.222.58.98] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223470; rev:1;) alert tcp $HOME_NET any -> [187.135.94.249] 1723 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223469/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223469; rev:1;) alert tcp $HOME_NET any -> [47.108.137.190] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223455/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"121.41.0.213"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223454; rev:1;) alert tcp $HOME_NET any -> [65.0.99.80] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223453/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223453; rev:1;) alert tcp $HOME_NET any -> [94.228.169.207] 47379 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_25; classtype:trojan-activity; sid:91223452; rev:1;) alert tcp $HOME_NET any -> [65.2.40.63] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1223451/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223451; rev:1;) alert tcp $HOME_NET any -> [103.52.154.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223449/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_25; classtype:trojan-activity; sid:91223449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0898772.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc/def/"; depth:9; nocase; http.host; content:"107.173.148.236"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"104.233.170.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"121.41.0.213"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223444; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223442; rev:1;) alert tcp $HOME_NET any -> [46.246.86.8] 8889 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223441/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223441; rev:1;) alert tcp $HOME_NET any -> [65.0.183.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223440/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223440; rev:1;) alert tcp $HOME_NET any -> [154.246.232.161] 2078 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223438/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223438; rev:1;) alert tcp $HOME_NET any -> [154.247.156.61] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223437/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223437; rev:1;) alert tcp $HOME_NET any -> [63.35.219.249] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223436/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223436; rev:1;) alert tcp $HOME_NET any -> [34.245.13.138] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223435/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223435; rev:1;) alert tcp $HOME_NET any -> [34.254.159.213] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223434/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223434; rev:1;) alert tcp $HOME_NET any -> [3.254.151.12] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223433/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; 
sid:91223433; rev:1;) alert tcp $HOME_NET any -> [3.253.126.226] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223432/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223432; rev:1;) alert tcp $HOME_NET any -> [54.73.88.104] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223431/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223431; rev:1;) alert tcp $HOME_NET any -> [3.253.193.234] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223430/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223430; rev:1;) alert tcp $HOME_NET any -> [3.249.69.144] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223429/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223429; rev:1;) alert tcp $HOME_NET any -> [52.51.124.219] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223428/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223428; rev:1;) alert tcp $HOME_NET any -> [52.48.84.192] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223427/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223427; rev:1;) alert tcp $HOME_NET any -> [18.201.186.200] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223426/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223426; rev:1;) alert tcp $HOME_NET any -> [3.255.240.193] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223425/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223425; rev:1;) alert tcp $HOME_NET any -> [95.177.216.204] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223424/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223424; rev:1;) alert tcp $HOME_NET any -> [144.76.182.181] 6666 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223423/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223423; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 50505 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223422; rev:1;) alert tcp $HOME_NET any -> [78.180.77.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petrus4.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223420; rev:1;) alert tcp $HOME_NET any -> [154.16.16.43] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223419; rev:1;) alert tcp $HOME_NET any -> [87.121.87.61] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223418; rev:1;) alert tcp $HOME_NET any -> [95.10.154.172] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223417; rev:1;) alert tcp $HOME_NET any -> [185.81.157.183] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223416; rev:1;) alert tcp $HOME_NET any -> [5.163.244.167] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223415; rev:1;) alert tcp $HOME_NET any -> [151.236.22.182] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223413; rev:1;) alert tcp $HOME_NET any -> [151.236.22.182] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736627.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m158663.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m10688.com"; 
depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223410; rev:1;) alert tcp $HOME_NET any -> [20.205.5.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223409; rev:1;) alert tcp $HOME_NET any -> [91.92.254.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hungrustrang.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223407; rev:1;) alert tcp $HOME_NET any -> [207.174.28.42] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212.227.211.81.nip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223405; rev:1;) alert tcp $HOME_NET any -> [62.204.41.67] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223404; rev:1;) alert tcp $HOME_NET any -> [80.211.65.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1543279.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mein-kontoauszug.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223401; rev:1;) alert tcp $HOME_NET any -> [87.121.87.60] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ger01.vpnbite.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223400; rev:1;) alert tcp $HOME_NET any -> [185.81.157.123] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223398; rev:1;) alert tcp $HOME_NET any -> [185.81.157.123] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223397; rev:1;) alert tcp $HOME_NET any -> [185.81.157.123] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"like-sports.linkpc.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223395; rev:1;) alert tcp $HOME_NET any -> [190.28.155.51] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223394; rev:1;) alert tcp $HOME_NET any -> [74.48.19.197] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223393; rev:1;) alert tcp $HOME_NET any -> [1.12.224.214] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223392/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223392; rev:1;) alert tcp $HOME_NET any -> [43.134.47.201] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223391/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223391; rev:1;) alert tcp $HOME_NET any -> [47.93.51.191] 39001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223390; rev:1;) alert tcp $HOME_NET any -> [121.41.0.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223389; rev:1;) alert tcp $HOME_NET any -> [47.100.180.123] 30004 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223388; rev:1;) alert tcp $HOME_NET any -> [103.113.85.216] 33389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223386; rev:1;) alert tcp $HOME_NET any -> [91.109.178.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223387; rev:1;) alert tcp $HOME_NET any -> [116.62.131.77] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223385; rev:1;) alert tcp $HOME_NET any -> [124.221.151.149] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223384; rev:1;) alert tcp $HOME_NET any -> [45.91.81.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223383; rev:1;) alert tcp $HOME_NET 
any -> [66.135.4.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223382; rev:1;) alert tcp $HOME_NET any -> [113.207.49.150] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-94-121-196.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223379; rev:1;) alert tcp $HOME_NET any -> [23.224.131.86] 7878 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223380; rev:1;) alert tcp $HOME_NET any -> [43.143.58.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.daquexing.com"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223377; rev:1;) alert tcp $HOME_NET any -> [185.196.8.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/annotate/project/48q040ijc"; depth:27; nocase; http.host; content:"septcntr.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223372; rev:1;) alert tcp $HOME_NET any -> [213.109.202.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223371/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223371; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223361/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223361; rev:1;) alert tcp $HOME_NET any -> [206.123.135.125] 2008 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223360/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223360; rev:1;) alert tcp $HOME_NET any -> [193.233.132.62] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"agedelayglacierwe.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/php/sqlimagedump/proton/tolocalexternal/trafficuploads/httpdownloads/processbigloadlongpolluploads/videotraffic/36serverpipe/videowindowstraffic.php"; depth:149; nocase; http.host; content:"213.226.100.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223358; rev:1;) alert tcp $HOME_NET any -> [45.155.249.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reactivate/robotics/6jmnbrxrqkfk"; depth:33; nocase; http.host; content:"conectmeto.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6jsupdateuniversal/defaultbase/95base4/central8low/processjs/default/privategeouploads/wpgamewp/voiddb7/flowerupdateauth8/processdle/update/privatemariadbjavascriptprotect/downloads9/voiddb/multiserver3/betterauthdump/api5game/imagevmpythonjavascript_linuxfloweruniversaltemp.php"; depth:280; nocase; http.host; content:"194.110.248.41"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.mlcrosoft.fyi"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223353; rev:1;) alert tcp $HOME_NET any -> [2.58.14.243] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.teleradiocom.com"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223351; rev:1;) alert tcp $HOME_NET any -> [93.243.153.98] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223350/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"cbinr.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"rimakc.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspacketprocesslongpollapibigloadbasecdntemporary.php"; depth:54; nocase; http.host; content:"736134cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223347; rev:1;) alert tcp 
$HOME_NET any -> [195.20.16.188] 20749 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223121; rev:1;) alert tcp $HOME_NET any -> [198.98.61.218] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223332/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_24; classtype:trojan-activity; sid:91223332; rev:1;) alert tcp $HOME_NET any -> [41.98.5.84] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223346/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223346; rev:1;) alert tcp $HOME_NET any -> [104.200.72.34] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223345/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223345; rev:1;) alert tcp $HOME_NET any -> [52.50.215.69] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223344/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223344; rev:1;) alert tcp $HOME_NET any -> [54.246.252.86] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223343/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223343; rev:1;) alert tcp $HOME_NET any -> [63.35.233.38] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223342/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223342; rev:1;) alert tcp $HOME_NET any -> [52.50.69.203] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223341/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223341; rev:1;) alert tcp $HOME_NET any -> [18.201.59.71] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223340/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223340; rev:1;) alert tcp $HOME_NET any -> [63.35.213.102] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223339/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223339; rev:1;) alert tcp $HOME_NET any -> [34.243.97.207] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223338/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223338; rev:1;) alert tcp $HOME_NET any -> [3.254.189.38] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223337/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223337; rev:1;) alert tcp $HOME_NET any -> [54.74.101.34] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223336/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223336; rev:1;) alert tcp $HOME_NET any -> [18.201.76.60] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223335/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223335; rev:1;) alert tcp $HOME_NET any -> [18.201.103.208] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223334/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223334; rev:1;) alert tcp $HOME_NET any -> [54.78.98.76] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223333/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_24; classtype:trojan-activity; sid:91223333; rev:1;) alert tcp $HOME_NET any -> [81.19.135.215] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223331/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223331; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"kitchenfootballkiw.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223330; rev:1;) alert tcp $HOME_NET any -> [75.161.193.18] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223329; rev:1;) alert tcp $HOME_NET any -> [175.110.189.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223328; rev:1;) alert tcp $HOME_NET any -> [151.236.22.182] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223327; rev:1;) alert tcp $HOME_NET any -> [151.236.22.182] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223326; rev:1;) alert tcp $HOME_NET any -> [172.203.228.210] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736628.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736631.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223324; rev:1;) alert tcp $HOME_NET any -> [216.48.180.70] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223322/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_24; classtype:trojan-activity; sid:91223322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-101-188.ssdcloudindia.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223321/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_24; classtype:trojan-activity; sid:91223321; rev:1;) alert tcp $HOME_NET any -> [43.129.169.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223320; rev:1;) alert tcp $HOME_NET any -> [154.23.240.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223319; rev:1;) alert tcp $HOME_NET any -> [38.207.178.41] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223318; rev:1;) alert tcp $HOME_NET any -> [47.109.82.90] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223316; rev:1;) alert tcp $HOME_NET any -> [117.72.13.228] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223317; rev:1;) alert tcp $HOME_NET any -> [101.200.84.59] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223315; rev:1;) alert tcp $HOME_NET any -> [74.48.58.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223314; rev:1;) alert tcp $HOME_NET any -> [154.216.191.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223313; rev:1;) alert tcp $HOME_NET any -> [180.141.200.54] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223312; rev:1;) alert tcp $HOME_NET any -> [74.48.189.58] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223310; rev:1;) alert tcp $HOME_NET any -> [47.108.228.38] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223311; rev:1;) alert tcp $HOME_NET any -> [43.129.247.23] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; 
sid:91223309; rev:1;) alert tcp $HOME_NET any -> [124.221.189.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223308; rev:1;) alert tcp $HOME_NET any -> [117.72.17.252] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223306; rev:1;) alert tcp $HOME_NET any -> [42.193.36.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223307; rev:1;) alert tcp $HOME_NET any -> [117.18.3.244] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223305; rev:1;) alert tcp $HOME_NET any -> [211.97.157.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223304; rev:1;) alert tcp $HOME_NET any -> [154.3.2.17] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223303; rev:1;) alert tcp $HOME_NET any -> [121.41.100.232] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223301; rev:1;) alert tcp $HOME_NET any -> [121.41.116.17] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223302; rev:1;) alert tcp $HOME_NET any -> [182.43.71.62] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223300; rev:1;) alert tcp $HOME_NET any -> [8.134.101.167] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223299; rev:1;) alert tcp $HOME_NET any -> [139.224.188.165] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223297; rev:1;) 
# Review notes on the two rule shapes used in this feed section:
# - "ip:port" rules carry no flow and no content keyword, so any TCP packet from
#   $HOME_NET to the listed destination IP:port can match (an established session
#   is not required). The threshold keeps output to one alert per source IP per
#   60 seconds; it does not change what matches.
# - "domain" rules match the full DNS query name exactly: depth equals the length
#   of the content string and isdataat:!1,relative rejects any trailing bytes,
#   case-insensitively (nocase). Subdomains of the listed name do not match.
# - Every rule sets target:src_ip, so the internal host is reported as the victim.
# - Deployment note: the dns rules are bound to $HOME_NET -> $EXTERNAL_NET. When
#   clients resolve through an internal recursive resolver, the client's own query
#   does not cross that boundary; the resolver's upstream query does, and src_ip is
#   then the resolver rather than the infected client. Adjust the address variables
#   (or rely on resolver logs) if that matters for triage.
alert tcp $HOME_NET any -> [118.89.133.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223298; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.116] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jet.gradingran.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askedmuthino.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anthronotes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223293; rev:1;)
alert tcp $HOME_NET any -> [193.168.141.159] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223292; rev:1;)
# NOTE(review): the query name below is an EC2 auto-assigned public DNS name
# (ec2-<ip>.compute-1.amazonaws.com). Such names follow the instance's public
# address and are generally handed to other tenants once it is released, so the
# indicator is likely to go stale quickly. Re-check before keeping it long term.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-204-70-129.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223291; rev:1;)
# NOTE(review): the next two addresses appear to be public-cloud space — confirm
# current ownership before acting on an alert or blocking. Content-less 443
# matches against shared hosting carry a real false-positive risk.
alert tcp $HOME_NET any -> [3.230.47.185] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223289; rev:1;)
alert tcp $HOME_NET any -> [3.220.152.159] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223290; rev:1;)
alert tcp $HOME_NET any -> [79.137.196.188] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223288; rev:1;)
alert tcp $HOME_NET any -> [79.137.194.188] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223287; rev:1;)
alert tcp $HOME_NET any -> [119.45.128.170] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223286; rev:1;)
alert tcp $HOME_NET any -> [158.180.47.184] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223285; rev:1;)
# NOTE(review): destination port 3389 (RDP). With no content match, any RDP
# session from $HOME_NET to this host raises the alert; the family is "Unknown
# malware", so treat a hit as a lead to investigate rather than a confirmed C2.
alert tcp $HOME_NET any -> [178.232.115.65] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223284; rev:1;)
alert tcp $HOME_NET any -> [64.227.41.169] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223283; rev:1;)
alert tcp $HOME_NET any -> [45.204.82.103] 6606 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223282; rev:1;)
alert tcp $HOME_NET any -> [1.54.172.244] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223281; rev:1;)
alert tcp $HOME_NET any -> [104.244.72.108] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223280; rev:1;)
# Same host on two ports (sids 91223278 and 91223279); each is a separate IOC
# entry and will alert independently of the other.
alert tcp $HOME_NET any -> [8.218.80.239] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223278; rev:1;)
alert tcp $HOME_NET any -> [8.218.80.239] 8443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223279; rev:1;)
alert tcp $HOME_NET any -> [176.107.190.42] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223276; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.184] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223277; rev:1;)
alert tcp $HOME_NET any -> [20.201.119.163] 1025 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crm.salesatelier.at"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v22016114045840870.hotsrv.de"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223273; rev:1;)
# NOTE(review): this is a hosting-provider default hostname under plesk.page with
# the server address embedded in the label (45-76-184-28). Only the DNS name is
# covered here; no ip:port rule for that address accompanies it in this section,
# so traffic that skips the lookup (hard-coded IP) would not be caught by it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heuristic-blackwell.45-76-184-28.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223272; rev:1;)
# NOTE(review): address appears to be public-cloud space — confirm ownership is
# still as reported before blocking (same shared-hosting caveat as above).
alert tcp $HOME_NET any -> [15.188.15.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223271; rev:1;)
alert tcp $HOME_NET any -> [191.17.127.227] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1223270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223270; rev:1;) alert tcp $HOME_NET any -> [31.220.97.187] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223269; rev:1;) alert tcp $HOME_NET any -> [191.82.235.60] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223268; rev:1;) alert tcp $HOME_NET any -> [69.197.134.103] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223267; rev:1;) alert tcp $HOME_NET any -> [94.12.43.18] 49947 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serpost-track.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223264; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livraison-douane.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223265; rev:1;) alert tcp $HOME_NET any -> [23.27.120.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223263; rev:1;) alert tcp $HOME_NET any -> [194.163.175.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-n-clk.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.loyaltyben.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m-sendungsverfolgung.org"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vf2gkzq1lw9.c.updraftclone.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.agdetails.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"track-parcels.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bahrain-fine.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"film-studio.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223254/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223254; rev:1;) alert tcp $HOME_NET any -> [83.220.174.2] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loyaltyben.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223253; rev:1;) alert tcp $HOME_NET any -> [194.87.31.216] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223251; rev:1;) alert tcp $HOME_NET any -> [91.109.188.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223249; rev:1;) alert tcp $HOME_NET any -> [51.116.104.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223250; rev:1;) alert tcp $HOME_NET any -> [143.198.138.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223248; rev:1;) alert tcp $HOME_NET any -> [213.159.209.194] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223247; rev:1;) alert tcp $HOME_NET any -> [217.28.221.80] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazing-torvalds.137-184-80-125.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223245; rev:1;) alert tcp $HOME_NET any -> [159.65.22.88] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223244; rev:1;) alert tcp $HOME_NET any -> [137.184.67.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223243; rev:1;) alert tcp $HOME_NET any -> [91.109.182.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223242; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223241; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223239; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223240; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223238; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1223236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223236; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223237; rev:1;) alert tcp $HOME_NET any -> [91.92.241.23] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223235; rev:1;) alert tcp $HOME_NET any -> [88.229.3.212] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223234; rev:1;) alert tcp $HOME_NET any -> [185.81.157.14] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223232; rev:1;) alert tcp $HOME_NET any -> [88.229.3.212] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223233; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 202 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223231; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223230; rev:1;) alert tcp $HOME_NET any -> [185.81.157.119] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223228; rev:1;) alert tcp $HOME_NET any -> [207.180.238.243] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223229; rev:1;) alert tcp $HOME_NET any -> [206.123.132.227] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223226; rev:1;) alert tcp $HOME_NET any -> [140.82.26.84] 5959 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223227/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223227; rev:1;) alert tcp $HOME_NET any -> [91.109.186.4] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223225; rev:1;) alert tcp $HOME_NET any -> [190.28.128.226] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223224; rev:1;) alert tcp $HOME_NET any -> [192.109.119.100] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223223/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223223; rev:1;) alert tcp $HOME_NET any -> [45.76.83.253] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223222/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223222; rev:1;) alert tcp $HOME_NET any -> [45.32.106.247] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223221/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223221; rev:1;) alert tcp $HOME_NET any -> [91.92.252.130] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223220/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223220; rev:1;) alert tcp $HOME_NET any -> [103.5.126.215] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223219/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223219; rev:1;) alert tcp $HOME_NET any -> [8.210.232.186] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223218/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223218; rev:1;) alert tcp $HOME_NET any -> [103.232.245.46] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223217/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223217; rev:1;) alert tcp $HOME_NET any -> [92.63.163.105] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223215/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223215; rev:1;) alert tcp $HOME_NET any -> [34.29.241.225] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223216/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223216; rev:1;) alert tcp $HOME_NET any -> [121.40.122.92] 8443 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223214/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223214; rev:1;) alert tcp $HOME_NET any -> [172.233.222.33] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223213/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223213; rev:1;) alert tcp $HOME_NET any -> [109.248.236.18] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223212/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223212; rev:1;) alert tcp $HOME_NET any -> [47.103.203.3] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223210/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223210; rev:1;) alert tcp $HOME_NET any -> [64.176.228.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223211/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; classtype:trojan-activity; sid:91223211; rev:1;) alert tcp $HOME_NET any -> [77.76.145.150] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223209/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223209; rev:1;) alert tcp $HOME_NET any -> [81.19.136.231] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223208; rev:1;) alert tcp $HOME_NET any -> [81.19.136.231] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223207; rev:1;) alert tcp $HOME_NET any -> [142.171.27.92] 3699 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223206; rev:1;) alert tcp $HOME_NET any -> [43.143.7.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223205; rev:1;) alert tcp $HOME_NET any -> [103.234.72.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223203; rev:1;) alert tcp $HOME_NET any -> [206.237.11.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223204; rev:1;) alert tcp $HOME_NET any -> [137.175.111.153] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223202; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223201; rev:1;) alert tcp $HOME_NET any -> [185.196.9.231] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223200; rev:1;) alert tcp $HOME_NET any -> [8.217.24.207] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223199; rev:1;) alert tcp $HOME_NET any -> [101.34.79.168] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223198; rev:1;) alert tcp $HOME_NET 
any -> [45.207.47.21] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223197; rev:1;) alert tcp $HOME_NET any -> [121.41.0.213] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223196; rev:1;) alert tcp $HOME_NET any -> [124.221.66.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223195; rev:1;) alert tcp $HOME_NET any -> [47.106.206.198] 825 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223194; rev:1;) alert tcp $HOME_NET any -> [45.95.172.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223193; rev:1;) alert tcp $HOME_NET any -> [175.27.234.162] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223192; rev:1;) alert tcp $HOME_NET any -> [18.176.183.3] 16992 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223191; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223190; rev:1;) alert tcp $HOME_NET any -> [91.92.252.192] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223188; rev:1;) alert tcp $HOME_NET any -> [91.92.252.192] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223189; rev:1;) alert tcp $HOME_NET any -> [212.104.172.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223186; rev:1;) alert tcp $HOME_NET any -> [124.71.136.141] 81 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223187; rev:1;) alert tcp $HOME_NET any -> [94.156.65.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223185; rev:1;) alert tcp $HOME_NET any -> [194.87.218.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223184; rev:1;) alert tcp $HOME_NET any -> [47.107.115.234] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223183; rev:1;) alert tcp $HOME_NET any -> [52.226.247.32] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223182; rev:1;) alert tcp $HOME_NET any -> [49.235.101.111] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223181/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223181; rev:1;) alert tcp $HOME_NET any -> [89.117.217.11] 34678 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223180; rev:1;) alert tcp $HOME_NET any -> [47.115.213.18] 2333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223178; rev:1;) alert tcp $HOME_NET any -> [124.71.143.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223179; rev:1;) alert tcp $HOME_NET any -> [159.75.97.169] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223177; rev:1;) alert tcp $HOME_NET any -> [193.23.161.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223176; rev:1;) alert tcp $HOME_NET any -> [47.109.33.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223175; rev:1;) alert tcp $HOME_NET any -> [46.29.162.14] 5896 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223174; rev:1;) alert tcp $HOME_NET any -> [8.217.137.245] 60011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223173; rev:1;) alert tcp $HOME_NET any -> [45.207.38.139] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223172; rev:1;) alert tcp $HOME_NET any -> [47.106.67.138] 50028 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223171; rev:1;) alert tcp $HOME_NET any -> [107.148.52.138] 8883 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223170; rev:1;) alert tcp $HOME_NET any -> [3.66.49.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223169; rev:1;) alert tcp $HOME_NET any -> [103.234.72.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223168; rev:1;) alert tcp $HOME_NET any -> [8.134.172.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223167; rev:1;) alert tcp $HOME_NET any -> [124.223.180.89] 7699 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223166; rev:1;) alert tcp $HOME_NET any -> [150.158.135.188] 8446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223165; rev:1;) alert tcp $HOME_NET any -> [172.94.104.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223164; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223163; rev:1;) alert tcp $HOME_NET any -> [124.222.213.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223162; rev:1;) alert tcp $HOME_NET any -> [168.100.9.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223161; rev:1;) alert tcp $HOME_NET any -> [79.124.40.106] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223160; rev:1;) alert tcp $HOME_NET any -> [123.57.245.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223159; rev:1;) alert tcp 
$HOME_NET any -> [110.41.185.132] 775 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223158; rev:1;) alert tcp $HOME_NET any -> [194.156.99.174] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223157; rev:1;) alert tcp $HOME_NET any -> [82.157.149.194] 19982 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223156; rev:1;) alert tcp $HOME_NET any -> [47.76.72.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"138-197-178-187.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223154; rev:1;) alert tcp $HOME_NET any -> [119.45.128.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1223153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223153; rev:1;) alert tcp $HOME_NET any -> [49.232.217.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"112.lan-za2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223151; rev:1;) alert tcp $HOME_NET any -> [111.230.42.149] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daquexing.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hw.jn1tea.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; 
classtype:trojan-activity; sid:91223148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-124-71-143-196.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223147; rev:1;) alert tcp $HOME_NET any -> [182.61.15.115] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223146; rev:1;) alert tcp $HOME_NET any -> [192.144.220.12] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223144; rev:1;) alert tcp $HOME_NET any -> [43.139.120.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.jinglin.zhonghaizhi.cn"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"api.niuwxt.haowusong.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"payments.breached.cx"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.eyefinancemonitor.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-66-49-194.eu-central-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9mjunw.easypanel.host"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223138; rev:1;) alert tcp $HOME_NET any -> [8.213.137.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv59.resgatetitularidade.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9tvz"; depth:5; nocase; http.host; content:"117.73.13.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223135/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_24; classtype:trojan-activity; sid:91223135; rev:1;) alert tcp $HOME_NET any -> [185.65.134.162] 12567 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223134/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_24; classtype:trojan-activity; sid:91223134; rev:1;) alert tcp $HOME_NET any -> [5.252.178.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223133/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223133; rev:1;) alert tcp $HOME_NET any -> [216.218.135.117] 12567 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223132/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223132; rev:1;) alert tcp $HOME_NET any -> [193.233.132.74] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223131; rev:1;) alert tcp $HOME_NET any -> [91.92.251.143] 29025 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223130; rev:1;) alert tcp $HOME_NET any -> [161.123.69.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223129/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223129; rev:1;) alert tcp $HOME_NET any -> [94.103.188.192] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223128; rev:1;) alert tcp $HOME_NET any -> [46.17.103.81] 5893 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_24; classtype:trojan-activity; sid:91223127; rev:1;) alert tcp $HOME_NET any -> [119.45.197.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223126/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_24; classtype:trojan-activity; sid:91223126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cupaffordcathedralk.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223125; rev:1;) alert tcp $HOME_NET any -> [103.151.217.232] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223124/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223124; rev:1;) alert tcp $HOME_NET any -> [62.234.19.7] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223123/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.130.113.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
50%)"; dns_query; content:"secure.biiclick.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223120/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223120; rev:1;) alert tcp $HOME_NET any -> [193.168.141.159] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223119/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_23; classtype:trojan-activity; sid:91223119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.c1oudflare.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223117; rev:1;) alert tcp $HOME_NET any -> [39.104.204.12] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.c1oudflare.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.c1oudflare.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223115/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerexternalpythonlowprocessorbigloadserverdatalifeuploads.php"; depth:67; nocase; http.host; content:"315615cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223114; rev:1;) alert tcp $HOME_NET any -> [213.109.202.156] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223113/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223113; rev:1;) alert tcp $HOME_NET any -> [156.227.6.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223112/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223112; rev:1;) alert tcp $HOME_NET any -> [45.152.67.101] 52010 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223111/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223111; rev:1;) alert tcp $HOME_NET any -> [211.149.151.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223110/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_23; classtype:trojan-activity; sid:91223110; rev:1;) alert tcp $HOME_NET any -> [142.154.37.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223109/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223109; rev:1;) alert tcp $HOME_NET any -> [188.54.122.204] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223108/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.251.66"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223107; rev:1;) alert tcp $HOME_NET any -> [201.143.77.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223106/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223106; rev:1;) alert tcp $HOME_NET any -> [108.61.81.4] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223105/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223105; rev:1;) alert tcp $HOME_NET any -> [198.13.36.52] 9443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223104/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223104; rev:1;) alert tcp $HOME_NET any -> [185.244.130.43] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223103/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223103; rev:1;) alert tcp $HOME_NET any -> [159.203.163.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223102/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223102; rev:1;) alert tcp $HOME_NET any -> [149.40.62.223] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223101/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223101; rev:1;) alert tcp $HOME_NET any -> [172.206.9.120] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223100/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223100; rev:1;) alert tcp $HOME_NET any -> [34.142.175.189] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223099/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; 
classtype:trojan-activity; sid:91223099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4xdm"; depth:5; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223098/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_23; classtype:trojan-activity; sid:91223098; rev:1;) alert tcp $HOME_NET any -> [113.250.188.15] 8599 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223097; rev:1;) alert tcp $HOME_NET any -> [98.71.74.227] 47952 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223096; rev:1;) alert tcp $HOME_NET any -> [198.24.151.216] 47560 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223095; rev:1;) alert tcp $HOME_NET any -> [94.156.64.168] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"workstation.homeip.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223093; rev:1;) alert tcp $HOME_NET any -> [205.234.156.139] 3780 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223094/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223094; rev:1;) alert tcp $HOME_NET any -> [8.134.80.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223091/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223091; rev:1;) alert tcp $HOME_NET any -> [5.182.86.8] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223090/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223090; rev:1;) alert tcp $HOME_NET any -> [147.139.212.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223089/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"182.160.6.136"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"103.185.249.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/11/lvjh6wkebixyop5aqcjtb"; depth:57; nocase; http.host; content:"3.94.121.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.129.207.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"117.73.13.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223084/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_23; classtype:trojan-activity; sid:91223084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223083; rev:1;) alert tcp $HOME_NET any -> [206.237.17.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223082/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.249.101.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; 
http.host; content:"150.158.139.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videocpuprotect.php"; depth:20; nocase; http.host; content:"012782m.dccrk.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"topchanov.live"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223073/; target:src_ip; metadata: confidence_level 
80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223073; rev:1;) alert tcp $HOME_NET any -> [85.192.63.29] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223075/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223075; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-azqy7lup-1303896379.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-azqy7lup-1303896379.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/install/s0rmgizy"; depth:23; nocase; http.host; content:"37.1.204.197"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1223070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223070; rev:1;) alert tcp $HOME_NET any -> [45.155.249.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lindacolor.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/v3.56/nj4pfeosigf"; depth:23; nocase; http.host; content:"lindacolor.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.130.113.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/www/handle/doc"; depth:15; nocase; http.host; content:"47.106.235.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"patatas.ac.ug"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223064; rev:1;) alert tcp $HOME_NET any -> [42.190.109.101] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223063/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223063; rev:1;) alert tcp $HOME_NET any -> [104.37.185.125] 6543 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223062; rev:1;) alert tcp $HOME_NET any -> [5.51.198.41] 1155 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223061/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_23; classtype:trojan-activity; sid:91223061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unougn.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1223035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conitreid.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223036; rev:1;) alert tcp $HOME_NET any -> [185.71.67.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223038/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_23; classtype:trojan-activity; sid:91223038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ambernokepez.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223039; rev:1;) alert tcp $HOME_NET any -> [195.20.16.190] 38173 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223045; rev:1;) alert tcp $HOME_NET any -> [85.239.243.3] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223060/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_12_23; classtype:trojan-activity; sid:91223060; rev:1;) alert tcp $HOME_NET any -> [67.247.14.242] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223059/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223059; rev:1;) alert tcp $HOME_NET any -> [83.213.202.225] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223058/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223058; rev:1;) alert tcp $HOME_NET any -> [69.159.0.71] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223057/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223057; rev:1;) alert tcp $HOME_NET any -> [41.97.123.250] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223056/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223056; rev:1;) alert tcp $HOME_NET any -> [93.210.172.20] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223055/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223055; rev:1;) alert tcp $HOME_NET any -> [34.210.14.17] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223054/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223054; rev:1;) alert tcp $HOME_NET any -> [124.222.63.238] 8020 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223053/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223053; rev:1;) alert tcp $HOME_NET any -> [91.236.230.169] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223052/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223052; rev:1;) alert tcp $HOME_NET any -> [159.100.6.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223051/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223051; rev:1;) alert tcp $HOME_NET any -> [34.124.168.255] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223050/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223050; rev:1;) alert tcp $HOME_NET any -> [141.255.152.15] 19811 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; classtype:trojan-activity; sid:91223049; rev:1;) alert tcp $HOME_NET any -> [104.237.129.166] 3790 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223048/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223048; rev:1;) alert tcp $HOME_NET any -> [91.92.242.204] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223047/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223047; rev:1;) alert tcp $HOME_NET any -> [39.100.85.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223046/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223046; rev:1;) alert tcp $HOME_NET any -> [185.172.128.125] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223044/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223044; rev:1;) alert tcp $HOME_NET any -> [193.3.19.114] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223043/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_23; classtype:trojan-activity; sid:91223043; rev:1;) alert tcp $HOME_NET any -> [185.71.67.60] 6522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_23; 
classtype:trojan-activity; sid:91223042; rev:1;) alert tcp $HOME_NET any -> [159.89.241.128] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223041/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223041; rev:1;) alert tcp $HOME_NET any -> [139.129.207.45] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223040/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_23; classtype:trojan-activity; sid:91223040; rev:1;) alert tcp $HOME_NET any -> [185.245.183.76] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223037/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91223037; rev:1;) alert tcp $HOME_NET any -> [45.155.249.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.155.249.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promote/v6.71/py3v1rnwvxu5"; depth:27; nocase; http.host; content:"104.238.131.176"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223032; rev:1;) alert tcp $HOME_NET any -> [5.161.227.233] 5236 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compose/v2.85/cieu4a5v4t5"; depth:26; nocase; http.host; content:"gertefin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conectmeto.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1223028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223028; rev:1;) alert tcp $HOME_NET any -> [45.155.249.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223029; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reactivate/robotics/6jmnbrxrqkfk"; depth:33; nocase; http.host; content:"conectmeto.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ea69013b92ecb73.php"; depth:21; nocase; http.host; content:"5.42.65.54"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0896895.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"makeexpectentrypon.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdc8cb4ba5f9dfaa.php"; depth:21; nocase; http.host; content:"95.216.72.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tablesockartfinewa.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimpassivedebatw.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1223020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91223020; rev:1;) alert tcp $HOME_NET any -> [47.76.71.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223019/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; 
classtype:trojan-activity; sid:91223019; rev:1;) alert tcp $HOME_NET any -> [23.94.182.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223018/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223018; rev:1;) alert tcp $HOME_NET any -> [154.12.254.215] 46450 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223017/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223017; rev:1;) alert tcp $HOME_NET any -> [80.240.16.166] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223016/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223016; rev:1;) alert tcp $HOME_NET any -> [141.255.147.252] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223015/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223015; rev:1;) alert tcp $HOME_NET any -> [117.195.19.125] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223014/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223014; rev:1;) alert tcp $HOME_NET any -> [41.103.235.125] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1223013/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223013; rev:1;)
alert tcp $HOME_NET any -> [77.8.86.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223012/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223012; rev:1;)
alert tcp $HOME_NET any -> [2.50.137.78] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223011/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223011; rev:1;)
# NOTE(review): the two "Responder" entries below are plain ip:port rules - they have no payload
# match, so any TCP segment from $HOME_NET to the listed host on 445 (a bare SYN is enough) fires,
# rate-limited by the threshold to one alert per source IP per 60 s. Outbound SMB from $HOME_NET to
# an Internet address is worth attention on its own, independent of the IOC; but at confidence 50
# treat a hit as a lead to confirm against the ThreatFox reference, not as a confirmed infection.
# The msg text "botnet C2 traffic" is the feed's generic template, not a claim about Responder's role.
alert tcp $HOME_NET any -> [139.144.23.113] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223010/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223010; rev:1;)
alert tcp $HOME_NET any -> [54.233.152.150] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223009/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223009; rev:1;)
# NOTE(review): 50%-confidence Havoc ip:port entries - same any-segment semantics as above.
alert tcp $HOME_NET any -> [80.78.27.224] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223008/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223008; rev:1;)
alert tcp $HOME_NET any -> [45.145.228.123] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223007/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223007; rev:1;) alert tcp $HOME_NET any -> [91.236.230.169] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223006/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223006; rev:1;) alert tcp $HOME_NET any -> [91.236.230.169] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223005/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223005; rev:1;) alert tcp $HOME_NET any -> [91.236.230.169] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223004/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223004; rev:1;) alert tcp $HOME_NET any -> [15.222.155.153] 11002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223003/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223003; rev:1;) alert tcp $HOME_NET any -> [44.197.84.49] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223002/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; 
sid:91223002; rev:1;) alert tcp $HOME_NET any -> [95.111.219.145] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223001/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223001; rev:1;) alert tcp $HOME_NET any -> [94.237.103.164] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1223000/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91223000; rev:1;) alert tcp $HOME_NET any -> [94.237.88.153] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222999/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222999; rev:1;) alert tcp $HOME_NET any -> [74.103.149.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222997/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222997; rev:1;) alert tcp $HOME_NET any -> [74.103.149.82] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222998/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222998; rev:1;) alert tcp $HOME_NET any -> [83.213.157.103] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222996/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222996; rev:1;) alert tcp $HOME_NET any -> [39.100.140.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222995/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222995; rev:1;) alert tcp $HOME_NET any -> [91.92.243.245] 9192 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"globron.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"milosrcrdos1821klmas.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222982/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"62.122.184.165"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222981/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"milosrcrdos1821klmas.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222983/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"milosrcrdos1821klmas.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222984/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"milosrcrdos1822klmas.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222985/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"milosrcrdos1822klmas.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222986/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sbjjzwu1y2uxash1/"; depth:18; nocase; http.host; content:"milosrcrdos1822klmas.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222987/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqymdu0mze1mwjj/"; depth:18; nocase; http.host; content:"gozneajans.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222988/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqymdu0mze1mwjj/"; depth:18; nocase; http.host; content:"blackeuro.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222989/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqymdu0mze1mwjj/"; depth:18; nocase; http.host; content:"karamelsepetikanas.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222992/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222992; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqymdu0mze1mwjj/"; depth:18; nocase; http.host; content:"denerinselektirik.com.tr"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222990/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqymdu0mze1mwjj/"; depth:18; nocase; http.host; content:"karadajanskal.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222991/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222991; rev:1;)
# NOTE(review): Vidar C2 hosts 116.203.3.40 and 95.216.149.92 are covered twice below. The tcp
# ip:port rules (sid:91222979 / sid:91222980) need no payload - a SYN to 116.203.3.40:3000 or
# 95.216.149.92:443 fires them, one alert per source per 60 s. In the two "url" rules that follow,
# the URI test `content:"/"; depth:1` is satisfied by every request-URI (all begin with "/"), so
# each of them really means "any parsed cleartext GET on any port whose Host header is exactly this
# bare IP", whatever the path - wider than the single URL the IOC records. The pairs therefore
# complement rather than duplicate each other; expect both to fire on a cleartext HTTP beacon.
alert tcp $HOME_NET any -> [116.203.3.40] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222979; rev:1;)
alert tcp $HOME_NET any -> [95.216.149.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.149.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222977; rev:1;)
alert tcp $HOME_NET any -> [193.34.212.17] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222976; rev:1;)
# NOTE(review): payload-delivery pair for 212.162.149.96 - the ip:port rule fires on any segment to
# port 80; the url rule below it additionally pins the exact download path /jtudenoc176.bin.
alert tcp $HOME_NET any -> [212.162.149.96] 80 (msg:"ThreatFox CloudEyE payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jtudenoc176.bin"; depth:16; nocase; http.host; content:"212.162.149.96"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bahamasvps/coreserver/gate.php"; depth:31; nocase; http.host; content:"arthemo.com"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222973; rev:1;)
# NOTE(review): the "domain" rules in this stretch match the DNS query name exactly - depth anchors
# the content at the start of dns_query and isdataat:!1,relative forbids anything after it - so a
# lookup for a subdomain (e.g. www.fbplx.com) does not fire. The header is $HOME_NET -> $EXTERNAL_NET:
# where clients resolve through an internal recursive resolver their queries are HOME_NET -> HOME_NET
# and are not covered; only the resolver's outbound recursion is, and the alert's src_ip (the
# target: field) is then the resolver, not the infected client. The two skimming entries use
# classtype:bad-unknown rather than trojan-activity, which classification.config typically maps to a
# different priority - check it if these are meant to page.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fbplx.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:bad-unknown; sid:91222971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lin-cdn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:bad-unknown; sid:91222972; rev:1;)
alert tcp $HOME_NET any -> [45.155.249.7] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"smartpoliceax.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222945/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"digitalcodecrafters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222947; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"43.139.92.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.37.117.0"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/match"; depth:6; nocase; http.host; content:"15.205.128.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.201.224.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"annualraises2023.zip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222962; rev:1;) alert tcp $HOME_NET any -> [143.198.17.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"annualraises2023.zip"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/vs/v1/v2/asa/qw"; depth:20; nocase; http.host; content:"36.140.95.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.12.22.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; 
content:"121.37.21.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows.dns-supports.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222955; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"windows.dns-supports.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222954; rev:1;) alert tcp $HOME_NET any -> [36.140.95.168] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api/vs/v1/v2/asa/qw"; depth:20; nocase; http.host; content:"www.emohack.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"139.155.153.109"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.221.145.245"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"198.98.48.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"fronzysb.beget.tech"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222948; rev:1;) alert tcp $HOME_NET any -> [185.196.9.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222946/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u14/0.44170515690096146.dat"; depth:28; nocase; http.host; content:"ucakbiletsorgulama.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51h6kn/0.10488555301618846.dat"; depth:31; nocase; http.host; content:"mexicopostalcode.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/viubb/0.45625095726666564.dat"; depth:30; nocase; http.host; content:"adanacigkoftesiparis.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rlhb/0.5991546204420577.dat"; depth:28; nocase; http.host; content:"kartvizitfiyatlari.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bds19ul/0.17061133165068715.dat"; depth:32; nocase; http.host; content:"adanacamasiryikama.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.156.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/match"; depth:6; nocase; http.host; content:"metersphere.zenmen.cloud"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.174.245.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"45.207.38.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222933/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/03/29136388_"; depth:45; nocase; http.host; content:"111.229.142.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222928; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixeqe1el.gif"; depth:14; nocase; http.host; content:"111.19.244.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"15.205.128.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"120.27.148.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"biggerfun.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222921; rev:1;) alert tcp $HOME_NET any -> [178.236.246.109] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222923/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_22; classtype:trojan-activity; sid:91222923; rev:1;)
# ip:port entries (alert tcp ... -> [IP] PORT): no flow or content keyword, so any TCP segment from
# $HOME_NET to the listed IP:port -- including a bare SYN -- raises the alert; "threshold: type limit,
# track by_src, seconds 60, count 1" caps it at one alert per internal source IP per 60 s.
# target:src_ip tags the internal client as the victim so the alert's target field points at the host
# to investigate, not the C2. NOTE(review): these match on address alone; corroborate (ThreatFox
# reference URL, confidence_level in metadata) before turning any of them into drop/reject rules.
alert tcp $HOME_NET any -> [104.225.129.134] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222922; rev:1;) alert tcp $HOME_NET any -> [185.130.47.98] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222924; rev:1;) alert tcp $HOME_NET any -> [134.175.127.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222920; rev:1;)
# url entry: established client->server HTTP, method GET, URI prefix "/cm" (depth:3 with no trailing
# isdataat anchor, so longer paths starting with /cm also match) and Host exactly "139.129.207.45"
# (depth equals the content length and isdataat:!1,relative rejects anything after it). The same IP
# also appears as an ip:port entry on 443 with confidence_level 80 immediately after this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"139.129.207.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222919; rev:1;) alert tcp $HOME_NET any -> [120.24.179.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222918/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222918; rev:1;) alert tcp $HOME_NET any -> [139.129.207.45] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222917/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1po"; depth:5; nocase; http.host; content:"45.145.228.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222916/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_22; classtype:trojan-activity; sid:91222916; rev:1;) alert tcp $HOME_NET any -> [13.233.18.110] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222915/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222915; rev:1;) alert tcp $HOME_NET any -> [107.151.246.236] 12315 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222914/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222914; rev:1;) alert tcp $HOME_NET any -> [83.244.56.53] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222913/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222913; rev:1;) alert tcp $HOME_NET any -> [184.105.191.94] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1222902/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_22; classtype:trojan-activity; sid:91222902; rev:1;)
# The entries below carry confidence_level 50 in metadata (also echoed in msg) but keep the same
# classtype:trojan-activity as the 100% entries, so Suricata assigns them the same priority. The
# confidence is only available for tuning through the metadata key / msg text -- filter on it in
# the rule manager or SIEM if low-confidence IOCs generate noise.
alert tcp $HOME_NET any -> [75.161.224.191] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222912/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222912; rev:1;) alert tcp $HOME_NET any -> [74.12.145.72] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222911/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222911; rev:1;) alert tcp $HOME_NET any -> [176.123.8.153] 49802 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222910/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222910; rev:1;)
# Responder entries: any TCP from $HOME_NET to the listed IP on 445 (no content check), i.e. outbound
# SMB toward an external host. NOTE(review): these can only fire where 445 egress is not already
# blocked at the perimeter; if it is, the block itself is the detection and these stay silent.
alert tcp $HOME_NET any -> [159.203.3.47] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222909/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222909; rev:1;) alert tcp $HOME_NET any -> [64.23.140.90] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222908/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222908; rev:1;) alert tcp $HOME_NET any -> [20.107.115.8] 80 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222907/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222907; rev:1;) alert tcp $HOME_NET any -> [13.209.21.1] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222906/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222906; rev:1;) alert tcp $HOME_NET any -> [15.188.62.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222905/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222905; rev:1;) alert tcp $HOME_NET any -> [37.120.239.146] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222904/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_22; classtype:trojan-activity; sid:91222904; rev:1;) alert tcp $HOME_NET any -> [194.147.140.186] 4040 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222903; rev:1;) alert tcp $HOME_NET any -> [47.108.175.149] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222901/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; 
sid:91222901; rev:1;) alert tcp $HOME_NET any -> [45.140.146.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222900/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222900; rev:1;) alert tcp $HOME_NET any -> [110.42.213.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222899/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"injuuuste2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222898; rev:1;) alert tcp $HOME_NET any -> [5.149.249.185] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222897/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jewelassertivebop.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; 
sid:91222896; rev:1;) alert tcp $HOME_NET any -> [91.92.245.58] 4444 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seemeseeyou.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222895; rev:1;) alert tcp $HOME_NET any -> [65.0.135.212] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222893/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222893; rev:1;) alert tcp $HOME_NET any -> [165.3.113.96] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222892/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222892; rev:1;) alert tcp $HOME_NET any -> [124.221.145.245] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222891/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.view.nuvaringsideffectslawsuit.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.newearth-superfoods.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222887; rev:1;) alert tcp $HOME_NET any -> [94.49.185.150] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222890/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/centralcentralrequest/4eternal/longpollimage4/31temp/3/pipe/pollpublic/providertrafficlinux/requestvoiddb1bigload/image9externalvideo/public/videodle0/server5dleflower/flower2/asynchttpauth/wordpress2multi/process/pythonprocessdbflowergeneratortemporary.php"; depth:258; nocase; http.host; content:"78.24.217.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_22; classtype:trojan-activity; sid:91222889; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222888/; target:src_ip; metadata: confidence_level 
80, first_seen 2023_12_22; classtype:trojan-activity; sid:91222888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-014.epsonupdate.uk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222884; rev:1;) alert tcp $HOME_NET any -> [139.155.153.109] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222883/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222883; rev:1;) alert tcp $HOME_NET any -> [193.29.13.220] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222882/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222882; rev:1;) alert tcp $HOME_NET any -> [165.3.113.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222881/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222881; rev:1;) alert tcp 
$HOME_NET any -> [103.143.248.179] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222880/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222880; rev:1;) alert tcp $HOME_NET any -> [165.3.113.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222879/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222879; rev:1;) alert tcp $HOME_NET any -> [27.124.3.19] 6606 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222878; rev:1;) alert tcp $HOME_NET any -> [91.92.248.33] 4782 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222877; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.dns-supports.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1222875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dns-supports.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222874; rev:1;) alert tcp $HOME_NET any -> [83.10.50.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222873/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222872; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222871/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222871; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222865/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_12_21; classtype:trojan-activity; sid:91222865; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222864/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222864; rev:1;) alert tcp $HOME_NET any -> [154.8.162.103] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222863/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222863; rev:1;) alert tcp $HOME_NET any -> [121.37.208.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222862/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222862; rev:1;) alert tcp $HOME_NET any -> [101.37.23.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222861/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222861; rev:1;) alert tcp $HOME_NET any -> [31.222.238.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222860/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222860; rev:1;) alert tcp $HOME_NET any -> [91.92.253.137] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222859/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222859; rev:1;) alert tcp $HOME_NET any -> [193.233.203.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222858/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222858; rev:1;) alert tcp $HOME_NET any -> [198.13.36.52] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222857/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222857; rev:1;) alert tcp $HOME_NET any -> [47.100.126.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222856/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222856; rev:1;) alert tcp $HOME_NET any -> [167.114.115.246] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222855/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l3131/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222782/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_21; classtype:trojan-activity; sid:91222782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l32/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l33/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l34/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l35/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l36/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l38/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l37/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l39/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l404/"; depth:6; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l4040/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l606/"; depth:6; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/osk/"; depth:5; nocase; http.host; content:"2.56.57.108"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l808/"; depth:6; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/"; depth:5; nocase; http.host; content:"2.56.59.226"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nn/"; depth:4; nocase; http.host; content:"37.0.11.237"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x/"; depth:3; nocase; http.host; content:"64.188.21.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os/"; depth:4; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/"; depth:5; nocase; http.host; 
content:"adwa2tv.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi/"; depth:5; nocase; http.host; content:"aegismd.ca"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b11/"; depth:5; nocase; http.host; content:"b1xz.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b24/"; depth:5; nocase; http.host; content:"b1xz.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b27/"; depth:5; nocase; http.host; content:"b1xz.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; 
classtype:trojan-activity; sid:91222804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b40/"; depth:5; nocase; http.host; content:"b1xz.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b505/"; depth:6; nocase; http.host; content:"b1xz.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oski/"; depth:6; nocase; http.host; content:"de4mon-p4nel.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa/"; depth:4; nocase; http.host; content:"elsantos.co"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/bot/"; depth:10; nocase; http.host; content:"gilvantur.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oski/"; depth:6; nocase; http.host; content:"ipc-nena.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/make/"; depth:6; nocase; http.host; content:"soitaab.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su/"; depth:4; nocase; http.host; content:"sunwindz.in.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/"; depth:3; nocase; http.host; content:"trafficbadassery.com"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mar3/"; depth:6; nocase; http.host; content:"tunqyuindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222822; rev:1;) alert tcp $HOME_NET any -> [185.172.128.33] 38294 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1g"; depth:3; nocase; http.host; content:"itskuba.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hao/"; depth:5; nocase; http.host; content:"marbellacabs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi/"; depth:5; nocase; http.host; content:"mcharglaw.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crown/"; depth:7; nocase; http.host; content:"mmcjo.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/surce/a/"; depth:9; nocase; http.host; content:"no1geekfun.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi/"; depth:5; nocase; http.host; content:"pplonline.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oski/"; depth:6; nocase; http.host; content:"rgjeweller.mu"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/fonts/static/"; depth:21; nocase; http.host; content:"smarteyecare.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l3030/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l27/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l2828/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222779; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l29/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l25/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l2626/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l2323/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l24/"; depth:5; 
nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l2121/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l22/"; depth:5; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1919/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1414/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222769/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_21; classtype:trojan-activity; sid:91222769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1616/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1212/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222768; rev:1;) alert tcp $HOME_NET any -> [2.56.212.247] 80 (msg:"ThreatFox Ficker Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1010/"; depth:7; nocase; http.host; content:"103.114.107.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222767; rev:1;) alert tcp $HOME_NET any -> [45.67.231.4] 80 (msg:"ThreatFox Ficker Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222763; rev:1;) alert tcp $HOME_NET any -> [79.110.52.39] 80 (msg:"ThreatFox Ficker Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"creepfleetconfusew.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getfnewsolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bluenetworking.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erihudeg.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222635/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222635; rev:1;) alert tcp $HOME_NET any -> [77.105.132.87] 22221 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blogggg/blogger.php"; depth:20; nocase; http.host; content:"moscow-post.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"194.26.135.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222661/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222661; rev:1;) alert tcp $HOME_NET any -> [104.21.88.185] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222670/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail.googlesmail.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222671/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222671; rev:1;) alert tcp $HOME_NET any -> [185.225.69.33] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pl.exe"; depth:7; nocase; http.host; content:"193.3.19.247"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sl.exe"; depth:7; nocase; http.host; content:"193.3.19.247"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/a/www/"; depth:9; nocase; http.host; content:"web24host.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/oski/"; depth:6; nocase; http.host; content:"zenginler.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"withclier.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firegate.php"; depth:17; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222847; rev:1;) alert tcp $HOME_NET any -> [45.142.182.103] 4426 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222850/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222850; rev:1;) alert tcp $HOME_NET any -> [193.233.132.72] 36295 (msg:"ThreatFox 
RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222851; rev:1;) alert tcp $HOME_NET any -> [198.98.48.31] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222853/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222853; rev:1;) alert tcp $HOME_NET any -> [158.160.58.164] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222852/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222852; rev:1;) alert tcp $HOME_NET any -> [198.251.89.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222849/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"111.229.163.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222848; rev:1;) alert tcp $HOME_NET any -> [109.123.227.158] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1222845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/broadcast"; depth:10; nocase; http.host; content:"85.209.11.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"115.159.112.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.212.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.140.147.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; 
sid:91222841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlenath"; depth:8; nocase; http.host; content:"91.92.252.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.3.113.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222838; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"45.136.14.51"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system/role/list"; depth:17; nocase; http.host; 
content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222836; rev:1;) alert tcp $HOME_NET any -> [109.123.227.147] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222831; rev:1;) alert tcp $HOME_NET any -> [85.239.237.153] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222832; rev:1;) alert tcp $HOME_NET any -> [154.38.164.50] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222833; rev:1;) alert tcp $HOME_NET any -> [109.123.227.174] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222834; rev:1;) alert tcp $HOME_NET any -> [5.180.151.180] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222828; rev:1;) alert tcp 
$HOME_NET any -> [172.234.224.202] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222829; rev:1;) alert tcp $HOME_NET any -> [109.123.227.170] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222830; rev:1;) alert tcp $HOME_NET any -> [5.180.151.194] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222826; rev:1;) alert tcp $HOME_NET any -> [154.38.185.136] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222827; rev:1;) alert tcp $HOME_NET any -> [172.232.189.141] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222825; rev:1;) alert tcp $HOME_NET any -> [5.75.178.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222766/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222766; rev:1;) alert tcp $HOME_NET any -> [185.172.128.33] 35875 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222762; rev:1;) alert tcp $HOME_NET any -> [5.42.65.31] 48396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222758; rev:1;) alert tcp $HOME_NET any -> [13.233.98.101] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222757/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222757; rev:1;) alert tcp $HOME_NET any -> [101.201.224.75] 2333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222756/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n1h3/0.5119460133828262.dat"; depth:28; nocase; http.host; content:"holyrosaryinternational.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; 
classtype:trojan-activity; sid:91222755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p9g/0.9681228263349928.dat"; depth:27; nocase; http.host; content:"gofly.id"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/at2ja9/0.6508004520633979.dat"; depth:30; nocase; http.host; content:"saeedalkarmi.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3hidbt/0.6552612703498036.dat"; depth:30; nocase; http.host; content:"grehlingerssealcoating.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6wx4/0.844468240812589.dat"; depth:27; nocase; http.host; content:"israrliaqat.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8wjmd9n/0.5687043298865158.dat"; depth:31; nocase; http.host; content:"paldiengineering.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222750; rev:1;) alert tcp $HOME_NET any -> [109.123.227.166] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222749; rev:1;) alert tcp $HOME_NET any -> [144.91.113.0] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222745; rev:1;) alert tcp $HOME_NET any -> [172.232.172.228] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222746; rev:1;) alert tcp $HOME_NET any -> [172.232.7.224] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222747; rev:1;) alert tcp $HOME_NET any -> [172.232.172.171] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222748; rev:1;) alert tcp $HOME_NET any -> [147.78.47.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.regsvcast.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hr"; depth:3; nocase; http.host; content:"zx.regsvcast.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.regsvcast.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hr"; depth:3; nocase; http.host; 
content:"as.regsvcast.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.regsvcast.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hr"; depth:3; nocase; http.host; content:"qw.regsvcast.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222738; rev:1;) alert tcp $HOME_NET any -> [103.164.49.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"103.164.49.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222736; rev:1;) alert tcp $HOME_NET any -> [138.197.178.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"138.197.178.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lqsfxdz9-1307700818.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geqeqwea.js"; depth:12; nocase; http.host; content:"service-lqsfxdz9-1307700818.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222732; rev:1;) alert tcp $HOME_NET any -> [82.157.78.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222731; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"82.157.78.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"213.109.202.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222729; rev:1;) alert tcp $HOME_NET any -> [1.15.189.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222727; rev:1;) alert tcp $HOME_NET any -> [185.11.61.65] 443 (msg:"ThreatFox DanaBot payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222726/; target:src_ip; metadata: confidence_level 75, first_seen 
2023_12_21; classtype:trojan-activity; sid:91222726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedlpscanner.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222712/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanceds-ip-scan.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222713/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanceds-ip-scanner.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222714/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanceds-lp-scanner.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222715/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advnced-ip-scan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222716/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advnced-ip-scanner.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222717/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advnced-lp-scanner.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222718/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"inductiveautomatlon.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222719/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"inductiveoutomation.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222720/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"inductlveautomation.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222721/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"mycaase.com"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222722/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"mycaase.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222723/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"oldsfaq.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222724/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"technorobo-life.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222725/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adsvanced-ip-scanner.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222685/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancd-ip-scanner.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222686/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancd-ip-scanner.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222687/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancd-lp-scanner.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222688/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scan.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222689/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanned.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222690/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanning.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222691/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222691; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanning.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222692/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ipscan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222693/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ipscanning.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222694/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-lp-scan.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222695/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-lp-scaners.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222696/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; 
dns_query; content:"advanced-lp-scaners.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222697/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-lp-scanned.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222698/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-lp-scanned.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222699/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-lp-scanner.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222700/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-lp-scanners.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222701/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-port-scanner.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1222702/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancede-ip-scanner.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222703/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-ip-scan.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222704/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-ip-scan.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222705/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-ip-scanner.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222706/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-ip-scanner.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222707/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_21; classtype:trojan-activity; sid:91222707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-lp-scan.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222708/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-lp-scanner.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222709/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedes-lp-scanner.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222710/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedip-scanner.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222711/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adavanced-ip-scaner.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222677/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222677; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adavanced-ip-scanner.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222678/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adevancd-lp-scanner.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222679/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adevanced-ip-scans.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222680/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adevanced-lp-scaners.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222681/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adevanced-lp-scanner.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222682/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; 
content:"adevanced-lp-scanners.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222683/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"adsvancd-lp-scanner.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222684/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_21; classtype:trojan-activity; sid:91222684; rev:1;) alert tcp $HOME_NET any -> [194.26.29.153] 15648 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222676; rev:1;) alert tcp $HOME_NET any -> [87.107.164.199] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222675/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222675; rev:1;) alert tcp $HOME_NET any -> [95.216.178.71] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.178.71"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/396833e4.php"; depth:13; nocase; http.host; content:"zekhost.000webhostapp.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222672; rev:1;) alert tcp $HOME_NET any -> [13.126.178.6] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222669/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdnmulti/linepollsqldlecdn.php"; depth:31; nocase; http.host; content:"82.146.37.188"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222668; rev:1;) alert tcp $HOME_NET any -> [194.147.140.222] 2025 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222667; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 12460 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222666; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 12460 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222665; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 12460 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222664; rev:1;) alert tcp $HOME_NET any -> [109.123.227.167] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222663/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222663; rev:1;) alert tcp $HOME_NET any -> [216.83.58.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222662/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222662; rev:1;) alert tcp $HOME_NET any -> [24.241.8.84] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222660/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222660; rev:1;) alert tcp $HOME_NET any -> [95.215.108.41] 2222 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222659/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222659; rev:1;) alert tcp $HOME_NET any -> [138.197.68.179] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222658/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222658; rev:1;) alert tcp $HOME_NET any -> [76.84.73.88] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222657/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222657; rev:1;) alert tcp $HOME_NET any -> [13.213.218.169] 45923 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222656/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222656; rev:1;) alert tcp $HOME_NET any -> [69.164.199.179] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222655/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222655; rev:1;) alert tcp $HOME_NET any -> [13.38.219.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222654/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; 
classtype:trojan-activity; sid:91222654; rev:1;) alert tcp $HOME_NET any -> [91.92.250.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222653/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222653; rev:1;) alert tcp $HOME_NET any -> [139.84.147.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222652/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222652; rev:1;) alert tcp $HOME_NET any -> [94.131.107.198] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222651/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_21; classtype:trojan-activity; sid:91222651; rev:1;) alert tcp $HOME_NET any -> [13.232.180.80] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222650/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222650; rev:1;) alert tcp $HOME_NET any -> [121.37.82.36] 8834 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222649/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"bombertublestylebanws.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/datalifetemp.php"; depth:17; nocase; http.host; content:"962855cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_21; classtype:trojan-activity; sid:91222647; rev:1;) alert tcp $HOME_NET any -> [15.207.21.242] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222645/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222645; rev:1;) alert tcp $HOME_NET any -> [54.39.105.235] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222643/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222643; rev:1;) alert tcp $HOME_NET any -> [171.5.184.236] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222642/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_21; classtype:trojan-activity; sid:91222642; rev:1;) alert tcp $HOME_NET any -> [13.200.243.215] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1222641/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222641; rev:1;) alert tcp $HOME_NET any -> [8.134.158.237] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charon561.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compute/antivirus/kwojux68ks"; depth:29; nocase; http.host; content:"charon561.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222638; rev:1;) alert tcp $HOME_NET any -> [178.128.92.166] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222637/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/provideruniversaltrackdownloads.php"; depth:36; nocase; http.host; 
content:"324387cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222636; rev:1;) alert tcp $HOME_NET any -> [135.125.107.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222632/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222632; rev:1;) alert tcp $HOME_NET any -> [5.75.155.39] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222631/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222631; rev:1;) alert tcp $HOME_NET any -> [185.92.220.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222629/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222629; rev:1;) alert tcp $HOME_NET any -> [80.221.144.253] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222630/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222630; rev:1;) alert tcp $HOME_NET any -> [185.92.220.86] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222628/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222628; rev:1;) alert tcp $HOME_NET 
any -> [91.219.148.57] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222627/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222627; rev:1;) alert tcp $HOME_NET any -> [192.227.194.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222626/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222626; rev:1;) alert tcp $HOME_NET any -> [5.255.126.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222625/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222625; rev:1;) alert tcp $HOME_NET any -> [68.183.193.39] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222624/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222624; rev:1;) alert tcp $HOME_NET any -> [159.246.29.95] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222623/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222623; rev:1;) alert tcp $HOME_NET any -> [51.195.150.20] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222622/; target:src_ip; metadata: confidence_level 
90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222622; rev:1;) alert tcp $HOME_NET any -> [193.3.19.167] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222621/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222621; rev:1;) alert tcp $HOME_NET any -> [47.101.144.63] 38286 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222620/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222620; rev:1;) alert tcp $HOME_NET any -> [45.79.190.91] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222619/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222619; rev:1;) alert tcp $HOME_NET any -> [185.225.17.126] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222618/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222618; rev:1;) alert tcp $HOME_NET any -> [138.197.168.137] 18443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222616/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222616; rev:1;) alert tcp $HOME_NET any -> [178.128.144.35] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1222617/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222617; rev:1;) alert tcp $HOME_NET any -> [64.227.130.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222615/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222615; rev:1;) alert tcp $HOME_NET any -> [35.86.154.89] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222613/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222613; rev:1;) alert tcp $HOME_NET any -> [150.109.240.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222614/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222614; rev:1;) alert tcp $HOME_NET any -> [188.166.125.71] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222612/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222612; rev:1;) alert tcp $HOME_NET any -> [5.252.21.121] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222611/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222611; rev:1;) alert tcp $HOME_NET any -> [74.208.208.195] 443 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222610/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222610; rev:1;) alert tcp $HOME_NET any -> [74.103.149.82] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222608/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222608; rev:1;) alert tcp $HOME_NET any -> [3.231.153.226] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222609/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222609; rev:1;) alert tcp $HOME_NET any -> [3.93.43.122] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222607/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222607; rev:1;) alert tcp $HOME_NET any -> [45.79.166.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222606/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222606; rev:1;) alert tcp $HOME_NET any -> [45.79.166.193] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222605/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; 
sid:91222605; rev:1;) alert tcp $HOME_NET any -> [154.204.44.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222604/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222604; rev:1;) alert tcp $HOME_NET any -> [46.101.130.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222602/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222602; rev:1;) alert tcp $HOME_NET any -> [47.101.155.133] 7443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222603/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222603; rev:1;) alert tcp $HOME_NET any -> [185.142.184.133] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222601/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222601; rev:1;) alert tcp $HOME_NET any -> [34.162.51.179] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222600/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222600; rev:1;) alert tcp $HOME_NET any -> [54.165.231.50] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222599/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222599; rev:1;) alert tcp $HOME_NET any -> [222.239.251.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222598/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222598; rev:1;) alert tcp $HOME_NET any -> [35.238.245.197] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222597/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222597; rev:1;) alert tcp $HOME_NET any -> [13.58.104.219] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222596/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222596; rev:1;) alert tcp $HOME_NET any -> [121.40.188.247] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222595/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222595; rev:1;) alert tcp $HOME_NET any -> [143.198.128.249] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222594/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222594; rev:1;) alert tcp $HOME_NET any -> [168.100.11.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222593/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222593; rev:1;) alert tcp $HOME_NET any -> [45.77.221.80] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222592/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222592; rev:1;) alert tcp $HOME_NET any -> [194.87.196.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222591/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222591; rev:1;) alert tcp $HOME_NET any -> [34.28.126.114] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222590/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222590; rev:1;) alert tcp $HOME_NET any -> [62.218.124.18] 1338 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222589/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222589; rev:1;) alert tcp $HOME_NET any -> [172.172.192.169] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222588/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222588; rev:1;) 
alert tcp $HOME_NET any -> [20.99.141.107] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222587/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222587; rev:1;) alert tcp $HOME_NET any -> [104.193.69.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222586/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222586; rev:1;) alert tcp $HOME_NET any -> [44.200.76.22] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222585/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222585; rev:1;) alert tcp $HOME_NET any -> [167.179.67.91] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222584/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222584; rev:1;) alert tcp $HOME_NET any -> [46.29.166.80] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222583/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222583; rev:1;) alert tcp $HOME_NET any -> [158.247.217.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222582/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222582; rev:1;) alert tcp $HOME_NET any -> [172.233.186.141] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222581/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222581; rev:1;) alert tcp $HOME_NET any -> [35.85.36.238] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222580/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222580; rev:1;) alert tcp $HOME_NET any -> [170.187.136.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222579/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222579; rev:1;) alert tcp $HOME_NET any -> [47.111.31.7] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222578/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222578; rev:1;) alert tcp $HOME_NET any -> [23.224.55.82] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222576/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222576; rev:1;) alert tcp $HOME_NET any -> [45.155.249.148] 8089 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222577/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222577; rev:1;) alert tcp $HOME_NET any -> [89.147.110.79] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222575/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222575; rev:1;) alert tcp $HOME_NET any -> [185.77.225.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222574/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222574; rev:1;) alert tcp $HOME_NET any -> [142.93.141.211] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222573/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222573; rev:1;) alert tcp $HOME_NET any -> [172.206.69.72] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222572/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222572; rev:1;) alert tcp $HOME_NET any -> [104.131.0.220] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222571/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222571; rev:1;) alert tcp $HOME_NET any -> [207.148.92.178] 55555 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222570/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222570; rev:1;) alert tcp $HOME_NET any -> [18.234.231.155] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222569/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222569; rev:1;) alert tcp $HOME_NET any -> [91.219.148.228] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222568/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222568; rev:1;) alert tcp $HOME_NET any -> [208.85.18.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222567/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222567; rev:1;) alert tcp $HOME_NET any -> [206.237.28.61] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222566/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222566; rev:1;) alert tcp $HOME_NET any -> [159.75.187.222] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222565/; target:src_ip; metadata: confidence_level 90, first_seen 
2023_12_20; classtype:trojan-activity; sid:91222565; rev:1;) alert tcp $HOME_NET any -> [185.205.209.163] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222564/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222564; rev:1;) alert tcp $HOME_NET any -> [107.174.180.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222563/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222563; rev:1;) alert tcp $HOME_NET any -> [66.135.19.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222561/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222561; rev:1;) alert tcp $HOME_NET any -> [172.233.222.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222562/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222562; rev:1;) alert tcp $HOME_NET any -> [212.71.246.109] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222560/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222560; rev:1;) alert tcp $HOME_NET any -> [47.101.141.106] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222559/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222559; rev:1;) alert tcp $HOME_NET any -> [193.148.166.247] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222557/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222557; rev:1;) alert tcp $HOME_NET any -> [142.171.44.245] 2053 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222558/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222558; rev:1;) alert tcp $HOME_NET any -> [139.162.105.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222555/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222555; rev:1;) alert tcp $HOME_NET any -> [167.99.62.1] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222556/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222556; rev:1;) alert tcp $HOME_NET any -> [148.113.182.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222554/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222554; rev:1;) alert tcp $HOME_NET any -> [8.217.121.233] 8443 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222553/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_20; classtype:trojan-activity; sid:91222553; rev:1;) alert tcp $HOME_NET any -> [216.48.179.60] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222552/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222552; rev:1;) alert tcp $HOME_NET any -> [164.52.219.118] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222551/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222551; rev:1;) alert tcp $HOME_NET any -> [216.48.182.251] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222550/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222550; rev:1;) alert tcp $HOME_NET any -> [164.52.201.144] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222549/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222549; rev:1;) alert tcp $HOME_NET any -> [216.48.185.120] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222548/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222548; rev:1;) alert tcp $HOME_NET any -> [216.48.183.75] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222547/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222547; rev:1;) alert tcp $HOME_NET any -> [216.48.183.206] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222545/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222545; rev:1;) alert tcp $HOME_NET any -> [164.52.204.122] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222546/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222546; rev:1;) alert tcp $HOME_NET any -> [164.52.203.68] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222543/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222543; rev:1;) alert tcp $HOME_NET any -> [164.52.200.182] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222544/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222544; rev:1;) alert tcp $HOME_NET any -> [216.48.185.13] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222542/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-73-173.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222540/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222540; rev:1;) alert tcp $HOME_NET any -> [216.48.184.188] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222541/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secops.vunetsystems.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222538/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-72-122.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222539/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"server.instahosting.in"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222537/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222537; rev:1;) alert tcp $HOME_NET any -> [216.48.183.85] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222535/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222535; rev:1;) alert tcp $HOME_NET any -> [216.48.179.106] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222536/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222536; rev:1;) alert tcp $HOME_NET any -> [216.48.177.248] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222534/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222534; rev:1;) alert tcp $HOME_NET any -> [216.48.183.81] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222533/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222533; rev:1;) alert tcp $HOME_NET any -> [164.52.223.174] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222532/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222532; rev:1;) alert tcp $HOME_NET any -> [216.48.183.60] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222530/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222530; rev:1;) alert tcp $HOME_NET any -> [216.48.179.174] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222531/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222531; rev:1;) alert tcp $HOME_NET any -> [216.48.183.71] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222529/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222529; rev:1;) alert tcp $HOME_NET any -> [164.52.210.159] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222527/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222527; rev:1;) alert tcp $HOME_NET any -> [216.48.179.170] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222528/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222528; rev:1;) alert tcp $HOME_NET any -> [216.48.183.70] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222526/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222526; rev:1;) alert tcp $HOME_NET any -> [216.48.183.41] 443 (msg:"ThreatFox BumbleBee 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222525/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222525; rev:1;)
#
# NOTE(review): every rule in this block is generated from a single ThreatFox
# IOC record: reference:url names the record and the sid is the IOC id with a
# leading "9". Hand edits here are presumably overwritten on the next feed
# refresh -- tune with threshold/suppress entries keyed on the sid instead.
#
# How to read the two rule shapes used below:
#  - "dns" rules: dns_query + content + a depth equal to the name's length +
#    isdataat:!1,relative give an exact, case-insensitive match on the whole
#    queried name. Sub-domains do NOT match, which is why e.g. farentrip.com
#    and www.farentrip.com each carry their own sid.
#  - "tcp" ip:port rules carry no flow: keyword, so any packet from $HOME_NET
#    to that IP:port fires (the first SYN included, scanner/sandbox traffic
#    included); threshold caps this at one alert per source per minute.
#    They match bare addresses that hosting providers reassign, so keep them
#    alert-only and re-check the IOC record before promoting to drop.
#
# Caveats for this batch (first_seen 2023_12_20, confidence 75% until the
# 100% rules further down):
#  - Many names look like provider reverse-DNS hostnames
#    (e2e-*.ssdcloudindia.net, *.bc.googleusercontent.com,
#    216-48-179-60.cprapid.com). A client that connects by IP never resolves
#    such a name, so coverage of those IOCs comes from an ip:port rule for the
#    same address where the feed has one, not from the dns rule.
#  - mail.cgimilan.gov.in, mail.cgidubai.gov.in, mail.eoibogota.gov.in and
#    webmail.togetherindia.in look like ordinary mail hosts (possibly
#    compromised rather than attacker-owned); expect benign hits and verify
#    against the IOC record before blocking.
#
alert tcp $HOME_NET any -> [216.48.181.201] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222523/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222523; rev:1;)
alert tcp $HOME_NET any -> [164.52.211.43] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222524/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-69-153.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222522/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222522; rev:1;)
alert tcp $HOME_NET any -> [216.48.178.45] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222520/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-70.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222521/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-96-68.ssdcloudindia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222519/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-102-13.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222517/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-206.ssdcloudindia.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222518/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-69-171.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222515/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.ripplendt.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222516/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-94-248.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222513/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-85-101.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222514/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-68-182.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222511/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222511; rev:1;)
alert tcp $HOME_NET any -> [216.48.179.68] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222512/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-99-251.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222510/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"farentrip.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222508/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-92-174.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222509/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.cgimilan.gov.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222506/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-71-68.ssdcloudindia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222507/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webdisk.ripplendt.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222504/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-96-170.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222505/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-95-45.ssdcloudindia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222502/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-73-176.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222503/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-85.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222500/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-79-159.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222501/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-71.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222498/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-73-167.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222499/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.mcc-dspace.l2c2.co.in"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222497/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kbs.thinkiit.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222495/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"178.177.200.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222496/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"178.227.100.34.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222493/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"test1.donateabook.org.in"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222494/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"215.145.200.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222492/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-73-172.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222490/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-41.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222491/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.elearnacad.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222488/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.cgidubai.gov.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222489/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-80-43.ssdcloudindia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222487/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.farentrip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222485/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"webmail.togetherindia.in"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222486/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"f66we2.easypanel.host"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222483/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"testseries.thinkiit.in"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222484/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-69-144.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222482/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-87-205.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222480/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qak8s.vunet.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222481/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hadoop1.bizinso.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222478/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-98-191.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222479/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mcc-dspace.l2c2.co.in"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222476/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-60.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222477/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cpanel.ripplendt.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222474/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-81.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222475/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"216-48-179-60.cprapid.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222473/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trustkeyfinserv.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222471/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trustkeyfinserv.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222472/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stage.mobycover.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222469/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-88-118.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222470/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-96-60.ssdcloudindia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222467/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-73-170.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222468/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mail.eoibogota.gov.in"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222466/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"e2e-100-75.ssdcloudindia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222465/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222465; rev:1;)
#
# Rules from here on carry confidence_level 100. Several IOCs appear twice:
# once as an ip:port rule and once as the reverse-DNS-style name of the same
# address (51.195.35.200 / ip200.ip-51-195-35.eu, 54.36.127.183 /
# ns3109813.ip-54-36-127.eu); a hit on either should be triaged as the same
# infrastructure. Names such as xmr.r4nd0m.anondns.net, miner.sjzh.top and
# minehidden-gpu.ru suggest coin-mining rather than classic C2, although the
# generated classtype is still trojan-activity -- check the IOC record.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-120.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mx.thebestonline24.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system.xnesa.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghostmain.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.36.11.181.135.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.r4nd0m.anondns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smartpanel.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.paquerasfacilitadas.fun.g10corretora.com.br"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bumbiz.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kaspersky-secure.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.data.shopvigil.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"144920-1-76bedd-01.services.oktawave.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rawrie.eu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222453; rev:1;)
alert tcp $HOME_NET any -> [51.195.35.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222450; rev:1;)
alert tcp $HOME_NET any -> [51.195.35.200] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"172-104-103-158.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3109813.ip-54-36-127.eu"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222447; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"70.225.125.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clarenssbodiker.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miner.sjzh.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222444; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-187.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222445; rev:1;)
alert tcp $HOME_NET any -> [54.36.127.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222442; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minehidden-gpu.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222443; rev:1;)
alert tcp $HOME_NET any -> [54.36.127.183] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222441; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.servermethod.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222439; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.adaklab.ir"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222440; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-194.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panfsaafcxzelkfsha31523.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftcom.gfdwertwdd.xyz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads.thebestonline24.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.jjzpanel.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"law.fan"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.xy0ke.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahv-id-14636.vps.awcloud.nl"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"info.thebestonline24.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.ok.adaklab.ir"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222428; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-191-246-30.us-east-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222429; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newstroczvmonmy3ne1w.su"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222426; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-178.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222427; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telefonemusk.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222425; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip200.ip-51-195-35.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222423; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strongsteelhomes.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xm.centralmarketingkur.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222422; rev:1;)
alert tcp $HOME_NET any -> [197.91.182.171] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222421; rev:1;)
alert tcp $HOME_NET any -> 
[197.91.182.171] 86 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222420; rev:1;) alert tcp $HOME_NET any -> [54.38.193.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222419; rev:1;) alert tcp $HOME_NET any -> [54.38.193.134] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222418; rev:1;) alert tcp $HOME_NET any -> [176.119.35.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222417; rev:1;) alert tcp $HOME_NET any -> [176.119.35.43] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222416; rev:1;) alert tcp $HOME_NET any -> [82.66.185.138] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thebestonline24.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222413; rev:1;) alert tcp $HOME_NET any -> [82.66.185.138] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zel.bio"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bankcashcredit.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"main-node.incaves.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; 
sid:91222410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.klaster.pp.ua"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rex-exploits.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawrie.eu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fortunagamez.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"willyman.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"dsadw33fdsfs.buzz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ghostmain.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demo.citichoice.ca"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rex-exploits.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.smartpanel.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minernumberone.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1222398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjzpanel.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsupdate.love-network.cc"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snsnuji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swapme.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.strongsteelhomes.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rede.tphost.com.br"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.shopvigil.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klaster.pp.ua"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.minehidden-gpu.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paquerasfacilitadas.fun.g10corretora.com.br"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.system.xnesa.in"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.webpanel777.pl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotspot.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seanhenning-101.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaspersky-secure.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servermethod.net"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rede.tphost.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.hostinguje.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.minehidden.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bixby.lat"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222379; rev:1;) alert tcp $HOME_NET any -> [102.50.247.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222377/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frazedev.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222378; rev:1;) alert tcp $HOME_NET any -> [130.162.178.229] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.clarenssbodiker.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-167.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.beylikotomasyon.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222374; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.red-hacks.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caboshed-rations.000webhostapp.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fortunagamez.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222370; rev:1;) alert tcp $HOME_NET any -> [129.151.135.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.moner0000f5rvt.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"jf832nfds90vxcj893422m.store"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222367; rev:1;) alert tcp $HOME_NET any -> [82.147.85.194] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unam.farorsps.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3112463.ip-54-38-193.eu"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222364; rev:1;) alert tcp $HOME_NET any -> [51.38.81.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"red-hacks.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222363/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.krypto.itwu.pl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222361; rev:1;) alert tcp $HOME_NET any -> [82.147.85.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moner0000f5rvt.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222358; rev:1;) alert tcp $HOME_NET any -> [62.109.5.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.thebestonline24.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222357; rev:1;) alert tcp $HOME_NET any -> 
[158.247.198.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222355; rev:1;) alert tcp $HOME_NET any -> [158.247.198.75] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.strongsteelhomes.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222354; rev:1;) alert tcp $HOME_NET any -> [177.124.72.24] 11180 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222353; rev:1;) alert tcp $HOME_NET any -> [185.117.3.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222351; rev:1;) alert tcp $HOME_NET any -> [18.191.246.30] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222352; rev:1;) alert tcp $HOME_NET any -> [185.117.3.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krypto.itwu.pl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.sjzh.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.auth.xy0ke.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"px1.bankcashcredit.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minehidden.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ok.adaklab.ir"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fanklubziuta.pl"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jf832nfds90vxcj893422m.store"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-228ceefa.vps.ovh.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222341; rev:1;) alert tcp $HOME_NET any -> [103.30.126.101] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owenkruse.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222340; rev:1;) alert tcp $HOME_NET any -> [172.111.239.90] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222338; rev:1;) alert tcp $HOME_NET any -> [45.120.177.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222336; rev:1;) alert tcp $HOME_NET any -> [135.181.11.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222337; rev:1;) alert tcp $HOME_NET any -> [212.64.217.73] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222335; rev:1;) alert tcp $HOME_NET any -> [8.218.175.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222334; rev:1;) alert tcp $HOME_NET any -> [34.125.225.70] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222333; rev:1;) alert tcp $HOME_NET any -> [172.104.103.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222331; rev:1;) alert tcp $HOME_NET any -> [140.238.173.180] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222332; rev:1;) alert tcp $HOME_NET any -> [8.218.155.228] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222330; rev:1;) alert tcp $HOME_NET any -> [173.212.221.227] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222329/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222329; rev:1;) alert tcp $HOME_NET any -> [130.61.242.29] 443 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222328; rev:1;) alert tcp $HOME_NET any -> [124.221.221.169] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222326; rev:1;) alert tcp $HOME_NET any -> [49.113.76.120] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222327; rev:1;) alert tcp $HOME_NET any -> [124.220.180.112] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222325; rev:1;) alert tcp $HOME_NET any -> [159.223.205.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222324/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222324; rev:1;) alert tcp $HOME_NET any -> [69.30.197.178] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222323; rev:1;) alert tcp $HOME_NET any -> [49.7.216.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222322; rev:1;) alert tcp $HOME_NET any -> [121.196.246.205] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222321; rev:1;) alert tcp $HOME_NET any -> [94.103.188.85] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222320; rev:1;) alert tcp $HOME_NET any -> [5.182.27.71] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222319; rev:1;) alert tcp $HOME_NET any -> [193.168.141.137] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222318; rev:1;) alert tcp $HOME_NET any -> [193.168.141.125] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222317; rev:1;) alert tcp $HOME_NET any -> [5.180.114.36] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222316; rev:1;) alert tcp $HOME_NET any -> [52.204.220.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222315; rev:1;) alert tcp $HOME_NET any -> [103.241.72.56] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222314; rev:1;) alert tcp $HOME_NET any -> [8.134.166.14] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222313; rev:1;) alert tcp $HOME_NET any -> [18.116.150.89] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222312; rev:1;) alert tcp $HOME_NET any -> [150.107.2.177] 8880 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222311; rev:1;) alert tcp $HOME_NET any -> [150.107.2.178] 8880 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222309; rev:1;) alert tcp $HOME_NET any -> [196.65.209.44] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222310; rev:1;) alert tcp $HOME_NET any -> [66.85.157.78] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222308; rev:1;) alert tcp $HOME_NET any -> [149.115.225.38] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222307; rev:1;) alert tcp $HOME_NET any -> [149.115.225.24] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222305; rev:1;) alert tcp $HOME_NET any -> [194.33.191.199] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222306; rev:1;) alert tcp $HOME_NET any -> [203.23.128.78] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wonderful-murdock.91-215-85-133.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222303; rev:1;) alert tcp $HOME_NET any -> [176.57.212.219] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222302; rev:1;) alert tcp $HOME_NET any -> 
[149.115.225.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222300; rev:1;) alert tcp $HOME_NET any -> [193.233.254.44] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222298; rev:1;) alert tcp $HOME_NET any -> [163.5.64.90] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222299; rev:1;) alert tcp $HOME_NET any -> [185.250.210.36] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222297; rev:1;) alert tcp $HOME_NET any -> [18.141.202.110] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222295; rev:1;) alert tcp $HOME_NET any -> [193.233.255.121] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222296/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_20; classtype:trojan-activity; sid:91222296; rev:1;) alert tcp $HOME_NET any -> [194.87.31.108] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtf.creativefolks.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222293; rev:1;) alert tcp $HOME_NET any -> [213.195.115.250] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222292; rev:1;) alert tcp $HOME_NET any -> [163.53.219.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222291; rev:1;) alert tcp $HOME_NET any -> [216.83.58.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222290; rev:1;) alert tcp $HOME_NET any -> [43.254.216.167] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222289; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222287; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222288; rev:1;) alert tcp $HOME_NET any -> [104.143.47.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222286; rev:1;) alert tcp $HOME_NET any -> [104.143.47.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222285; rev:1;) alert tcp $HOME_NET any -> [3.94.121.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222283; 
rev:1;) alert tcp $HOME_NET any -> [3.94.121.196] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222284; rev:1;) alert tcp $HOME_NET any -> [141.98.11.100] 57524 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222282; rev:1;) alert tcp $HOME_NET any -> [43.130.60.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222280; rev:1;) alert tcp $HOME_NET any -> [120.79.24.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222281; rev:1;) alert tcp $HOME_NET any -> [1.117.69.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222279; rev:1;) alert tcp $HOME_NET any -> [123.207.4.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222277; rev:1;) alert tcp $HOME_NET any -> [123.207.4.127] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222278; rev:1;) alert tcp $HOME_NET any -> [47.106.171.201] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222276; rev:1;) alert tcp $HOME_NET any -> [2.58.15.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222275; rev:1;) alert tcp $HOME_NET any -> [117.73.13.170] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222274; rev:1;) alert tcp $HOME_NET any -> [45.207.38.139] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222272; rev:1;) alert tcp $HOME_NET any -> [117.73.13.170] 9999 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222273; rev:1;) alert tcp $HOME_NET any -> [45.207.38.139] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222271; rev:1;) alert tcp $HOME_NET any -> [45.207.38.139] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222270; rev:1;) alert tcp $HOME_NET any -> [47.104.94.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222268; rev:1;) alert tcp $HOME_NET any -> [47.104.94.246] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222269; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 7500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222267/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222267; rev:1;) alert tcp $HOME_NET any -> [8.140.147.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222266; rev:1;) alert tcp $HOME_NET any -> [101.34.28.19] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222265; rev:1;) alert tcp $HOME_NET any -> [101.43.26.191] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222264; rev:1;) alert tcp $HOME_NET any -> [43.143.170.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222263; rev:1;) alert tcp $HOME_NET any -> [162.14.107.218] 4434 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222262; rev:1;) alert tcp $HOME_NET any -> [194.156.99.174] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222261; rev:1;) alert tcp $HOME_NET any -> [194.156.99.174] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222260; rev:1;) alert tcp $HOME_NET any -> [120.55.13.114] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222259; rev:1;) alert tcp $HOME_NET any -> [107.173.164.135] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222258; rev:1;) alert tcp $HOME_NET any -> [23.224.61.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222256; rev:1;) alert tcp $HOME_NET any -> [190.92.227.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222257; rev:1;) alert tcp $HOME_NET any -> [94.103.188.85] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222252/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222252; rev:1;) alert tcp $HOME_NET any -> [193.168.141.137] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222253/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222253; rev:1;) alert tcp $HOME_NET any -> [193.168.141.125] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222254/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222254; rev:1;) alert tcp $HOME_NET any -> [5.180.114.36] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222255/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_20; classtype:trojan-activity; sid:91222255; rev:1;) alert tcp $HOME_NET any -> [195.54.171.198] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.nightmare.su"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1222249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222249; rev:1;) alert tcp $HOME_NET any -> [94.228.118.45] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222250; rev:1;) alert tcp $HOME_NET any -> [38.207.176.111] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222248/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222248; rev:1;) alert tcp $HOME_NET any -> [47.109.102.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222246; rev:1;) alert tcp $HOME_NET any -> [172.232.189.146] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222244/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222244; rev:1;) alert tcp $HOME_NET any -> [172.232.172.117] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222243/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222243; rev:1;) alert tcp $HOME_NET any -> [89.117.55.179] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222242/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222242; rev:1;) alert tcp $HOME_NET any -> [216.83.58.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222241/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222241; rev:1;) alert tcp $HOME_NET any -> [49.0.240.90] 40000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222240/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222240; rev:1;) alert tcp $HOME_NET any -> [154.247.243.68] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222239/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222239; rev:1;) alert tcp $HOME_NET any -> [5.15.75.36] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222238/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222238; rev:1;) alert tcp $HOME_NET any -> [180.162.229.35] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222237/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222237; rev:1;) alert tcp $HOME_NET any -> [88.229.249.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222236/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222236; rev:1;) alert tcp $HOME_NET any -> [94.49.34.145] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222235/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222235; rev:1;) alert tcp $HOME_NET any -> [185.181.4.52] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222234/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222234; rev:1;) alert tcp $HOME_NET any -> [65.20.84.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222233/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222233; rev:1;) alert tcp $HOME_NET any -> [78.129.165.238] 4443 (msg:"ThreatFox Meterpreter botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222232; rev:1;) alert tcp $HOME_NET any -> [95.217.55.209] 20344 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222231; rev:1;) alert tcp $HOME_NET any -> [195.20.16.190] 45294 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222230; rev:1;) alert tcp $HOME_NET any -> [213.166.71.117] 24419 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222229; rev:1;) alert tcp $HOME_NET any -> [154.38.185.132] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222222; rev:1;) alert tcp $HOME_NET any -> [172.232.189.134] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222223/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_20; classtype:trojan-activity; sid:91222223; rev:1;) alert tcp $HOME_NET any -> [185.187.235.158] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222224; rev:1;) alert tcp $HOME_NET any -> [154.38.185.138] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222225; rev:1;) alert tcp $HOME_NET any -> [46.250.253.58] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222226; rev:1;) alert tcp $HOME_NET any -> [154.38.185.135] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222227; rev:1;) alert tcp $HOME_NET any -> [89.117.55.178] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/b1avt/330336026"; depth:16; nocase; http.host; content:"iniofer.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qopln/870780979"; depth:16; nocase; http.host; content:"techcloudes.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pomae/483059611"; depth:16; nocase; http.host; content:"humaurapp.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1pbo3/965065562"; depth:16; nocase; http.host; content:"trenierad.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222218; rev:1;) alert tcp $HOME_NET any -> [193.233.132.71] 25545 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222217/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_20; classtype:trojan-activity; sid:91222217; rev:1;) alert tcp $HOME_NET any -> [34.142.29.177] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222216/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd2wufkw/json.php"; depth:19; nocase; http.host; content:"cdn3-adb2.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd2wufkw/json.php"; depth:19; nocase; http.host; content:"cdn3-adb2.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdn3-adb2.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222212/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdn3-adb2.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222213/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222213; rev:1;) alert tcp $HOME_NET any -> [185.164.163.134] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222211/; target:src_ip; metadata: confidence_level 60, first_seen 2023_12_20; classtype:trojan-activity; sid:91222211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"124.71.74.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/updates.rss"; depth:12; nocase; http.host; content:"101.37.117.0"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.37.117.0"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.46.94.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"120.24.179.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"107.174.245.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222203/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222203; rev:1;) alert tcp $HOME_NET any -> [13.233.136.138] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222202/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222202; rev:1;) alert tcp $HOME_NET any -> [121.37.21.229] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222201/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222201; rev:1;) alert tcp $HOME_NET any -> [185.16.39.253] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222198; rev:1;) alert tcp $HOME_NET any -> [193.233.132.70] 13246 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222200; rev:1;) alert tcp $HOME_NET any -> [193.233.132.71] 45650 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222199; rev:1;) alert tcp $HOME_NET any -> [15.229.1.40] 3081 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222187; rev:1;) alert tcp $HOME_NET any -> [102.37.141.218] 6099 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222188; rev:1;) alert tcp $HOME_NET any -> [38.54.45.105] 9988 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ellokodell00.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indiapotira.servebeer.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homelpd6099.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222192/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enterprese2023.is-a-hunter.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boludo.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crhuj/428884744"; depth:16; nocase; http.host; content:"ezprocess.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heab/30635168"; depth:14; nocase; http.host; content:"antaema.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kzuivnz/448023695"; depth:18; nocase; http.host; 
content:"sterkmanfield.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222195; rev:1;) alert tcp $HOME_NET any -> [8.130.110.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222186/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222186; rev:1;) alert tcp $HOME_NET any -> [77.88.196.146] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222185/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server/string.php"; depth:18; nocase; http.host; content:"www.msk-post.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"116.62.24.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/recite/v6.1/1sv8ow5g"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/v6.1/1sv8ow5g"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-dlsvfir0-1319620322.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222180; rev:1;) alert tcp $HOME_NET any -> [45.32.92.30] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222172; rev:1;) alert tcp $HOME_NET any -> [51.81.131.161] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222173; rev:1;) 
alert tcp $HOME_NET any -> [78.153.130.249] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222174; rev:1;) alert tcp $HOME_NET any -> [82.147.85.246] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222175; rev:1;) alert tcp $HOME_NET any -> [91.92.253.38] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222176; rev:1;) alert tcp $HOME_NET any -> [95.217.5.29] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222177; rev:1;) alert tcp $HOME_NET any -> [159.203.86.11] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222178; rev:1;) alert tcp $HOME_NET any -> [195.3.223.172] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222179/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222179; rev:1;) alert tcp $HOME_NET any -> [118.122.75.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222171/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222171; rev:1;) alert tcp $HOME_NET any -> [3.110.158.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222170/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222170; rev:1;) alert tcp $HOME_NET any -> [107.191.56.230] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222162; rev:1;) alert tcp $HOME_NET any -> [65.20.78.70] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222163; rev:1;) alert tcp $HOME_NET any -> [216.128.151.26] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222164; rev:1;) alert tcp $HOME_NET any -> [139.180.137.30] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222165; rev:1;) alert tcp $HOME_NET any -> [149.28.252.250] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222166; rev:1;) alert tcp $HOME_NET any -> [172.232.161.248] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222167; rev:1;) alert tcp $HOME_NET any -> [216.128.179.120] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222168; rev:1;) alert tcp $HOME_NET any -> [172.232.190.249] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222169; rev:1;) alert tcp $HOME_NET any -> [109.230.238.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; 
classtype:trojan-activity; sid:91222161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/query/"; depth:7; nocase; http.host; content:"109.230.238.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222160; rev:1;) alert tcp $HOME_NET any -> [114.132.48.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222158; rev:1;) alert tcp $HOME_NET any -> [95.179.247.197] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otjkntayzdi5y2ux/"; depth:18; nocase; http.host; content:"sybracms12.com"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222141/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otjkntayzdi5y2ux/"; depth:18; nocase; http.host; content:"sybracmsd412.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222142/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otjkntayzdi5y2ux/"; depth:18; nocase; http.host; content:"sybracmssf512.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222143/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otjkntayzdi5y2ux/"; depth:18; nocase; http.host; content:"sybracmsas112.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222144/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otjkntayzdi5y2ux/"; depth:18; nocase; http.host; content:"sybracmsytu612.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222145/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; 
sid:91222145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"musherpicka.live"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222146/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"golevasi800.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222147/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222147; rev:1;) alert tcp $HOME_NET any -> [95.214.25.71] 1645 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222148; rev:1;) alert tcp $HOME_NET any -> [45.9.74.71] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222150; rev:1;) alert tcp $HOME_NET any -> [5.42.92.88] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; 
sid:91222149; rev:1;) alert tcp $HOME_NET any -> [78.47.79.11] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.121.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222156; rev:1;) alert tcp $HOME_NET any -> [23.88.121.200] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222155; rev:1;) alert tcp $HOME_NET any -> [74.50.93.170] 4040 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222154; rev:1;) alert tcp $HOME_NET any -> [123.249.5.106] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222153/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222153; rev:1;) alert tcp $HOME_NET any -> [115.159.112.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222152/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222152; rev:1;) alert tcp $HOME_NET any -> [172.232.162.62] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222140/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222140; rev:1;) alert tcp $HOME_NET any -> [104.207.143.168] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222139/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222139; rev:1;) alert tcp $HOME_NET any -> [64.176.67.92] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222138/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222138; rev:1;) alert tcp $HOME_NET any -> [178.154.205.14] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222137/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222137; rev:1;) alert tcp $HOME_NET any -> [118.195.173.237] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222136/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222136; rev:1;) 
alert tcp $HOME_NET any -> [185.81.128.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222135/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222135; rev:1;) alert tcp $HOME_NET any -> [74.48.27.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222134/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222134; rev:1;) alert tcp $HOME_NET any -> [69.156.151.155] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222133/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222133; rev:1;) alert tcp $HOME_NET any -> [108.173.65.146] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222132/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222132; rev:1;) alert tcp $HOME_NET any -> [97.99.69.38] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222131/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222131; rev:1;) alert tcp $HOME_NET any -> [151.64.214.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222130/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222130; rev:1;) alert tcp $HOME_NET any -> [37.186.58.134] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222129/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222129; rev:1;) alert tcp $HOME_NET any -> [165.232.154.39] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222128/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222128; rev:1;) alert tcp $HOME_NET any -> [185.196.11.27] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222127/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222127; rev:1;) alert tcp $HOME_NET any -> [206.237.23.155] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222126/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222126; rev:1;) alert tcp $HOME_NET any -> [206.237.23.155] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222125/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222125; rev:1;) alert tcp $HOME_NET any -> [45.120.177.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222124/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222124; rev:1;) alert tcp $HOME_NET any -> [146.75.71.221] 9031 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222123/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222123; rev:1;) alert tcp $HOME_NET any -> [59.103.81.96] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222122/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_20; classtype:trojan-activity; sid:91222122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"froggraduategravi.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"angerbumpyardee.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/api"; depth:4; nocase; http.host; content:"cruelslumpeeris.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gatelistcoldyeisa.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"laborermemorandumjes.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lawitemymodelefr.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"surfsponsorjun.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222049/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wakereviewhuwee.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222050; rev:1;) alert tcp $HOME_NET any -> [8.134.158.237] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222120/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222120; rev:1;) alert tcp $HOME_NET any -> [13.126.105.113] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222119/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222119; rev:1;) alert tcp $HOME_NET any -> [194.26.192.132] 12343 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222118; rev:1;) alert tcp $HOME_NET any -> [103.47.144.118] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222117; rev:1;) 
alert tcp $HOME_NET any -> [120.27.148.91] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222116/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222116; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 10977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222115; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 10977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222114; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 10977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222113; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 10977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_20; classtype:trojan-activity; sid:91222112; rev:1;) alert tcp $HOME_NET any -> [205.234.156.138] 3780 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222111/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_12_20; classtype:trojan-activity; sid:91222111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.207.38.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222107; rev:1;) alert tcp $HOME_NET any -> [146.70.115.55] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detect/properties/b2qcqjtllh4"; depth:30; nocase; http.host; content:"spenserfitolife.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spenserfitolife.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222105; rev:1;) alert tcp $HOME_NET any -> [5.252.177.247] 80 (msg:"ThreatFox magecart botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222102; rev:1;) alert tcp $HOME_NET any -> [66.11.117.40] 80 (msg:"ThreatFox magecart botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222101; rev:1;) alert tcp $HOME_NET any -> [45.153.48.176] 443 (msg:"ThreatFox magecart botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222099; rev:1;) alert tcp $HOME_NET any -> [37.1.213.121] 8080 (msg:"ThreatFox magecart botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222100; rev:1;) alert tcp $HOME_NET any -> [37.252.1.225] 443 (msg:"ThreatFox magecart botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222098; rev:1;) alert tcp $HOME_NET any -> [5.45.83.223] 443 (msg:"ThreatFox magecart botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222096; rev:1;) alert tcp $HOME_NET any -> [91.92.250.214] 80 (msg:"ThreatFox magecart botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.kfsldieuwq.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kfsldieuwq.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn145403011.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interesting-wozniak.45-153-48-176.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222092; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1222091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222091; rev:1;) alert tcp $HOME_NET any -> [172.86.75.90] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222090; rev:1;) alert tcp $HOME_NET any -> [5.180.114.165] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222089; rev:1;) alert tcp $HOME_NET any -> [139.180.191.68] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222088; rev:1;) alert tcp $HOME_NET any -> [91.103.253.190] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222087; rev:1;) alert tcp $HOME_NET any -> [5.181.156.137] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222086; rev:1;) alert tcp $HOME_NET any -> [91.92.241.65] 8080 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222085; rev:1;) alert tcp $HOME_NET any -> [45.76.184.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222084; rev:1;) alert tcp $HOME_NET any -> [18.116.150.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222083; rev:1;) alert tcp $HOME_NET any -> [20.121.44.156] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222082; rev:1;) alert tcp $HOME_NET any -> [207.180.224.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222081; rev:1;) alert tcp $HOME_NET any -> [167.99.182.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222080/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_19; classtype:trojan-activity; sid:91222080; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222079; rev:1;) alert tcp $HOME_NET any -> [150.158.57.120] 182 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222078; rev:1;) alert tcp $HOME_NET any -> [8.217.24.207] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222077; rev:1;) alert tcp $HOME_NET any -> [107.151.244.121] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222076; rev:1;) alert tcp $HOME_NET any -> [47.254.233.5] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"pickbeatmoduleprefer.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222063/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"familiardvotecheapw.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222064/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"technologyprosecutiw.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222065/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuttingcoachrecovr.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222066/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tablesockartfinewa.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222067/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"advertiseshotdecaywi.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1222068/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"necklacecasecauseowa.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222069/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lipstructorymusclewow.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222070/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kitchenfootballkiw.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222071/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pedestriankididentityw.fun"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222072/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mixperiodfrienndy.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222073/; target:src_ip; metadata: confidence_level 75, first_seen 
2023_12_19; classtype:trojan-activity; sid:91222073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vegatablebeacjinser.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222074/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91222074; rev:1;) alert tcp $HOME_NET any -> [185.231.153.14] 11141 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222062; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 13064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"underlinefreeapearew.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222060; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 13064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222059; rev:1;) alert tcp $HOME_NET any -> 
[3.64.4.198] 13064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222058; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 13064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222057; rev:1;) alert tcp $HOME_NET any -> [193.233.132.51] 19027 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222051; rev:1;) alert tcp $HOME_NET any -> [92.99.190.143] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222043/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222043; rev:1;) alert tcp $HOME_NET any -> [116.203.56.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222042/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; 
sid:91222042; rev:1;) alert tcp $HOME_NET any -> [109.107.181.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222041/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222041; rev:1;) alert tcp $HOME_NET any -> [105.224.22.18] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222040/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222040; rev:1;) alert tcp $HOME_NET any -> [54.91.218.249] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222039/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222039; rev:1;) alert tcp $HOME_NET any -> [185.246.118.13] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222038/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222038; rev:1;) alert tcp $HOME_NET any -> [139.196.241.226] 40000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222037/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222037; rev:1;) alert tcp $HOME_NET any -> [3.110.107.80] 40069 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222036/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222036; rev:1;) alert tcp $HOME_NET any -> [222.88.56.105] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222035/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91222035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.46.132.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.36.226.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.230.205.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"213.109.202.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"193.201.9.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.141.15.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.234.72.172"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1222027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"219.128.25.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.67.155.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222023; rev:1;) alert tcp $HOME_NET any -> [192.3.255.42] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.21.13.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1222022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222022; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222021/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91222021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifcr.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222019; rev:1;) alert tcp $HOME_NET any -> [3.74.161.55] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibmxwork.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222018; rev:1;) alert tcp $HOME_NET any -> [69.164.213.141] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1222017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222017; rev:1;) alert tcp $HOME_NET any -> [82.115.223.26] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222016; rev:1;) alert tcp $HOME_NET any -> [193.29.13.220] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222015/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91222015; rev:1;) alert tcp $HOME_NET any -> [45.144.152.86] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222014; rev:1;) alert tcp $HOME_NET any -> [186.13.27.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"613dd1395d4110c46c877ef5.keenetic.io"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1222012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222012; rev:1;) alert tcp $HOME_NET any -> 
[13.215.228.73] 3521 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222011; rev:1;) alert tcp $HOME_NET any -> [187.135.93.241] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222010; rev:1;) alert tcp $HOME_NET any -> [47.98.232.71] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222009; rev:1;) alert tcp $HOME_NET any -> [47.113.216.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222007; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222008; rev:1;) alert tcp $HOME_NET any -> [54.149.46.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1222006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222006; rev:1;) alert tcp $HOME_NET any -> [47.103.212.17] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222005; rev:1;) alert tcp $HOME_NET any -> [103.30.76.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222003; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222004; rev:1;) alert tcp $HOME_NET any -> [101.34.56.61] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222002; rev:1;) alert tcp $HOME_NET any -> [198.46.211.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222001; rev:1;) alert tcp $HOME_NET any -> [8.130.29.234] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221999; rev:1;) alert tcp $HOME_NET any -> [47.99.89.87] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1222000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91222000; rev:1;) alert tcp $HOME_NET any -> [107.172.81.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221997; rev:1;) alert tcp $HOME_NET any -> [91.92.241.103] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221998; rev:1;) alert tcp $HOME_NET any -> [154.201.66.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221996; rev:1;) alert tcp $HOME_NET any -> [103.24.219.46] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221995; rev:1;) alert tcp $HOME_NET any -> [136.244.69.110] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221993; rev:1;) alert tcp $HOME_NET any -> [139.9.219.175] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221994; rev:1;) alert tcp $HOME_NET any -> [120.55.15.202] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221992; rev:1;) alert tcp $HOME_NET any -> [43.139.74.167] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221991; rev:1;) alert tcp $HOME_NET any -> [117.50.171.158] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221990; rev:1;) alert tcp $HOME_NET any -> 
[103.77.240.57] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221989; rev:1;) alert tcp $HOME_NET any -> [154.55.139.35] 8081 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221987; rev:1;) alert tcp $HOME_NET any -> [119.6.239.81] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221988; rev:1;) alert tcp $HOME_NET any -> [119.6.239.68] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freedrum.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bgesmart.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221984/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ironwulf.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.typhoonexpress.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proizza.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.askmochajen.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oxfordlightworks.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221980; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ganjitsu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.teleradiologist.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"askmochajen.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"herbaitget.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"section8solar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"wallofmemes.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.creditsail.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.wolfchristmas.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.ironwulf.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.landystandesign.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpfulcpa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisfamily.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ukusnews.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.candlecarverva.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.captainalpha.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hereswhat.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; 
classtype:trojan-activity; sid:91221964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rackattackrentals.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tc-canada.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tv1la.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chefboiisblack.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmrland11.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"5starfreelancer.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agungpodomoroland.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getcoffeeperks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inthekitchenwithjen.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pdlmobility.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caliberenterprise.com"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vancouvergold.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.inthekitchenwithjen.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glassenclosed.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kidhemp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.besttrademarklawyers.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221946/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannabisforamerica.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.blackbeltportal.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drinkyourbuzz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subvip.af789.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cbdhealthlink.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221943; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helloproinc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tc-canada.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"commercialconcretefinish.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coffeezine.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l5rkotei.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"v2118959.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dpruttech.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bhnwithpercy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abodetv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.206-166-251-52.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keithpressurewashing.com"; depth:24; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1221931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kitehites.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drxhousecall.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glassenclosedcellar.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.icleanzer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leathermasterpro.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221927/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_19; classtype:trojan-activity; sid:91221927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moiacewtzpar.loan"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannabisbusinessguide.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asleytomafa.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usuaetv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjshoppingmart.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannacannect.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221920; rev:1;)
# NOTE(review): the dns rules below inspect the queried name only on traffic
# crossing $HOME_NET -> $EXTERNAL_NET. If clients resolve through an internal
# recursive resolver inside $HOME_NET, the query seen at that boundary is the
# resolver's, so target:src_ip will name the resolver rather than the infected
# host — confirm how $HOME_NET is defined here and correlate with resolver logs.
# Match semantics: depth equals the name length and isdataat:!1,relative rejects
# any trailing byte, so only an exact (case-insensitive) query for the listed
# name fires; a subdomain lookup, or the bare apex for a www.* entry, does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cansoftsem.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gearforme.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glassenclosedwinecellar.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221918; rev:1;)
# NOTE(review): the ip:port rules in this file carry no flow: keyword, so a
# single outbound SYN toward the listed address/port alerts (rate-limited by the
# threshold to one alert per source per 60 s). That is useful for catching
# attempted beaconing even when the C2 is already down, but it also means a
# reassigned or stale address keeps firing. These entries are first_seen
# 2023_12_19 — re-check the referenced ThreatFox entry before promoting any
# of them from alert to drop.
alert tcp $HOME_NET any -> [168.100.10.176] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221916; rev:1;)
# NOTE(review): this name looks like an auto-generated EC2 public hostname (it
# encodes 52.4.12.90), i.e. a reassignable cloud address rather than an
# attacker-registered domain — expect it to go stale quickly; verify the
# ThreatFox entry is still active before blocking on it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-4-12-90.compute-1.amazonaws.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221915; rev:1;)
# NOTE(review): the three 443 destinations below (52.5.62.203, 52.204.70.129,
# 54.92.206.177) appear to sit in public-cloud address space, which is recycled
# between tenants — treat a hit as a lead to confirm (TLS SNI / JA3 / destination
# host in flow logs), not as proof of infection on its own.
alert tcp $HOME_NET any -> [52.5.62.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221913; rev:1;)
alert tcp $HOME_NET any -> [52.204.70.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221914; rev:1;)
alert tcp $HOME_NET any -> [54.92.206.177] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221912; rev:1;)
alert tcp $HOME_NET any -> [103.12.148.35] 8088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221911; rev:1;)
alert tcp $HOME_NET any -> [198.74.55.170] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity;
sid:91221910; rev:1;) alert tcp $HOME_NET any -> [57.129.0.118] 8082 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221908; rev:1;) alert tcp $HOME_NET any -> [57.129.0.118] 8085 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221909; rev:1;) alert tcp $HOME_NET any -> [57.129.0.118] 8081 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221907; rev:1;) alert tcp $HOME_NET any -> [104.155.74.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221906; rev:1;) alert tcp $HOME_NET any -> [91.92.253.38] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221905; rev:1;) alert tcp $HOME_NET any -> [78.153.130.249] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221904; rev:1;) alert tcp $HOME_NET any -> [172.234.57.195] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221903; rev:1;) alert tcp $HOME_NET any -> [159.203.16.141] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"db.nya.lat"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221901; rev:1;) alert tcp $HOME_NET any -> [189.169.129.114] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221900; rev:1;) alert tcp $HOME_NET any -> [64.156.192.19] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221899; rev:1;) alert tcp $HOME_NET any -> [104.161.50.230] 
1900 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221898; rev:1;) alert tcp $HOME_NET any -> [77.105.132.88] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221896; rev:1;) alert tcp $HOME_NET any -> [45.74.34.32] 1993 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221897; rev:1;) alert tcp $HOME_NET any -> [113.207.49.50] 16804 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221895; rev:1;) alert tcp $HOME_NET any -> [176.128.134.182] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221894; rev:1;) alert tcp $HOME_NET any -> [154.61.77.210] 2323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221892/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221892; rev:1;) alert tcp $HOME_NET any -> [103.234.72.81] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221893; rev:1;) alert tcp $HOME_NET any -> [118.195.164.90] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221891; rev:1;) alert tcp $HOME_NET any -> [207.180.215.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221890; rev:1;) alert tcp $HOME_NET any -> [139.196.241.226] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221889; rev:1;) alert tcp $HOME_NET any -> [206.237.23.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"v2202308201063236187.nicesrv.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fastwebhosting.quest"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.wearecube.se"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-51-20-113-6.eu-north-1.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221885; rev:1;) alert tcp $HOME_NET any -> [108.143.198.224] 16001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221883; rev:1;) alert tcp $HOME_NET any -> [134.209.242.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221882; rev:1;) alert tcp $HOME_NET any -> [108.216.43.217] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221880; rev:1;) alert tcp $HOME_NET any -> [91.109.176.8] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221881; rev:1;) alert tcp $HOME_NET any -> [209.145.59.89] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221879; rev:1;) alert tcp $HOME_NET any -> [138.197.189.80] 64191 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221878; rev:1;) alert tcp $HOME_NET any -> [64.176.65.152] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221876; rev:1;) alert tcp $HOME_NET any -> [150.107.2.176] 8880 (msg:"ThreatFox Quasar 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221877; rev:1;) alert tcp $HOME_NET any -> [91.92.252.111] 37156 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my-parcel-tracking.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221874; rev:1;) alert tcp $HOME_NET any -> [37.49.228.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-vc.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obszarabonencki.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221870/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbotpanel.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-evobanco-app.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-bankinter-info.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"195-85-207-218.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.alextrucking.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; 
sid:91221865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-bancsabadell.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221866; rev:1;) alert tcp $HOME_NET any -> [91.215.85.133] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citrusclaim.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221864; rev:1;) alert tcp $HOME_NET any -> [154.9.29.45] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221862; rev:1;) alert tcp $HOME_NET any -> [5.182.86.93] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221861; rev:1;) alert tcp $HOME_NET any -> [154.9.29.46] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1221859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221859; rev:1;) alert tcp $HOME_NET any -> [38.54.96.204] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221860; rev:1;) alert tcp $HOME_NET any -> [38.242.150.72] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.alextrucking.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verfolgen-sendung.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221857; rev:1;) alert tcp $HOME_NET any -> [113.30.191.25] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221855; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-n-clk.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"143-198-109-200.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.smssound.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanglucso.hcmute.edu.vn"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruralvia-dispositivo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"panel.blackmeti.sbs"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-vc.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sendung-verfolgen.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.alextrucking.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amzlogin.fr"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.143-198-109-200.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telegramuser.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vm4792021.52ssd.had.wf"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"openai.ln.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221841; rev:1;) alert tcp $HOME_NET any -> [20.163.24.200] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221839; rev:1;) alert tcp $HOME_NET any -> [154.9.29.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221840; rev:1;) alert tcp 
$HOME_NET any -> [5.35.99.214] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221838; rev:1;) alert tcp $HOME_NET any -> [77.246.97.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221837; rev:1;) alert tcp $HOME_NET any -> [194.233.75.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221835; rev:1;) alert tcp $HOME_NET any -> [163.5.169.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c6-v5.v2red.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221834; rev:1;) alert tcp $HOME_NET any -> [137.184.80.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221832/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.amazing-torvalds.137-184-80-125.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221833; rev:1;) alert tcp $HOME_NET any -> [83.212.98.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221831; rev:1;) alert tcp $HOME_NET any -> [173.212.250.19] 1993 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221830; rev:1;) alert tcp $HOME_NET any -> [185.62.87.246] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221829; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 206 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221828; rev:1;) alert tcp $HOME_NET any -> [165.73.249.21] 8808 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221826; rev:1;) alert tcp $HOME_NET any -> [165.73.249.21] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221827; rev:1;) alert tcp $HOME_NET any -> [165.73.249.21] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221825; rev:1;) alert tcp $HOME_NET any -> [103.195.103.33] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221824; rev:1;) alert tcp $HOME_NET any -> [103.195.103.33] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221823; rev:1;) alert tcp $HOME_NET any -> [91.92.248.33] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221822/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_19; classtype:trojan-activity; sid:91221822; rev:1;) alert tcp $HOME_NET any -> [91.92.248.33] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221821; rev:1;) alert tcp $HOME_NET any -> [193.26.115.142] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221820; rev:1;) alert tcp $HOME_NET any -> [45.138.16.216] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221819; rev:1;) alert tcp $HOME_NET any -> [198.23.227.140] 6661 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221818; rev:1;) alert tcp $HOME_NET any -> [185.62.87.238] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"met.jyq.icu"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221816; rev:1;) alert tcp $HOME_NET any -> [47.98.188.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221815; rev:1;) alert tcp $HOME_NET any -> [45.129.199.38] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221814/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_19; classtype:trojan-activity; sid:91221814; rev:1;) alert tcp $HOME_NET any -> [124.221.183.95] 7666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221813; rev:1;) alert tcp $HOME_NET any -> [62.234.27.204] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221812; rev:1;) alert tcp $HOME_NET any -> [4.194.176.178] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221811; rev:1;) 
alert tcp $HOME_NET any -> [34.30.78.243] 50003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221809; rev:1;) alert tcp $HOME_NET any -> [154.12.55.147] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221810; rev:1;) alert tcp $HOME_NET any -> [34.30.78.243] 50002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221808; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221807; rev:1;) alert tcp $HOME_NET any -> [81.70.239.105] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221805; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221806; rev:1;) alert tcp $HOME_NET any -> [165.154.131.126] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221804; rev:1;) alert tcp $HOME_NET any -> [47.115.203.204] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221803; rev:1;) alert tcp $HOME_NET any -> [107.175.247.197] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221802; rev:1;) alert tcp $HOME_NET any -> [154.12.22.114] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221801; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221800; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221798; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221799; rev:1;) alert tcp $HOME_NET any -> [43.143.111.123] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221797; rev:1;) alert tcp $HOME_NET any -> [42.236.91.107] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221796; rev:1;) alert tcp $HOME_NET any -> [47.120.17.177] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221794; rev:1;) alert tcp $HOME_NET any -> [5.181.80.82] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221795/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221795; rev:1;) alert tcp $HOME_NET any -> [211.149.172.173] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221793; rev:1;) alert tcp $HOME_NET any -> [124.222.173.76] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221792; rev:1;) alert tcp $HOME_NET any -> [121.41.100.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221790; rev:1;) alert tcp $HOME_NET any -> [104.168.54.191] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221791; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221789; rev:1;) alert tcp $HOME_NET any -> [175.178.14.59] 10088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221787; rev:1;) alert tcp $HOME_NET any -> [8.130.92.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221788; rev:1;) alert tcp $HOME_NET any -> [104.192.83.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221786; rev:1;) alert tcp $HOME_NET any -> [43.139.92.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221785; rev:1;) alert tcp $HOME_NET any -> [171.33.115.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221784; rev:1;) alert tcp $HOME_NET any -> [8.130.96.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; 
classtype:trojan-activity; sid:91221782; rev:1;) alert tcp $HOME_NET any -> [8.130.96.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221783; rev:1;) alert tcp $HOME_NET any -> [118.24.24.120] 30030 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221780; rev:1;) alert tcp $HOME_NET any -> [43.143.217.171] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221781; rev:1;) alert tcp $HOME_NET any -> [114.132.244.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221779; rev:1;) alert tcp $HOME_NET any -> [134.209.197.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221778; rev:1;) alert tcp $HOME_NET any -> [79.137.192.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221776; rev:1;) alert tcp $HOME_NET any -> [8.140.147.193] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221777; rev:1;) alert tcp $HOME_NET any -> [20.214.161.162] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221774; rev:1;) alert tcp $HOME_NET any -> [104.129.180.34] 11112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221775; rev:1;) alert tcp $HOME_NET any -> [95.216.100.213] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221773; rev:1;) alert tcp $HOME_NET any -> [124.71.11.42] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221772; rev:1;) alert tcp 
$HOME_NET any -> [124.71.11.42] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221771; rev:1;) alert tcp $HOME_NET any -> [8.141.95.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221770; rev:1;) alert tcp $HOME_NET any -> [124.221.167.192] 40011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221769; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221767; rev:1;) alert tcp $HOME_NET any -> [119.29.250.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221768; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 661 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221766; rev:1;) alert tcp $HOME_NET any -> [45.207.38.139] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221765; rev:1;) alert tcp $HOME_NET any -> [124.220.101.173] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221764; rev:1;) alert tcp $HOME_NET any -> [120.55.63.96] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221763; rev:1;) alert tcp $HOME_NET any -> [91.92.252.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221761; rev:1;) alert tcp $HOME_NET any -> [129.226.83.129] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221762; rev:1;) alert tcp $HOME_NET any -> [91.92.252.228] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-204-194-46.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221759; rev:1;) alert tcp $HOME_NET any -> [139.196.191.50] 8018 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221758; rev:1;) alert tcp $HOME_NET any -> [124.223.182.22] 10009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221757; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221756; rev:1;) alert tcp $HOME_NET any -> [39.104.204.12] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221755; rev:1;) alert tcp $HOME_NET any -> [121.88.5.82] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221754; rev:1;) alert tcp $HOME_NET any -> [159.203.31.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221753; rev:1;) alert tcp $HOME_NET any -> [124.223.158.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221751; rev:1;) alert tcp $HOME_NET any -> [36.111.177.240] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221752; rev:1;) alert tcp $HOME_NET any -> [34.28.72.212] 40006 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221750; rev:1;) alert tcp $HOME_NET any -> [47.100.182.88] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as-tor1-sapimx.andes-system.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hw.yideng.co"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221747; rev:1;) alert tcp $HOME_NET any -> [118.195.129.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221746; rev:1;) alert tcp $HOME_NET any -> [103.142.9.135] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221745; rev:1;) alert tcp $HOME_NET any -> [120.55.52.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221744; rev:1;) alert tcp $HOME_NET any -> [149.104.24.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221742; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 52110 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221743; rev:1;) alert tcp $HOME_NET any -> [23.152.0.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221741; rev:1;) alert tcp $HOME_NET any -> [47.242.177.53] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221739; rev:1;) alert tcp $HOME_NET any -> [112.74.184.37] 111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221740; rev:1;) alert tcp $HOME_NET any -> [47.113.185.53] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221738; rev:1;) alert tcp $HOME_NET any -> [43.139.223.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221737; rev:1;) alert tcp $HOME_NET any -> [110.42.224.55] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221736; rev:1;) alert tcp $HOME_NET any -> [192.210.207.169] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221735; rev:1;) alert tcp $HOME_NET any -> [38.6.177.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sqmj99.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221734/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-205-128-169.us-gov-west-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221731; rev:1;) alert tcp $HOME_NET any -> [104.248.18.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cqvip888.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.rockhvn.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221729; rev:1;) alert tcp $HOME_NET any -> [182.160.6.136] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221728/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221728; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"breakfastchanneljw.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221727; rev:1;) alert tcp $HOME_NET any -> [192.153.57.20] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221726/; target:src_ip; metadata: confidence_level 60, first_seen 2023_12_19; classtype:trojan-activity; sid:91221726; rev:1;) alert tcp $HOME_NET any -> [222.211.73.134] 5766 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221725; rev:1;) alert tcp $HOME_NET any -> [109.248.151.72] 2179 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221723/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221723; rev:1;) alert tcp $HOME_NET any -> [109.248.151.72] 7770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221724/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preferencesubwaywad.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221668; rev:1;) alert tcp $HOME_NET any -> [45.144.152.86] 44635 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221719; rev:1;) alert tcp $HOME_NET any -> [152.89.217.190] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221722; rev:1;) alert tcp $HOME_NET any -> [164.132.115.9] 8082 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.185.85.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dreamtelevisiongues.fun"; depth:23; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221707/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"speedslumpachierew.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221708/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"betstamprareempiewa.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221709/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"absorbbiblowskinj.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221710/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nestpatchfillfavo.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221711/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"differentliftwelanew.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221712/; 
target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stereotypebushexch.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221713/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"virtuereplacerentj.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221714/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"theoristnationalprow.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221715/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winnerparagrapdierw.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221716/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eternalchopflattyo.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221717/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; 
sid:91221717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"captivatechimpanzeef.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221718/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"searchupgrader.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exclusive-mysearch.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwordgenerator.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleanmystorage.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"mytodo-list.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colorchangeme.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thetimechecker.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weather-checker.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"todonowext.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycustomlinkext.com"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theautocleanerext.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wipecache.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"searchforspeedext.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazingplanetext.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221706; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221692/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_12_19; classtype:trojan-activity; sid:91221692; rev:1;) alert tcp $HOME_NET any -> [45.76.119.22] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5pj6o/"; depth:7; nocase; http.host; content:"easycartbd.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vjx/"; depth:5; nocase; http.host; content:"empreenda.vc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qwn/"; depth:5; nocase; http.host; content:"allengi.com.ng"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ouiujyu/"; depth:9; nocase; http.host; 
content:"mrenterprises.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n44a38c/"; depth:9; nocase; http.host; content:"newsnarayan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8cwnbp/"; depth:8; nocase; http.host; content:"nacolnist.edu.np"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ow8i/"; depth:6; nocase; http.host; content:"bajarangabali.com.np"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/define/cookies/j7y8xv07bjq"; depth:27; nocase; http.host; content:"139.155.97.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221683/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_19; classtype:trojan-activity; sid:91221683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"165.154.131.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"sanjianke.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"service-dlsvfir0-1319620322.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.230.53.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"31.44.184.73"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1221674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/ajax/jquery-3.0.1.min.js"; depth:29; nocase; http.host; content:"powellfamilydentist.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/universallocal.php"; depth:19; nocase; http.host; content:"537201lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221672; rev:1;) alert tcp $HOME_NET any -> [18.162.193.5] 9191 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221671/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"104.168.68.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.222.155.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221669; rev:1;) alert tcp $HOME_NET any -> [41.215.243.24] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221667/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221667; rev:1;) alert tcp $HOME_NET any -> [95.216.100.213] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221666/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221666; rev:1;) alert tcp $HOME_NET any -> [116.202.177.141] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221662; rev:1;) alert tcp $HOME_NET any -> [116.203.164.22] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221663; rev:1;) alert tcp $HOME_NET any -> [128.140.5.127] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1221664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221664; rev:1;) alert tcp $HOME_NET any -> [5.75.209.154] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.178.5"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221660; rev:1;) alert tcp $HOME_NET any -> [78.46.250.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.58.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.154"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.5.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.164.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.250.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.177.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221654; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n0sca"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199583900422"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221652; rev:1;) alert tcp $HOME_NET any -> [103.145.106.109] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221651/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221651; rev:1;) alert tcp $HOME_NET any -> [103.67.162.154] 4040 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221650; rev:1;) alert tcp $HOME_NET any -> [78.141.223.212] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221649/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221649; rev:1;) alert tcp $HOME_NET any -> 
[124.223.176.109] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221648/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221648; rev:1;) alert tcp $HOME_NET any -> [45.77.252.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221647/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221647; rev:1;) alert tcp $HOME_NET any -> [189.253.250.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221646/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221646; rev:1;) alert tcp $HOME_NET any -> [74.12.145.104] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221645/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221645; rev:1;) alert tcp $HOME_NET any -> [188.49.121.152] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221644/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221644; rev:1;) alert tcp $HOME_NET any -> [79.130.49.76] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221643/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221643; rev:1;) alert tcp $HOME_NET any -> [200.44.216.55] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221642/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221642; rev:1;) alert tcp $HOME_NET any -> [46.243.226.248] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221641/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221641; rev:1;) alert tcp $HOME_NET any -> [85.254.194.66] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221640/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221640; rev:1;) alert tcp $HOME_NET any -> [13.69.129.74] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221639/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221639; rev:1;) alert tcp $HOME_NET any -> [16.171.112.33] 993 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221638/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221638; rev:1;) alert tcp $HOME_NET any -> [16.171.112.33] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221637/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221637; rev:1;) alert tcp $HOME_NET any -> [45.134.173.229] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221636/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221636; rev:1;) alert tcp $HOME_NET any -> [166.0.233.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221635/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_19; classtype:trojan-activity; sid:91221635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"en.voiceaichanger.pro"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"en.voice-ai.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ed.softaipro.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; 
classtype:trojan-activity; sid:91221616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"promo.voiceaichanger.pro"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ens.voiceaichanger.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"enz.voiceaichanger.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ena.voiceaichanger.store"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ena.voiceaichanger.pro"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/user/513/voiceaibeta-5.13.exe"; depth:39; nocase; http.host; content:"comediantes.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ns.voicechangeai.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voiceai.attyclaim.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"premiums.voiceaichanger.pro"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221607; rev:1;) alert tcp $HOME_NET any -> [93.123.85.41] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221620/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"game2030.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukkva.space"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"china.dhabigroup.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/somzx.exe"; depth:22; nocase; http.host; content:"china.dhabigroup.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugmanzx.exe"; depth:26; nocase; http.host; content:"fresh1.ironoreprod.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; 
sid:91221590; rev:1;) alert tcp $HOME_NET any -> [193.106.175.18] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"circuspride.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fresh1.ironoreprod.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221592; rev:1;) alert tcp $HOME_NET any -> [158.160.106.57] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"193.233.254.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221603/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221603; rev:1;) alert tcp $HOME_NET any -> [89.163.146.42] 5000 
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221634/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterunis.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221633; rev:1;) alert tcp $HOME_NET any -> [207.246.99.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221632/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_19; classtype:trojan-activity; sid:91221632; rev:1;) alert tcp $HOME_NET any -> [120.24.179.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221629/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m9341/index.php"; depth:16; nocase; http.host; content:"dbxk.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221628; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221627/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_19; classtype:trojan-activity; sid:91221627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bll341/index.php"; depth:17; nocase; http.host; content:"bblx1.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gya.com.bo"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onucleo.com.br"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"la-box-de-ginette.fr"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verdemanzana.com.bo"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1221624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.crash-it.it"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_19; classtype:trojan-activity; sid:91221625; rev:1;) alert tcp $HOME_NET any -> [46.1.21.123] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221619/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221619; rev:1;) alert tcp $HOME_NET any -> [116.198.46.64] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221618/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221618; rev:1;) alert tcp $HOME_NET any -> [172.81.61.59] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221605/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221605; rev:1;) alert tcp $HOME_NET any -> [120.46.94.192] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221604/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221604; rev:1;) alert tcp $HOME_NET any -> [70.34.196.219] 
2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221596; rev:1;) alert tcp $HOME_NET any -> [208.76.221.253] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221597; rev:1;) alert tcp $HOME_NET any -> [45.76.22.139] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221598; rev:1;) alert tcp $HOME_NET any -> [45.33.15.215] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221599; rev:1;) alert tcp $HOME_NET any -> [172.232.188.4] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221600; rev:1;) alert tcp $HOME_NET any -> [155.138.140.156] 13720 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221601/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221601; rev:1;) alert tcp $HOME_NET any -> [216.238.79.12] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221602; rev:1;) alert tcp $HOME_NET any -> [107.174.245.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221591/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"solutionoutlineplaint.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221587; rev:1;) alert tcp $HOME_NET any -> [64.176.13.28] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221586/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221586; rev:1;) alert tcp $HOME_NET any -> [121.199.78.3] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221585/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221585; rev:1;) alert tcp $HOME_NET any -> [72.27.24.13] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221584/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221584; rev:1;) alert tcp $HOME_NET any -> [85.98.100.107] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221583/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221583; rev:1;) alert tcp $HOME_NET any -> [31.117.121.90] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221582/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221582; rev:1;) alert tcp $HOME_NET any -> [41.227.231.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221581/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221581; rev:1;) alert tcp $HOME_NET any -> [188.54.54.75] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221580/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221580; rev:1;) alert tcp $HOME_NET any -> [24.190.116.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221579/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; 
classtype:trojan-activity; sid:91221579; rev:1;) alert tcp $HOME_NET any -> [206.189.54.226] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221578/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221578; rev:1;) alert tcp $HOME_NET any -> [94.228.118.45] 25760 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221577/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221577; rev:1;) alert tcp $HOME_NET any -> [18.190.106.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221576/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221576; rev:1;) alert tcp $HOME_NET any -> [120.79.240.212] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221575/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221575; rev:1;) alert tcp $HOME_NET any -> [222.211.73.134] 5666 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221574; rev:1;) alert tcp $HOME_NET any -> [45.15.156.2] 25096 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1221573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221573; rev:1;) alert tcp $HOME_NET any -> [45.141.87.63] 15648 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shakyastatuestrade.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"buildmateindia.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"seovdetech.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"66.175.212.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221567/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpipegamesqltestwordpresslocalpublic.php"; depth:47; nocase; http.host; content:"sosunsasun.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221566; rev:1;) alert tcp $HOME_NET any -> [172.232.54.192] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221563; rev:1;) alert tcp $HOME_NET any -> [65.20.85.39] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221564; rev:1;) alert tcp $HOME_NET any -> [172.232.189.166] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221565; rev:1;) alert tcp $HOME_NET any -> [45.56.71.218] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; 
classtype:trojan-activity; sid:91221558; rev:1;) alert tcp $HOME_NET any -> [51.161.81.190] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221559; rev:1;) alert tcp $HOME_NET any -> [45.76.96.172] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221560; rev:1;) alert tcp $HOME_NET any -> [78.141.200.111] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221561; rev:1;) alert tcp $HOME_NET any -> [149.28.100.66] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221562; rev:1;) alert tcp $HOME_NET any -> [216.48.181.191] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221557/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221557; rev:1;) alert tcp $HOME_NET any -> [110.43.68.78] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1221556/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221556; rev:1;) alert tcp $HOME_NET any -> [93.115.79.196] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221555/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221555; rev:1;) alert tcp $HOME_NET any -> [62.234.19.7] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10bfb33db816f4b6.php"; depth:21; nocase; http.host; content:"138.201.196.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seohomee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221552; rev:1;) alert tcp $HOME_NET any -> [192.99.152.153] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221551/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_12_18; classtype:trojan-activity; sid:91221551; rev:1;) alert tcp $HOME_NET any -> [177.52.83.169] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221549; rev:1;) alert tcp $HOME_NET any -> [141.255.151.240] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221550; rev:1;) alert tcp $HOME_NET any -> [109.248.151.48] 1997 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.109.77.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221546/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_18; classtype:trojan-activity; sid:91221546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.221.145.245"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metersphere.zenmen.cloud"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"metersphere.zenmen.cloud"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221542; rev:1;) alert tcp $HOME_NET any -> [67.43.234.48] 80 (msg:"ThreatFox Yellow Cockatoo RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221540; rev:1;) alert tcp $HOME_NET any -> [217.138.215.85] 80 (msg:"ThreatFox Yellow Cockatoo RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ritualaccidentrepu.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221539/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"testifypiecefarst.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221536/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coastperfumeoslan.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221537/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"feedbackspidermate.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221538/; target:src_ip; metadata: confidence_level 
75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221538; rev:1;) alert tcp $HOME_NET any -> [3.79.103.101] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221535/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"62.109.5.118"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"102.50.247.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"45.120.177.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; 
depth:10; nocase; http.host; content:"172.111.239.90"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"18.191.246.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"54.38.193.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"177.124.72.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"176.119.35.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221532/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"103.30.126.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"f0880739.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"135.181.11.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"130.162.178.229"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.147.85.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"8.218.155.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"140.238.173.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; 
content:"212.64.217.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.147.85.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"8.218.175.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.153.206.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; 
classtype:trojan-activity; sid:91221514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"interactivetreadrel.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221494/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arresthorrodrw.fun"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221495/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"couragedistributeoeo.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221496/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subwayspellprotiso.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221497/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"solutionoutlineplaint.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221498/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teardesertfreewo.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221499/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"breakfastchanneljw.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221500/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"viewconceivegiw.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221501/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"twinconstellationjkal.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221502/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winterrescueplwo.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221503/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"advancefishexeedw.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221504/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"driftpasssingeriuw.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221505/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"idealruinrewardesw.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221506/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bombertublestylebanws.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221507/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"muggymidnightleanuu.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221508/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jewelassertivebop.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221509/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"illusionqualifiedj.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221510/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rarevaluediscow.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221511/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"leaffountainla.fun"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221512/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"folkloreinviteex.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221513/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221493/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"210.87.108.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsdjcn3khs/login.php"; depth:21; nocase; http.host; content:"91.92.247.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ybhdjklss23/login.php"; depth:22; nocase; http.host; content:"freepcgamee.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221490; rev:1;) alert tcp $HOME_NET any -> [141.98.102.187] 11274 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221489/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_18; classtype:trojan-activity; sid:91221489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"fsdxda2eedasdc.atwebpages.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"13.230.162.146"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1221468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"20.90.160.195"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"31.42.190.137"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.54.96.204"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1221471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.146.226.39"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.91.68.52"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1221473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"88.210.11.112"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.23.103.41"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1221475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.249.240"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.215.85.133"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.30.76.189"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"123.99.200.131"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1221479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.21.58.37"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1221480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.198.245.50"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1221481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"188.120.234.10"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1221482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.33.191.18"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"195.10.205.18"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.87.31.108"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1221484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"195.85.207.218"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1221486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"195.85.207.219"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1221487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221487; rev:1;) alert tcp $HOME_NET any -> [47.92.197.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221467/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221467; rev:1;) alert tcp $HOME_NET any -> [163.53.219.216] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221466/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221466; rev:1;) alert tcp $HOME_NET any -> [41.96.127.60] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221465/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221465; rev:1;) alert tcp $HOME_NET any -> [149.74.155.98] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221464/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221464; rev:1;) alert tcp $HOME_NET any -> [146.185.22.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221463/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221463; rev:1;) alert tcp $HOME_NET any -> 
[31.41.244.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221462/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221462; rev:1;) alert tcp $HOME_NET any -> [59.103.171.17] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221461/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221461; rev:1;) alert tcp $HOME_NET any -> [115.186.25.31] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221460/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221460; rev:1;) alert tcp $HOME_NET any -> [52.77.170.230] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221459/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221459; rev:1;) alert tcp $HOME_NET any -> [54.150.226.102] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221458/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221458; rev:1;) alert tcp $HOME_NET any -> [80.92.205.115] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221457/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_18; classtype:trojan-activity; sid:91221457; rev:1;) alert tcp $HOME_NET any -> [80.92.205.115] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221456/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"octopanel.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221455/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221455; rev:1;) alert tcp $HOME_NET any -> [91.92.254.42] 443 (msg:"ThreatFox Coper botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221454/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_18; classtype:trojan-activity; sid:91221454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"lindarealtytulum.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"lindarealtytulum.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221437/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getimagedata.php"; depth:17; nocase; http.host; content:"fulfillityourself.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221438; rev:1;) alert tcp $HOME_NET any -> [77.105.132.161] 48505 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"62.113.112.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptgamedbwindowstestwpcdn.php"; depth:37; nocase; http.host; content:"630956lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_18; classtype:trojan-activity; sid:91221453; rev:1;) alert tcp $HOME_NET any -> [47.113.145.142] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221452/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221452; rev:1;) alert tcp $HOME_NET any -> [62.234.27.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221451/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221451; rev:1;) alert tcp $HOME_NET any -> [52.66.87.194] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221450/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221450; rev:1;) alert tcp $HOME_NET any -> [34.154.152.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221449/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221449; rev:1;) alert tcp $HOME_NET any -> [180.73.180.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221448/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221448; rev:1;) alert tcp $HOME_NET any -> [193.109.85.35] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221447/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221447; rev:1;) 
# NOTE(review): sids 91221468-91221487 earlier in this file anchor a bare IP
# literal in the http.uri buffer (e.g. content:"13.230.162.146"; depth:14;)
# with no http.host match. In an ordinary request the URI buffer begins with
# the path ("/"), so those rules are unlikely to fire on traffic to the
# listed hosts; the host-anchored form used by sid 91221488 and its
# neighbours (http.host; content:"..."; depth:N; isdataat:!1,relative;)
# is the shape that matches the indicator. Confirm with the rule generator
# before counting on them for coverage.
alert tcp $HOME_NET any -> [159.65.150.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221445/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_18; classtype:trojan-activity; sid:91221445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"attachmentartikidw.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221443; rev:1;) alert tcp $HOME_NET any -> [8.219.228.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.219.228.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221441; rev:1;) alert tcp $HOME_NET any -> [47.106.235.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221440; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.106.235.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221439; rev:1;) alert tcp $HOME_NET any -> [38.147.171.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221435/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91221435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"twinconstellationjkal.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1221434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"main.young.wo.tc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mandanga.blogdns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91221422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martin.game-server.cc"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcoy.duia.ro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouse986.gnway.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"will.staticcling.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexn.codns.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"tist01.codns.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"selling.staticcling.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverdp2pdowload.cable-modem.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oscarpenelo.synology.me"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onehost.mylftv.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mtmrd10.ddn.net"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updated.homeip.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brhoooma.selfip.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwcn.ssl443.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3gyd.22ip.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brostod.jumpingcrab.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221403/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"061.toh.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"about.info.tm"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aploz.preetycoin.work"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysisnet.twilightparadox.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cz35-gr98tk.is-a-chef.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221408; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fvool.gicp.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gerdab.gotgeeks.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heihei.12sf.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hell010.selfip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkcn77.vicp.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"hp500.spdns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"internet.game-host.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"justme.dyndns-server.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimkardas.eating-organic.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lenny2012.tzo.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lisa.homesecuritypc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1221419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lokia.mine.nu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new.homeip.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nodio.homeip.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google.serveblog.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spamfighter.serveblog.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221387/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91221387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vnc.serveblog.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skyper2.dyndns-free.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kev12.dyndns.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oen20.dyndns.tv"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuhe88.dyndns.tv"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonelove.dnsalias.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homesite.homedns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysis.thaieasydns.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysisupdate.thaieasydns.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1337brocki1337.ath.cx"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"checkwise.ath.cx"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kucingtikus.ath.cx"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pruebasnuevas581.ath.cx"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowws.ath.cx"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winux.ath.cx"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"license-itself.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djouhellh.serveblog.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the.warnet.ignorelist.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesexyone.myvnc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows.myvnc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"natco2.no-ip.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91221364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anasek5.dyndns-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkmulder.dyndns-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratmain.dyndns-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huxx.ftpaccess.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows780.ftpaccess.cc"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boxdmz.freeddns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retretret3.dyndns.dk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guarderia1.mywire.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bartsimpson.ignorelist.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysis.ignorelist.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sidaction.ignorelist.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"systems.ignorelist.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eazy94.myvnc.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giandiep.myvnc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hqn.myvnc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafiaidol.myvnc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skype.myvnc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet83.myvnc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testapp.myvnc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d3wn.gotdns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-s03.serveftp.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91221350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylesasif.serveftp.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"defydestiny.dnsdynamic.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tserver.dnsdynamic.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yemozyno4u.dnsdynamic.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avpp2.strangled.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brosto.strangled.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biforst.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsupdate.dyndns.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdown.dyndns.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llama2.dyndns.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nervkind.dyndns.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stonecold.dyndns.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achref20.no-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marcoshck.no-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"safcb.no-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"babas.ishidden.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysis.ishidden.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysisnet.ishidden.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ishidden.ishidden.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asasasasasas.servemp3.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrome.servemp3.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221329/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91221329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deadzer0.servemp3.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovemhits.servemp3.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"micrsoft.servemp3.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonecc-com127001.servemp3.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1cowsound.mooo.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221323; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fritz123.mooo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgcp.mooo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ligtv.mooo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reene.mooo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221327; rev:1;)
# NOTE(review): the three Cobalt Strike ip:port rules that follow (sids 91221322, 91221321, 91221320)
# match on destination IP and TCP/53 only - no content match and no flow keyword - so even an
# unanswered SYN toward the listed address can fire them; the threshold then caps output at one
# alert per source host per 60 s. That is fine for an indicator, but a scanner or a reused IP will
# trigger too: confirm the address is still live (first_seen 2023_12_17) before turning alert into
# drop. target:src_ip reports the internal host as the victim side, not the C2.
alert tcp $HOME_NET any -> [106.52.251.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221322; rev:1;) alert tcp $HOME_NET any -> [154.88.24.89] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1221321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221321; rev:1;) alert tcp $HOME_NET any -> [210.87.108.237] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moise.bounceme.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myenternet.bounceme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"needhelp.bounceme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nod32system.bounceme.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221318/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91221318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pingme.bounceme.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1997.bounceme.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.servecounterstrike.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crackpick.servehalflife.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eidkleofjglfo.servecounterstrike.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221301; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facbook.servecounterstrike.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"image36.servepics.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keng.servecounterstrike.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malboro.servecounterstrike.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirimati.servepics.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"miropo.servehalflife.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"severcounterstrike.servecounterstrike.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sextacy.servepics.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skry.serveirc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sss.servepics.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"steamshild.serveirc.com"; depth:23; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thanks.servepics.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goex.myq-see.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"safahkarbala.myq-see.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwxx1.myq-see.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaidhak.myq-see.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221298/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahalawa.dyndns.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zezo0o.dyndns.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"83dns.dyndns.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergates.dyndns.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dxfocus.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221286; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmsserver.dyndns.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gameua15.dyndns.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msh-msh.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shakur2.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thexman.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"trx3000.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pchacked.redirectme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taskmgr.redirectme.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thilg.redirectme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vs.redirectme.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fkzkedim.redirectme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1221274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iam.redirectme.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iuheck.redirectme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mediawindows.redirectme.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft32.redirectme.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nc.redirectme.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221279/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91221279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns3.3utilities.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnssync.3utilities.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-update.3utilities.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vista.3utilities.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updatingmsnmessengerw.redirectme.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221269; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gilberelin.publicvm.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmww.publicvm.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oluwalogbon.publicvm.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shkis.publicvm.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"popos.myftp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"s0l1ng3n.myftp.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shiguang77.myftp.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoroo.myftp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irwinner.myftp.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenanazem.myftp.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kilebantick.myftp.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1221255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m00dl3ss.myftp.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muw.myftp.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myftporg.myftp.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nemm.myftp.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onewinged.myftp.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91221260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antivirus.myftp.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackshades.myftp.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzdz.myftp.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fb-net.myftp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacer1.myftp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamaj.myftp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iam.myftp.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221252; rev:1;) alert tcp $HOME_NET any -> [190.232.148.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221245/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91221245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apiedoe.servebeer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blitz.servebeer.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comeon.servebeer.com"; depth:20; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1221237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"durarat.servebeer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faceb00k.servebeer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hannesplease.servebeer.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostnuevo.servebeer.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcclane.servebeer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221242/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system.servebeer.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vir.servebeer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221244; rev:1;) alert tcp $HOME_NET any -> [34.204.194.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1221234/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91221234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"66461.servehttp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aspnet.servehttp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221224; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conhost.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"di-rs.servehttp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dllhost.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haunter.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homeofgod.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ident41.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft11a.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taskmgr.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"transferhost.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dumpsdumps.noip.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guri.noip.me"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jabruslan.noip.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seldos.noip.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agent.serveftp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emulate.serveftp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"netbios.serveftp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91221211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pussy75.serveftp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"site-google.serveftp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svupdate.serveftp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taskmgr.serveftp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trinity.serveftp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowslive.serveftp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winlog.serveftp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"computer1.myftp.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"creed.myftp.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evollutionhack.myftp.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"infect0r.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastercaster.myftp.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mootmitt.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poret2000mo.myftp.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salih199.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shell32dll.myftp.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1221205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vic.myftp.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whybifii.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yellowcybergate.myftp.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"00doom00.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baaaaaaad.myftp.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91221195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bif.myftp.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mediafire.chickenkiller.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poblado.chickenkiller.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sasaze.chickenkiller.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smokie.chickenkiller.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smokie666.chickenkiller.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thecomputerjacka.servegame.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winrarupdate.servegame.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"withoutlimits.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zerocool.servegame.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"anderclas.servegame.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blazed.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielhorus.servegame.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elsantisabe.servegame.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamesgate.servegame.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamesrox.servegame.com"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotmail-enter.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indetectables.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iraese.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johnlockebr.servegame.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kf-ts3.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221180/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221180; rev:1;)
#
# --- Reviewer notes on the DNS-domain signatures below (feed is auto-generated; do not hand-edit rules) ---
#
# Matching: every rule below anchors the full query name with content:"<name>"; depth:<len(name)>; isdataat:!1,relative;
# nocase; i.e. an exact, case-insensitive match of the whole dns_query buffer. A lookup for a subdomain or a
# longer name (e.g. "www." + name, or name + ".example") does NOT match. That is deliberate (low false-positive
# surface); depth values were checked against the name lengths in this block and all agree.
#
# Direction: the header is $HOME_NET any -> $EXTERNAL_NET any. NOTE(review): if the organisation's recursive
# resolver lives inside $HOME_NET, the client -> resolver query stays inside $HOME_NET and will not match here;
# only the resolver's upstream query matches, so target:src_ip then identifies the resolver, not the infected
# client. Confirm resolver placement before relying on src_ip for triage, or mirror these rules with a header
# that covers the internal resolver hop.
#
# Rate: none of these DNS rules carry a threshold keyword, so every matching query raises an alert. If a host
# hammers one of these names, expect one alert per query; tune with threshold.config / suppress keyed by sid
# rather than editing this generated file, because the feed is regenerated and every rule is rev:1.
#
# Provenance: sid is "9" + the ThreatFox IOC id in the reference URL; first_seen is the IOC submission date.
# The names below live under shared dynamic-DNS namespaces (servegame.com, duckdns.org, hopto.org, linkpc.net,
# dyndns.org, sytes.net). Such hostnames can lapse and be re-registered by unrelated parties, so a hit on an
# IOC first seen on 2023-12-17 should be confirmed against the reference URL before response action.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msnliverocker.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mspointgen.servegame.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221182; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pumba123.servegame.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221183; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subzeroz.servegame.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221184; rev:1;)
# duckdns.org hostnames
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zeus666.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endbbevrdm.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galoucura.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackertrap.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intothe.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingspy.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"narutao.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pointblankbrasil.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"videomp4.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abgx.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221160; rev:1;)
# hopto.org hostnames
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suckit.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweatheartloula.hopto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u7.hopto.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x1221.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z19543.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mayday.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokordo.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newplan.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prueba2.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwerty12345.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scuba.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"semah1995.hopto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goog.hopto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"humba234.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keineahungso.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221142; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kurt47.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lal909.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lazer.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luckhacking201zv.hopto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magirock.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alentejowesthost.hopto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anas.hopto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crossfire.hopto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finders.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freefree13.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221139; rev:1;)
# linkpc.net hostnames
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zafer.linkpc.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bacrop1.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camfrog.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docti.linkpc.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enitan.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moh-2014.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newwind.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uske.linkpc.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmark.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221132; rev:1;)
# Note: this one carries the "www." label in the IOC itself, so only the exact "www.charcuterie.linkpc.net" query matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.charcuterie.linkpc.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adeboyeking.linkpc.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antivirus3scan.linkpc.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221124; rev:1;)
# dyndns.org hostnames
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warpilein.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x3r0x3.dyndns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mousething.dyndns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poison1.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retretret.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satstars.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seko1230.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sezaix123.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarekchebbi.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taringon.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thermyte.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fake1993.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdown.dyndns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freecoolstuff.dyndns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggib1.dyndns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homepepe.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaidman.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mekor.dyndns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"missmollymars.dyndns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conhecidos.dyndns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkman2010.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dasgensu.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delikralll.dyndns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"desibeat.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donkey01.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exper.dyndns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f3j.dyndns.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3radic8.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avast5.dyndns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221095; rev:1;)
# sytes.net hostnames
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walido.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windns.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winupd42.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wolfieboy.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiilliix.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xllwilldmllmnllw.sytes.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtaticx.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zigy.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonologirl.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyn3t.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet2.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stmpdwn.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supportservice.sytes.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test-traphier.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"troyanospesao.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update-14.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upedat.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdcasa.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voa.sytes.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ricarditoortiz89.sytes.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roxx.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saskiasommer.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbr100.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silverfuelz.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simpleman.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skatemax.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skyvb.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snayperhost.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snprueba.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loodyhack.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221055; rev:1;)
# (next rule continues in the following chunk of the feed)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence
level: 100%)"; dns_query; content:"lukevaj.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megahac.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moneybiz.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muffinis1337.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myfacebookpic.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"only.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1221061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osna-ware.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poky.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ppa.sytes.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbrasil.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerholodm.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221045/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91221045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamas.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hobbatlibres.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"home22.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ialomita.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jess-gza.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khalid123.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khld.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kpaugu.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"latcha.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fang.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flashplayerupdate.sytes.net"; 
depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fnns.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gerd.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h0st00.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbo-fu.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habboburger.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221040/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbocalle.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbocallejeros.sytes.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker2010.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colombiahack.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crackerzinho.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221025; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crysiss.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybertest.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darck666.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"destroya.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhomix.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"digdag.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efccvoopeer.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elvinybambina.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ataturke.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atoor.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacksnake.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1221016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bocio.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buceta.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bucetahacker.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cbgtime.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chow.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91221021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clean12.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codigohacking.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7896.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"90011.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adobeupdatemanager.sytes.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adres34.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adres35.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afromu.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al7oo0oot.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asser.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yemozyno4real.ddns.net"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youtubedns.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtualnet2484.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vitorgraciano.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viva-la-vida.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vouterektei.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wananas.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wandersongay.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"watchdogsrox.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web2014.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wesleylucasz.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
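classtype:trojan-activity; sid:91221002; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox DNS-domain IoC rules (first_seen 2023_12_17 batch).
#
# Layout fix: Suricata reads one rule per physical line. In the collapsed form
# several rules shared a line, so the text after the first closing ")" made the
# whole line a parse error and none of those rules loaded. Restored one rule per
# line; rule text is otherwise unchanged.
#
# What each rule does:
#   - dns_query; content:"<fqdn>"; depth:N; isdataat:!1,relative; nocase;
#     anchors the pattern at offset 0 of the normalized DNS query name (N is the
#     FQDN length) and requires that no byte follows it, i.e. an exact,
#     case-insensitive match of the whole queried name. Sub-labels such as
#     "a.<fqdn>" or superstrings such as "<fqdn>x" do not match.
#   - sid is 90000000 + the ThreatFox IoC id named in reference:url.
#   - target:src_ip marks the querying host as the affected side in EVE output.
#
# Deployment notes (defender side):
#   - The header $HOME_NET any -> $EXTERNAL_NET any only sees queries that leave
#     $HOME_NET. Where clients resolve through an internal resolver, the
#     client -> resolver leg has a $HOME_NET destination and will not match;
#     tap the resolver's upstream leg or widen the header. Exact behaviour
#     depends on how HOME_NET/EXTERNAL_NET are defined in suricata.yaml.
#   - The names below sit under shared dynamic-DNS zones (ddns.net, zapto.org).
#     The IoC is the full hostname; do not shorten any rule to the parent zone
#     or it will alert on unrelated tenants of the provider.
#   - Unlike ip:port style rules, these carry no threshold, so a host retrying
#     resolution in a loop will raise one alert per query.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwc.ddns.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1221003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91221003; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testedeip1.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testehackernoob.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thzinhacker.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkfxxt.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tr4ne.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trampudo.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"troyanos.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tukojan.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ultimateplay.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sajaaliraqe.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220975; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satellite-5g.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server0221.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shokoladka.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet12345.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssenato.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stackover.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stoptryfindme.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"susandias.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetmoney.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maksoudm.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myslaves.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nacanela123456.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsx.ddns.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220968; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oluwalogbon1100.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patinhosmill.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pelonocu.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porta15963darker.ddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pronet.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"renanss22.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jacthepr0.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"javaupdate.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesusct944.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"justinqewe.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karalho122.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laurentayat.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkss.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lokimaster.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frostziniss.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fucklife.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gameonline.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackclock.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackius2018.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamoodie.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hienalouca.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hu3darua.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isaac69.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crocrocro35.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergot1.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddnshost1dll.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diogorlrlrl.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disagne.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"draymfrdaym.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fakhorg.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firerat17.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freevendedor.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adrian15.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymosvqv.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arslanahmedawan.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assistitvonline24.ddns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bennoii01.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukin1928.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bw000.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chickendipper.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuckymauuzz.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crocro.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3333123.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adana01l.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luppycraft.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razodroid.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoota.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madra.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamesrat.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hazemmatrix.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bluewolf2.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyber2.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tudasuda.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datonflans.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aguto.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannotseeme.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medievalscape.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glass-best.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logotroncyber.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flaboyserver.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzrocks.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazuoon.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azweb.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midogalaxy.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hnp872806.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merosh.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saba3nee.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolwut1337.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamzawe.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fir3wall.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipconfig1.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bluelightning.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkashnkjcl.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"findlink.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subblaze.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lastrat.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zlmreis.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerdgn.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kievrada2.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lule16.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"black-cat.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lov3nj0y.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a7mad.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dj-ich3ab.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quienyo.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"perrillin11.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieplore.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220883/; 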
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"everythinglol69.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ir0kz.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"short-tar.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codr00t.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stopwar.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220888; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zabi0007.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hysoka.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waham1405.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hint.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shouky34.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"danielinciarte.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fars00.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"calabassas.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoulou.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolo4ever.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"julienbb.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1220863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lebano.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jayden1213.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badmalik.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwaszx.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamadi007.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220868/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servinpetraca.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retrohost.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cekmeol.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rappelz2.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tou3ban.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"konamus.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastersusesuse.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divinescape.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"annonymous007.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokordo.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ratattack.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zapateroteta.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ou.zapto.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brutalchaos.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"celsodns.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacksky.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cehennem93.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shehapbakkar2.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"checkwise.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dem0nic.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"astora.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filas0.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaizuma911.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pga.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30hack300.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fadimetal.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kodjiz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastermind.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojanx.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jajeji.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masashi55.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kursat205.zapto.org"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djohacker.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sniperssss.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadanada.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myahadnan1.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shinedown.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220835/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noiphacker1.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakpro83.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edis22.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poison.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soso1990h.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220822; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plsbest.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9zzz6.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minecraft76.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khdt.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fei-coder.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yheya.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"julijan13.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sliggywag.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gate5.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"please23.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cupidon.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runescapewow.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mranarchist11.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notegraw.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x4k0s.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thala.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stunning1.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bifsurf.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venom123.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gul.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jokerhackerbad.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johaker.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medoseleman.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pizdes.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateratvirus.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bubloomg.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allanpb.zapto.org"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pertenemene.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyber102.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"re0rganize.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sixcore.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enigmahack.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220781/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yas-sir.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adeboyeking.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paradine.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pradous.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gatassexys.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220786; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unclewong.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarahlove.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zen-boss.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jheqill.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muahhahahahxfsafsa.zapto.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"mamamia.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat999999.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimnet.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oussam007.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geridondum.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venecos.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1220778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"explorers.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns1234.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victim111.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"black-blood.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m3xy01337.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220766/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxsxx.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bshades.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onetwothree.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boosiebadazz.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rap007.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberjack.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kdrcn.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jemre.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bruninha.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yobyobx.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afterlive.zapto.org"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melodicity.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reder123.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ryl2brasil.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninja007.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibrahacker.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220747/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interbarcellona.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"googleupdate.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooomyo.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"introworld.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rafon.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91220752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahdis91.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khdt1.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nortiux.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jetfadil.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akooos-hakr.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"togastand.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keklik.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gittua.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerthiago.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"margaretmm.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aldkffd.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1220745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakdon.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thebigmisterio.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mstlj.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infordc.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"younesstop1.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220730/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91220730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"byali.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thebest10.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serkan58.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camfrog-ir.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memet1.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rost.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerulubey.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"123navy.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zatoor.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yasr-q4.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rakibalikayvalik.zapto.org"; 
depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackrhackromar.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faisal.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danaibrahim.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0027.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neon2.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220708/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shldanz.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexpistolstr.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"01526523328.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suzzidantas.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrigel.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91220713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andreas1222.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yobex.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dimkinfunnypics.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"choripan.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testman3000.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"rahmale.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ehack.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dunggttn.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d-zk.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"btcminer.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wa3r.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1220706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yassonee.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fernandoap.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hatimx.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teresa489.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbh9.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220692/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"denemetest.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a7med.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epill.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liiion333.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hero00.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yokki14.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"genjuro.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratxlsk.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usset.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llooll.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mn8ar.zapto.org"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thegrifi2.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmm661.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sf3.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tanne0214.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walid893w.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220673/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haha2424.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walidoo.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatehacking.zapto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybgrat.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyloser.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220678; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasim1371.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newnewnewdslnew.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rami153.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roro3696.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parfumerus.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"alnajjar1.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ajeeb.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agnieszkabus.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noiphackrroro.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"title.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ready4u.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcowmln.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielbezman.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koreanelite.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ativa.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cobra-viris.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saberalhabbash.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orc.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zikanzikanzikan123.zapto.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inextremi5.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poizdes.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idcaboutallshit.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firfir.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ak474.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolohost1.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexsoftpro.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"testandohacker.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clippico.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c0mrade.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esmer1.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"failsafe.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddiimmaa.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pythorat.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy-booster.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hatimnabil.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usher.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamzabejaoui.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rylbr.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jozefmim-dz.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esta.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as2622.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docdoc.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"shoaib381.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bymustihacker.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axweb.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnabe.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisistheway.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bywelat.zapto.org"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"netsp.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rulin.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgh.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ja3fer007.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alevkaya.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220616/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mx3x3.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"siber.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smellyass.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"root33.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haked2020.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r051.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccpassc.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gordolfo.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crymevip.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emperors1995.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"silviasaint.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gu3st-x.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybing.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thomsonportatil.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenanazem.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekkx.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oladhk.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gabrieltoro.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackrm3arek.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tester58294304.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gorgantum.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"denis77.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wolver.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"besirevic91.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rima2.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vgamez.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"anonsecreto.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azo0oz20100.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imw4rlock.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd8d819sika.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamadaosa.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkhack.zapto.org"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack02.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mishack.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mulenrug.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funkrio.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serpent-kobra.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220581/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nikname2011.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"playboy.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camfrog-2r9.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prixe.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x3r0x3.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220572; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliawais.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yemen.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragou.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xnt.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackhack.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ze-hack3r.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaneeq.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trolli.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberaperture.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cabrakan.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lopo88.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vacamea.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zopto.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liarhack.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ossama-hacker.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jurizaran0ff.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1s1s1.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bengt1337.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldworld.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chik101.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ovadiayosef.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacknose.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o511.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elebrecht.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kazj.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o000l.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mn123.zapto.org"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camelpc.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"explorer75.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marinecorps.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohsine-b.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abade2009.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220515/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"118host.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divinitycheatz.no-ip.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasoon999000.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zif.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadjafatic.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220520; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glegle.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haveckay.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8noseqwa.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woahmanfirst.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastergreen2011.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"sofnetmayn.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakan.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymous.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwqwqwqwqw.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mengo2.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fakerr24.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1220531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xs2.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camfrog-iq.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexalex.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbohacking.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elquesapemucho.no-ip.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220536/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91220536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kelvincybergate.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d9g.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xs7.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toto2.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdh.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curtsom.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andrei.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ypovrixios.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xsasax.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"horse3400.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8s4.no-ip.info"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker09.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"timdaly.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noales.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gyt09.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ireformedi.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220479/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xr4.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foda.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcomet321.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwpiratesonline.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamed11.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91220484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startserver.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdance.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28r.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkr07.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boschips.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"cybercress.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shark5.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkdns.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zz9.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbarous14.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kalamkkasarny.no-ip.info"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"six17.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thanh1590.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"letsgoboom.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snake777.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodgamelol.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220500/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcenes78.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack4imvu.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotgirl.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xf.no-ip.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pontocomminas.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220505; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-maxim.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ma2000.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkiller.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chabchoub.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runadmin.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"catchme.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legnalive.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedsyq.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silverfuelz.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxmxx.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramos-10.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1220438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azooz-hackr.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack4ps.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasan.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muawayspy.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khalid.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220443/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirrabo.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpmelol.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skypekhasssn128.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratoslovaque.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s8g.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youfail.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shokoladka.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacking-gp.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s0litude.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servercrypt.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"twoshank.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aganaking.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saltar.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohdlom.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bif5.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z2a.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spraslhivai.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sprite089.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutesweet.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7noseqwa.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"immigration.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220464/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexx.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberanton.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bacrop.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spidrman.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chatthas.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h1n1hack.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miwebhost.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberserver.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m2p.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w2w.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdown.no-ip.info"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovemessy.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adelfbi.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faresm.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chonchonito.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loveu.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220403/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"india.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tiakachai.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcika.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzxdz.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfisthebest.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220408; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sa3eka86.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bluffer.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5noseqwa.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spark1929.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"il0vey0u.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"merabti01.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fros.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m1e.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x2xmsf.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powerpc.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwe.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elstar.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rndaso.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hichambak30.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"100love.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosagal.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexwele.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autoswitcherpro.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gua.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambition.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amjd.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stephack5.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkk1.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"98z.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"game-play.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elyess-fenni.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freshfire.no-ip.info"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virus00.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahoo.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syronik.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberbroken.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"back2life.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220364/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ppyfdxa.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"za3bour.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skorehaclol.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proratip.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonimous.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220369; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runeo.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackermibb.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skynetfreedom.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aussillon.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botbot.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"fun420.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gavitt1.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"risegr.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmwm311.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"musexu.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w906w.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b60p.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satzbeiber.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sargent11.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minipepitoo.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacked13.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taco00.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avastupdat.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbk123.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"titi78340.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaaaaaaaa.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"del.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unavailable.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t-system.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6noseqwa.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wemersawy.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"aboodhacker511.no-ip.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wormboy.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0wned1337.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd505.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbi177.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahboul10.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhhhhhhh.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad-spot.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n4p2.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suchthefool.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gardel73.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenanazem.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"18abril2011.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basouma.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewf.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shooterclub.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiggleswins.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devpoint.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"macaracar40.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tnwrestler.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abcserver.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"khaled9879.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inject.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fireskull.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w0rm.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mitramitraam1.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"souhilo05.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d12.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krkrme.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasper-s1.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigxan.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilikedicksinmyass.no-ip.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maom23.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ee41.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j230uy.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thorsss.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-updater.no-ip.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sami-d880.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servertest.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z8w.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angkung-spy.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hurt2101.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svanskivar.no-ip.info"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cell10.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wifesex.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rpcodec.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soulchecker.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"algoker2.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220320/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenn.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"argentina24.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nego564.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor50.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ziddi-rajput.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220300; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hyper99.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elmundo.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vitimas888.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supermetroid2015.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securenetworks.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"n0tkrozo.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conquer1000.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adilhacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdown.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"342223rr.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"americo5.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1220311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alfa252.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigsmoke.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binladen1337.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downsppp.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tony157.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220262/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadamzadam.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joker1.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lanzer.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zequekubr.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"difusao.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haythamn.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meddiahh.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aimenutchiwa2.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copiador.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gchacker.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ddeivson.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erdavidesent.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data22.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoocking.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unknownone.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dudu2011.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfruud.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devil-joker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winx32updateserver.no-ip.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofcorp.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grifter.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x4x-iq.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bulletxxx.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1991.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samantabreder.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipthailand1.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johngb.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafia007.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juninhocaoiohacker.no-ip.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuckyouspy.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedhamdy.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mstbkyeni2.no-ip.org"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pakistani.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"di4blo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guerreiroghost.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vitima002.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewjll1.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220223/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arankarus.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cometidoh.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pandirat.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackrevo.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system32bits.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91220228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facebook-visitors.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"narutohacker181.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felipe123.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mylifemylife.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rafaelsilva121.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"user45234.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gandanoia.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olegqg.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chocolaterain.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunsiano-server.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no-ip7000.no-ip.org"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostbooter2011.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feanor84.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juegosbuenos.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toto44.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lcssh.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220244/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synopsys.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khabab.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"videotutorial.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikhackjou.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leeosz.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220249; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-ki.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayress.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvdymgb.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolinha130.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lumilagro.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"lordinsane.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3fight.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superlol.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate1997.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafija.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbvictimas.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1220183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pommier85.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate15.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojand.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foxbank7.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teeheeftw.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220188/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thebaste98.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xadrez.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domo123.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the-diego.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scorpiona.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bernardo10.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows2010-linux.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikechitto.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morenaa.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panteacristi.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"madmanip.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cwaraxis.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker2kech.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stefancar.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esynico.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadikovskiller.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamer9090.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers1337x.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wedsonsilva.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2022rf.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raidenhack.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daknobvuln.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omexi.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deluxhackes.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drzlzal.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"privaterat.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"in-look.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220215; rev:1;)
# --- Batch: no-ip.org dynamic-DNS C2 hostnames, all first_seen 2023_12_17 ---
# Every rule in this run is the same template; only the queried name, its length
# (depth) and the ThreatFox IOC id differ (sid = "9" + IOC id, rev:1). The file is a
# generated feed export: do not hand-edit or renumber rules here, tune locally with
# threshold.config / suppress entries instead.
# How the match works: dns_query + content + depth:<len> anchors the name at the start
# of the query buffer and isdataat:!1,relative requires no byte after it, so each rule
# is an exact (nocase) match on the full queried name. A prefixed label such as
# www.<name>.no-ip.org, or a lookup of the parent no-ip.org, does not fire these rules.
# Triage caveats: the rule sees only the DNS lookup, not a response or an established
# session; there is no threshold/detection_filter on these rules, so a host that keeps
# re-resolving a name alerts on every query; and "confidence level: 100%" is the
# submitter's rating at first_seen - dynamic-DNS labels can be released and re-registered
# by unrelated users, so validate a hit before turning any of these names into a block.
# target:src_ip marks the querying host as the affected side. IOC ids in this span are
# not monotonic (..220 -> ..143, ..181 -> ..103, ..142 -> ..065); sids stay unique.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"business71.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drakerizz.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pannter1507.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lance11111.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skymodz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220220; rev:1;)
# IOC id sequence restarts here: 1220143 - 1220181 follow.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pctool.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220143; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"textefeliz.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220144; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xuxuzinho.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theprocs.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nostra.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220147; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerjj.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tr1umzhacker.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220149; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"painkiller142.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edds.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prohackerhacker.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nomanvirus.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbarela.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkmarc.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eddreerf.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blueivy2004.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paulo4i20.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novatto.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220159; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouse123w.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inf4ntil.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220161; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psychotoxic.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220162; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morenadanadinha19.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220163; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venox.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220164; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack123.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prototypevirus.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devcoder.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elbutanero2009.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yogeneral.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"detallado.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ultimade.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aronzika.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saqartvelo.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spycronicjn.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220174; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alrewesh3.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minkie.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grimfuck.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220177; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aidemu-virus.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220178; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hechizad0.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pswnio.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corregedoria.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220181; rev:1;)
# IOC id sequence restarts here: 1220103 - 1220142 follow.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naixem.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toninho157.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoor.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsrasta.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiltoncoimbra.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kebapattack.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220108; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleacc32.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sikira.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invassao.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pilongas.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackedmate54.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"babajee.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220114; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lejyon1537.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnetdarh1.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kralcoder.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220117; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spycronic2012.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtakafa99.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"judas100.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navjot1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacktivist.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"091220110003.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoota.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eminem1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erdem34.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrsmoke.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n00tkrozo.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d3c0t4g.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pedologiciel.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elbutanero2012.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oboty.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aland22.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dansla.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gl.no-ip.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q1w2e3r4.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetfud.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loardering.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monkydluffy.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverpassw.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demolidor22.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220141; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucaskiller01.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220142; rev:1;)
# IOC id sequence restarts here: 1220065 onward follow.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvpgothic.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"celsodns.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mawk.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"massmail11.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abrindoportas.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ownyou78.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3r9-99.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"streetking.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nelsoon.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuckoff1.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mh47.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cattzzz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p0is0n.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mojrem.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igotchurawrlol.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojan49.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaara.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisishost.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alieisa.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"untraceability.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jemali.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duquesr.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lcode.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scopelitist.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbfm.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sombra777.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adelson3x.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackermanias.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"27junio2011.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karazt.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evair.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragaginda.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accored92.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heroin-87.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biscoitorecheado.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v4-team.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkanadolu.no-ip.org"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetgilrs.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habboemblemas.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomatomaya.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vallecascity.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magnetoh4cker.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dehzcker.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"111220402011.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarik775.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eduhsixx3.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felipecalais2009.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220034/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91220034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bommbum.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grup-yanlizz.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambipon.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadokbest.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"explorers.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fabots.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vipc2.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coquetelmoltof.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgdevils44.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synbx.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miki0105.no-ip.org"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lanetlidost3131.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wdd3any-hacker.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxxhkr.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackwood.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miserverspynet.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maaxhak.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bruxinhorat.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elvergomez.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brasilhost.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsuname157.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teclivex.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catxxx.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sub-zero88.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratakike.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambotv18.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roko84.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finnrunzthis.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marcos157.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coded34.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vyrezrat.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spydofus.no-ip.org"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neon01.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aequitas1337.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"di4blobl4ck.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fyib.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h33t.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219995/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dexterandnexter01.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsshieldd2.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awsomehacks21.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"don31.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviciobif.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220000; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frankrat.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y3r0nny.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intercenter.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redeflv.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nou.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ufc.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasan331.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"airhunter.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilyasdx.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jok3r-game.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alejitos.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1220011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vitlop.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sizehacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magux.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codandchips.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkojancaraio.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91220016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niketamere.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jechercheuntruc.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emine.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doido1500.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coursework.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sophies3.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svschost.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newrotdll.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theshow.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1220025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91220025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kangoo1958.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerjoka.no-ip.org"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estudos.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaxxtre.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muawayeu.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trevorit3.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bard5.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219960/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luctesting.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjrn.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joaotwd.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m79w.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wicked4343.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219965; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayhaaa.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santos1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tntgody.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simo307.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stehulme.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"chaveshk.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbchorizo.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogait.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ha17mada.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerkevin.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackmail.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djzel.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maniac666.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dondns.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdt-operador.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kanani.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostjack.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nexou7.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"longinos000.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerdecontas.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackergood.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rafa0800.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nofldead.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zohaibbutt.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maistro.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haitham98xzx98zaid.no-ip.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nitrohacker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coyotte760000.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staezx.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coringalouco.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sougostoso.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bossy.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameer.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipsx.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"steup.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panico171.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wfghkl.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qarushtk.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobox1983.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chacabug.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sensiseeds.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed1992ahmed.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skynetglados.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imane13.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ohmygod.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myratloldie.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zengiscar3.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kostik.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discadaaff.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leofelevil.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nador.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bard6.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mk35.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"by-brunix.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anaconda32.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkstealer.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sabre2ut.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hosted22.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akv007.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amin1111.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orlokehh.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vayamonstro.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratrat.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"destemido222.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brunitim.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leofelvoltou.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xanonimohp.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dipzshhits.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfre22.no-ip.org"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dennyhacker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"compartilhar.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xvx.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coded54.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rickards.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219890/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aatim.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franklin0000.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penesviolentos.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d4rkscript3r.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ovatsug.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219895; rev:1;) 
# NOTE(review): each rule in this run matches one exact hostname under the
# no-ip.org dynamic-DNS domain in the DNS query: content + depth equal to the
# name length + isdataat:!1,relative + nocase => whole-name, case-insensitive
# match, nothing broader. There is no threshold, so every lookup from
# $HOME_NET raises an alert, and target:src_ip marks the querying host as the
# victim side. A DNS query shows an attempt to resolve the name, not a
# completed C2 session, and no-ip.org labels are presumably free dynamic-DNS
# names that can lapse and be re-registered by unrelated users — confirm
# before blocking. confidence_level 100 / first_seen 2023_12_17 is the
# ThreatFox submitter's assessment at submission time, not a liveness check.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onemore-cy.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldenpearl.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pexe.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svv9.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melissa2011.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"spynetshadow.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assasin4i20.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manos364.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infecta.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jimmytest123.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy-nets.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1219906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fridakahio.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svhosts7.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gabrielpvh007.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gabriel.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aansteker.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219911/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91219911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ridooo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santacruz28.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"33712269.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mefumounpurito.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dannyn.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sistematryo2012.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmawk.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackeruseroovoo.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riskygambler.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djk1k3.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"pking-souls.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zgnoip.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kirschbom.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacking2020.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data33.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ali0.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxcc.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soyuncrack.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"granit727.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thewhitewox.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zelis.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojan5.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thejoker222.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boucraa.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackergangst.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymine.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rare1.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-simoo.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cabaldns.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sogoodfr.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dark-sircharly.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thiagosoldier452.no-ip.org"; 
depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syrianohacker.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thiaguitorox.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sory.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojanfernando.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asade.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219872/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plow.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"murationline.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mineiiroinfecty.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xboxfreak.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esqueci.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91219877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackpaka.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dangeradminhacker.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bichler.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spectrun2008.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quaresma.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"antivirus1scan.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maraki1989.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asignedassassin.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testmehdi.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msnmsgrftp.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cool003.no-ip.org"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msmst.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wjwj.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xradar.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lokao.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juansantana.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219816/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hayzydarkcometrat.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymous07.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janvip.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"renatomandabemrs.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219821; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inesjarraya.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anthony2901.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6077host.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirelly27.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youtubeproblema.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"hackerlucas.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abou-fares.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toni2011.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pringao.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sperrowh.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdeds.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1219832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedaloodak.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"europ.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ail313.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crakerneobot.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pega.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huntercyber.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"denemee.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soufianecasa.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currentname.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"susyx85.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wr6h.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tangula.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infeccioneszc.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gizmofreak.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baytanada.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberarab.no-ip.org"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eduhsixx.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"willianjjj.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cccqq2ccc.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smartestone.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaioanesio123.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219775/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackedspy-net.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yah-crackers.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teddeyhost.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virus-xp.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funds-corp.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91219780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-treme.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jorge-canteros.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"munakiller.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ainab.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyusers.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"saber1.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhawyd.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfrreaccountsnew.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pipo21.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nel1.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balacousinous.no-ip.org"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thiagomaior.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetserveret.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rmdan90.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateanonym.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woti.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219796/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gp1990.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fathack.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackzak.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovejana.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttttt.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219724; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"737ngx.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"schr1psy.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hahaha12.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jilsonjilson.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diegojda.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"leoefelvoltou.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"revobrasilia.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delzinho.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manouche.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbo-mawer.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacke.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lalala.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"levent0119.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magaiver2.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symeon3melrich.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fb1.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dodykaedro.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patatasyqueso.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haccker123spyone.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetpbxd.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sever21.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silentx7.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkojanmortal.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aulas2012.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joel.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rickroll2012.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linep.no-ip.org"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zapatista.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sabido.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"braveturk57.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers11.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chapolinsbt.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219756/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meindertdijkgraaf.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loucao22.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"relow.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guinaa5.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peleioi.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219761; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redisson.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooll.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dinoss.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"managermagic.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new-hacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"nanoxa.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azerty28.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giovanih1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerfrench95160.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snowfox64.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocuk.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1219696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stanleyss.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marakimc.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldte.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mozilla309.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxzero86.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219701/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91219701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleezica.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgfl3322.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spybet.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wahmii.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imbaah.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amgip.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conections2012.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweet5.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cobaiu.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ldiosfenix.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spypa.no-ip.org"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"32482333.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shootersiker.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xvtrin.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refended1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joaolino.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219717/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drhasoon.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suricatotrojan.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kksretrohotel.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juliosouza.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getbreached.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91219722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tehunseen.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dewilarasati.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newone.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clientzip.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7zn12sh.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"comptessaie.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testos.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahuljamui.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdnet.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colorusa.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alkatrazx.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1219657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amacamhensem.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkladze.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"destroypc.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackermu2011.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m-1992.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219662/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91219662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifucksyoudog.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetcy.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bygarip.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d123.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maique.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayoubeuro.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j230uy.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkrguide.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tupapa1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6non-alhkrge.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uhbhckd.no-ip.org"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb-25cdd2c5.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackx9.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"etakstata.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serpent.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkloldie.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219678/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brutushacker2013.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyhacking.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muhammed999.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zgr-99.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raaboo00.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91219683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberoot.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zemapt.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kanabis-projects.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kurt26.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kalakas.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"sh2y.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"44u.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torreamare.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xupetinha15.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wow123.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rams3s.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1219617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yuribalz1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratsout.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frankspecht.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dffh.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"putitas.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219622/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91219622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bshades95.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dofusxdxd.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piazinho123.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decalag.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dallouldali.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teeus-anonymous.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"combatarmas.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melvin.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"electric84.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker-157.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"victim001.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greybot.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wendelandrade.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carlottiii.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolacharada.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hancook.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teemy.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arhackbe.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hydrahacker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"painkillerdarkness.no-ip.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alialwani.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nico40567hack.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iraq1234.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomata.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nogdr.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bladez654321.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djaanie123.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cjbr.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"160120120732.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nilsio.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mertc.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okz.no-ip.org"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juninpc.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panik0.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devastor50.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackex9.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautybiz.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219583/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofpc.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noxiousleet.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goku007.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muawayhackerteam.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerseal.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219588; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alucardcybergate.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"regis1007.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mercerx.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mozmoz911.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elpana.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"sheppodoes.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"burkinahack.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asushack9424.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alessiocitt84.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v1rtu4lz.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danny1680.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1219599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solosavoia.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aspireprueba.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testzigui.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostype.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"everydaypcrepair.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219604/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91219604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vicky241.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker-evo.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxgmo.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrelems.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateratcam.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219535; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milktoddy.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atiradoresdeelite.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reylocoip.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yal5bal.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bananachickens.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"xzx2010.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pesadelo.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frostyrats.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterhacker.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canssss.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y7lmon.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219546; rev:1;)
# Review notes for the DNS-query IOC rules that follow (ThreatFox feed, all first_seen 2023_12_17):
# - Each rule is anchored to the exact queried name: `depth` equals the length of the
#   `content` string and `isdataat:!1,relative` rejects any trailing byte, so a query for
#   "foo.<name>" or "<name>.something" does NOT match. `nocase` makes the comparison
#   case-insensitive (DNS names are case-insensitive; some resolvers randomise case).
#   Precision over recall is intentional; widen deliberately if you need subdomain coverage.
# - Direction is $HOME_NET -> $EXTERNAL_NET on the dns app-layer. If clients resolve through
#   an internal resolver that sits inside $HOME_NET, the client's query never crosses that
#   boundary; the rule fires (if at all) on the resolver's upstream query, and `target:src_ip`
#   then names the resolver, not the infected host. Correlate with resolver query logs.
# - No `threshold` is set on these DNS rules, so every matching query alerts. Expect bursts
#   from retry / TTL-expiry behaviour; tune via threshold.config rather than editing the feed.
# - All names here are dynamic-DNS hostnames under no-ip.org / no-ip.biz. Such names can
#   change hands after the IOC was recorded, so before acting on a hit check the current
#   entry at the rule's `reference:url`. In every rule visible here sid = "9" + ThreatFox IOC
#   id (e.g. sid:91219547 -> ioc/1219547), which makes the lookup mechanical.
# - SIDs are NOT monotonic in this file (91219499 follows 91219571, 91219452 follows 91219498),
#   so do not suppress or threshold by assumed contiguous sid ranges.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdtv.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galo111.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexbastie.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jul113.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vitimas321.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sku2du.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcum.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moadmed-max.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerdr.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nataliem.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expst.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pedrologue.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dakneeul.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guitarhero5.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tjejporr.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aistarli-hacker.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerms.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kakami.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bla4kra1n.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingcobra.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeyourmom.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m6hbl.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bata.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copagold214.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjunior.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karuna.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bxavier.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the-mayhen.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratadanet.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coder1221.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xltb.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberrat.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcclance.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cafeteros.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servertrojan11.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faraonkiller1.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kovolamateam.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"labys.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crown6000.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wilsito2011.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaboomm.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faroukmcee.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogipza.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stabillo.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybertroyan.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muzdarip.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6666.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vidaltower.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joabexd.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noobfruit.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jack-12.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sucamilla.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evlat26.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninga-japan.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkinq19.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-unkown999.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sodaraproba.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no2kingstar.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andiroba.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ay0b.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8mo9hq8.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shark-tchingo.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahjoderahoijo.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almoslhi.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shniwel.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin20.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daly00.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onski123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uomoombra.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olliih.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megahack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcangelx5.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bouchra.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x7c.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saleh1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rojoloco47.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demonio17.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anibus2342.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naif-nawaf.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sh3h7ad.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aznqmamrat.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antalya-comet.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuki1997.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hnokna.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinghacked.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jojojojo666.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxhackerxxx.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kirliisler001.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uploadedlzipzapdo.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zorra.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tijiti.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrayoub.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"createhack.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pornflakes1338.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markz98.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mot8hr.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pr00-x.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisismine.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cicick.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itdoesnotmatter.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voix22.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vikiscape.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasn12.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakdu631.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostmaster1337.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"222www.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eix.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaqoob12.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takutaku1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hooon123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ko4258.no-ip.biz"; depth:16; fast_pattern;
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srcdsremote.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rayku.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anmarie0811.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baocaosu.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demonedscape.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219420/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dingdong.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwerty12345.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftupdater.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capitanroot12.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darknighthacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219425; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c-302.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizardry.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birlesiksuclar.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dotking.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w3edstar.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"fdphackzikasz.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chocolate.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtualhacker.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"87x.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"losdelsur.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intel2.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1219436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jpb.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mony.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjfears1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swoom.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"20835230.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybersecks.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theowner123.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lisasamir.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"issam95.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porti21.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psdkpsdk.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catchmeifucan.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wildcard.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test011.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silent-hilll.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrdemonlord.no-ip.biz"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakar.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salah.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spreadservice.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h4mmerh4rt.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbp2012.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219380/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lieees.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tebib1984.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafiadu48.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"creatorsrat.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbatata.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219385; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikvhack.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"example-hacks.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meshalmshal.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klarkai.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"girl2woman.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"cyberkiller.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thanksnospam.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kevin09.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akri3333.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koko5.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrex-host.no-ip.biz"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moon25.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkcmd.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alkaser144.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moi1000.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rapphykravmaga.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219401/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felipe123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"istardust.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexxpower.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youowned.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klashnkof.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219406; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nos123mat.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petero.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahteraf.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaspersky.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"romeoooo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wannn.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h4m3l.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybermy5.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erogo93.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx6n.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"princ3.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loveerrorrr.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikude7.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gat0.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ripper47.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed1111.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ivandrago.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panulayhosting.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"king120.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"35k.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xavi6.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youratted.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmidahacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shadowplayer.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djo11.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shahin7777.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leo-punisher.no-ip.biz"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bugos.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"19216811.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seen7zeen.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftptrojanconecta123.no-ip.biz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robiip.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219362/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dahmani.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbc12345.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rotasizkptn2.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed9099.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volagon.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219367; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rush95.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pardo123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youssie.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joeweezy.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marutza07.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"evil1.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyderspy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carbonratv2.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jarjeer.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"511s.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibibik.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpn9.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clx.me.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kalakin.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdrahim900.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doris112.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bycml.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"semihhh.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0r3v3r21.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"king711.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remote.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"hotjohncool.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spoiler.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihateyou.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lassekongo.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spymahsen.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coldkiller.no-ip.biz"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shadow1dark.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gassper.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bagir.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker-xman.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bad-girl.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219323/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omarion.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anthrax010.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saleem.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"programmerz.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ungc.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219328; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kakaka22.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"burncs.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzko.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chibo7.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angham.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"progta.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arminarmin.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trottel1234.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"repuhlsive.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"black-angel.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erence21.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rshrs.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ladrao.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l3z-kech.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoglala02.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zenovia.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dspw.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lauraz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bodom-kid.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yesno.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooom111.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"slprofessional.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masaki.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssxx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarek-hacker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gnevion.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sha6h20120.no-ip.biz"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nosabine.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evlat.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gdog333.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lord00008.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed-kpz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219285/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sey69.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaza73.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chericherif.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rlndeep8.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epictesting.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219290; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mykatliam.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"becha.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twiti239.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"junaid114.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a9f0.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"joneco11.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lodr007.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caylak.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hichamreal198.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesmona.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raiz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"creepaownz.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paroxysmmm.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forcerx.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imustkeylog.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtheravenx.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahacker.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttnet-smile.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zombica.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aorarmzii.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hippo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citoshd.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milleniumdbate.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kendero.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z1l.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l2sombrios.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arturasd.no-ip.biz"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victimasrenzo123.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cab1995cab.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsfa7-joordan.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"casawn.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superhilaly1.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219244/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neruel.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eman9020.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lahore786.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drissxxboost.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sa3eed.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219249; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liber.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v9b.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nkg.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assiot.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3xch4ng3.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"adilrana.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-jnoon.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzxcascse333wqwe2.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pola.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patron12.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kayiiiit.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salahtimes2.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ch001.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sniper-hack.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"power2142.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doido1500.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thecaosmaster.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouss2525.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrdemon34.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mooreyy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealtre.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkhkhk.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatehost1337.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emre33800.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buenasondas.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farrousafm.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gokusdog.no-ip.biz"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daimmahroom.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spider2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adelal3nzi.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack-k.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy17.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219201/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madrereaper.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuklovod.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"revolutionhacker.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cazador2000.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"siklis5.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91219206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forthev13.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minds5558.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homealone.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mixbyte242.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"log2.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"admbruno.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smartkhanjee.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bulent2004.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syric.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m5dorishe.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdaa.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1219217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtek700.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garrudowolf.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliaaalaaali.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midox-wac.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberwolrd.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219142/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91219142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"choclata88.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legolas8.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nlive.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xzxjesperxzx.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abady07.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikweet.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spycronic157.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dancingbear.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kokoeg.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marutza09.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"med99.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarik-siker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caponi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meagainsttheworld.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avraly00sec01.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voinmraka.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3le123.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hugui-201181.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gallent.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lordhacker09.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaaskop.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rex32.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"looost.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwakpeyek.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metaflz027.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jailbreakem.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karitano.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rsauthrat.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nassreddine1b29.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lahmazy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barthsss.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albo.no-ip.biz"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seize.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"germany.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moi1100.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"essam-siko.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zgzag.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219179/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirzajatt.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c0r1ng4.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"th3w1zard1.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faycel23kbb.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dardesh.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219101; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyghost01.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahatsha3r.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qatee.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l1f3hacking.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tehown0.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"3fight59.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ua07amir3.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marutza08.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priapunyaselera.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"debili39.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdouthief.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1219112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facebookchibai.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"besstforever.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deltafaisca.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achref5930.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aljmahoo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219117/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91219117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crinnack2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gatehost.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monkeybreak.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"towards.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thirumullai.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219122; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyber1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zebzebzeb9.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erence.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker012088.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cihan.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"zaferayyas.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219128; rev:1;)
#
# --- Reviewer notes on the DNS rules in this section (ThreatFox IOC ids 1219129-1219140, 1219021-1219098, 1218981-1218995) ---
#
# Match semantics: every rule anchors its literal at the start of the DNS query name
# (depth equals the literal's byte length) and rejects any trailing bytes
# (isdataat:!1,relative), so only the exact hostname matches, case-insensitively (nocase).
# A longer name that merely contains the literal ("www.<host>", "<host>.example") does
# not fire these rules.
#
# Direction: $HOME_NET any -> $EXTERNAL_NET any only inspects DNS requests that leave the
# home network. If endpoints resolve through a resolver that is itself inside $HOME_NET,
# the client's own query is not matched by these rules; what fires, if anything, is the
# resolver's upstream lookup, and target:src_ip then names the resolver rather than the
# infected host. Confirm the resolver topology before using the target field for triage
# or for any automated blocking.
#
# Data quality: every entry in this section is a dynamic-DNS (no-ip.biz) hostname with
# first_seen 2023_12_17. Hostnames of this kind can lapse and be re-registered by
# unrelated parties, so treat a hit as a lead and verify it against the referenced
# ThreatFox entry before acting on it. These rules carry no threshold, so each matching
# query produces its own alert.
#
# Identifiers: sid is the digit 9 followed by the ThreatFox IOC id that appears in the
# reference URL, which is where the IOC's malware attribution and reporter are recorded.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiimozahacer.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dargstar.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stickker.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x33.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekisamja.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"choha.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219134; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hardick.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dominance.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219136; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warrior0007.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"josephno.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219138; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clancss.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219139; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ixam.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219140; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sifreciler.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kakah.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esam3at.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmddesai08.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"insalahstar.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberonic.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brutik.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zarko01.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"343.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymofdp.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcomet9911.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nachorulea.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxxz122.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitman54.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iflynn.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connorb93.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momohe.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njdevil900.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate1333.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glider.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zonz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuentasdesbaneadas.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buzzbozzy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiz80.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awesomedancer.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rabatrix.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"police69.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"batmanl172.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sari.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdown.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassen.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"resakon90.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofwgkta.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captanblack.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teeekox.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaval01.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zethit.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mehdi2012.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pornhubrat.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"themadman05.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dh4.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umerbutt.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"valdytojas-nerasit.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bowo.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boostcyber.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nono-irrash.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sn0.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eto.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manss90.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codeur.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"napel.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiss.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x357x.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mjzd.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rangerover.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemaina.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jpegrta.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackedbyda.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blah311.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b4y23.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boubacs2.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrhappyness5493.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mineconstruction.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"20four7.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datacenterl337.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ronaldoxmbk.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usernamee.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wonpron.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adnanchf.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glorg.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazyass77.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmipk.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayyam786.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bighacker.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juguete.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wweee2345.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolohme.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testuser123.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angkung-cg.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassen1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbooob.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x2d.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koots2.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218985; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymen1982.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nothinghack.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218987; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hugo2001.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218988; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al5eaaal.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boutch.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgitanoremix.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lewisxi.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mixbyte.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218993; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abu.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218994; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otocukk.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218995; rev:1;)
alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkt0wn.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6packplaya.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cambatta.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shytos.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"godrats.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"extralol.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacksworks.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fluckker.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaa1.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker1994.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razmo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1219006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmownage.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santirio.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naila.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pepedique1.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q0i.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91219011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet393.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grimbo151.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonimous.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zerocool6.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmmx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jokersprey.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eqonix123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cikobikociko.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yazeed51201.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1219020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91219020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emhacker2014.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ali010201.no-ip.biz"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxpeacelovexx.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarpdeniz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asa.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacklord5.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrazoz010.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218948/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfbthemask.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moaaah.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grumpyemo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krypt.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5057koma.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218953; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobojump.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xp10x.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragunosnn.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zboz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgrat.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"m7mad11.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sefadenemeee.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wasou.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cachuera.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcaneskycyber.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbooob1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my-cracker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apolon.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superstonersrule.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reesfarrington.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madhack.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218969/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91218969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trojanduc.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vooov.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aseer30512.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"top511.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lonelyboy85.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nooblike2504.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerlazy.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amdb08.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebekler.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tamaliyoio.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"commande1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7sh.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnett.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"himbirik.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meshalmrb.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bucac.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bublu.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almm.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedsp.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"betaia.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thel33ch0r54u.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218912; rev:1;)
# --- Review notes for this run of DNS-hostname rules --------------------------
# Matching: each rule below inspects the dns_query buffer for ONE exact hostname.
#   depth:N equals the length of the content string, so the name must start at
#   offset 0, and isdataat:!1,relative requires that nothing follows it; nocase
#   makes the comparison case-insensitive. A query for "www.<name>" or for any
#   longer name therefore does NOT fire. fast_pattern pins the hostname as the
#   multi-pattern prefilter literal.
# Attribution: target:src_ip marks the host that sent the query as the victim.
#   NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET, so a client's query
#   to an internal recursive resolver (HOME_NET -> HOME_NET) is not covered; in
#   that deployment only the resolver's upstream lookup matches and src_ip is
#   the resolver, not the infected client. Confirm which DNS path the sensor
#   sees before using target for triage.
# Aging: every name here is a label under the dynamic-DNS zone no-ip.biz and is
#   tagged first_seen 2023_12_17. Such labels can presumably be released and
#   re-registered by unrelated users, so read confidence_level as the value at
#   submission time and check the reference: URL (the ThreatFox IOC page) before
#   turning an alert into a block. The msg names no malware family; the IOC page
#   is where that is recorded.
# Identity: sid is the ThreatFox IOC id prefixed with 9 (ioc/1218913 -> sid
#   91218913). Keep sid and rev as issued so upstream feed updates supersede
#   these rules cleanly.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mimo0.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panicwow.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reham19.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ygd.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hazeprogamer.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcometfirat.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bifrost67.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bedda-mhamdi.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5z2z.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"motanish.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oblique07.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bulletxxx.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medoo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tradaday.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"djitonk.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novianade.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dangerline.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midogalaxy.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpedoear.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin10.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powapowa.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"michatata.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack-exe.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pghrats.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t5f.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaizor.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mryasso.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarajist1919.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"younameonyourhost1.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j600.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jrooo7y.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soadremi.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikropbisey.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fontom.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nav232.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"341337.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razor1991094.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"micosto.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p4nicoh4ck3r.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tare-hacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"than.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ownedbeyatch.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sendenbundan.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"black-spy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakan01.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxffxx.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utubeproxylistdns.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sakura.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad3s.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solarianass.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ksa-ksa.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pownagezorlol.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swadida.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetalomari2012.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wstxx.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"levieux.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"troyanos123jaja.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"troyanosmsc.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pratikpise92.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndunlop.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohmoh.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spay2121.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr1mo0om.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dancuk.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silentassassin54.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcomet1.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petryca-pc.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesiiccaa.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218824; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"micetang.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218825; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proyectofinal.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218826; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loversdrown.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218827; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anoattack.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218828; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakancanyakan.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218829; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servicepub.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218830; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ali205.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218831; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"entha-zmank.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slaktzoorr.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218833; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boykanyon.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218834; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birkan99.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218835; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanchy.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218836; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uarista.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218837; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"calvinluga.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218838; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymano1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218839; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viko89.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218840; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a-virus.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rtm16.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaaekm.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duracellhf.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218844; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"millwood.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218845; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azqq.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samo1903.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thegreatsun.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monsieur663.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c9v.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zfotoz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blueparrot.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambassy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peruxd.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazotek.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pokpok.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ned.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrix-30.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hyaty10.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redtanga99.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powpowxd.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlux81.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenanazem.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateexample.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218784; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hosturl.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikijade21.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url,
threatfox.abuse.ch/ioc/1218786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"network923.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fahdtest.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreisternen.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theviper.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elverangesnew.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihackedyou.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maske.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chiheb.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shahg1992.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragonovop.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverteam1234.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrcr3zy2012.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacksouf.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmax22.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goforit.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notti.no-ip.biz"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoyoyo123456.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adminrat.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benimellal.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parawoodston.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jackerjumper.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218807/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kikou275.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adri14gay.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestwowhacks.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evilsideofme.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dunderburken.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boludo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almoomia10.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lorena82.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sumboku.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bykeles.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"fadyfofo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alkh20.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ultrahack.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rofi571.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanoo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxtheerrorcode.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomeramar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binladen1337.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bazooka07.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al-tomihy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alwaysnumba2.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218748/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91218748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"experimentalhost.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no0blike-b.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homebrand.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agustincuestas.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunisia-sat.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218753; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kleenexforall.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razzy.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"larryking.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihost12.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funtaged.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sllele.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lalo1999.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmodianscape.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyone.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aloo2.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uncontroller.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"denia.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucasfranca19.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"timetest.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abod055566.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smola.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fasil.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agentmaxserver.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuzandonoz53.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovemoneycash1.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmaaxx511.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cry1.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaasdeqqqqqq.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate00.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glubba.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sara3.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hpnotiq.no-ip.biz"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gurgelgurka.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"user6teen.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jam99.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unnamed.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cedano-hack.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218707/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microlab.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bonkar.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliawais.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biofaction.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mymyno.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218712; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poisoned.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naitsen.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trx4000.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system74.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adore.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"kyfen.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingfrancais.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rbj7000.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myslavesbitch.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fashionhot.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rking.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1218723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jayhax.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vodafone007.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vipb2a.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ukgunner.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loll1.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simo1mag1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohammad2010.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmoteeb.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alabady.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fabhacku.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ulvradar.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjjjjjjjjjjjjjjjj.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flambohack.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daytime.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramzii.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metin4community.no-ip.biz"; 
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r9.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kooooooooooooooo.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oo7bond.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilikeuiseeu.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tchequeneris.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218666/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"digor12.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"michel213.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrdeathspynet.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raja147.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gugnlinun.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiddenx.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"king-life12.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autoclicker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anything100.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateserver.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"pirategamer.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ah0tninja.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedboss123.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"picim.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rsmacroing.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turko.no-ip.biz"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuteboy22.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaratali.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibliscybergate.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xp8.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"200320102218.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218687/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahaat.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mispynet.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjo.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"honest-fucker.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sohiljia.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218692; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theundertaker.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kissmyarse.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aminecoco.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"root-l.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zandekaron.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"xmicrosoftx.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahacker.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sal123.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chotilnw.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hat1mftw.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srge.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bymusti71.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lordz.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fjeden.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisgameskuxx.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ow.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bfperu.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obedahbook1.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tehown00.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"purehate.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alteregohdv.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buddy.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"russianhacker.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackid3.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwe123.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybermonkies.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmetozdemir.no-ip.biz"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3z8zrgzr7kltr.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"picmisin.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdshjdsdh.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blaastz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amadouw21.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218645/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boubacs123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin10.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oseant.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blitzgamer.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baretta.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218650; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azoz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fisherman7.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynetz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erimaksoy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idontknowme.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"aissani.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"txfaas.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kakoooo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suliman-000.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takutaku.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sniper24.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kolaphin.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybermy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patr0n.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homd.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farman.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danywar2010.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragonworleds2.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milly888.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bpkmorte.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gangstar.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system32x.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinkuz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amigo191.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shiv.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xemeax.no-ip.biz"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iprogrammer.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lixx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superhilaly3.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m5m5-hacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x6.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218604/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devilfromrs.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"streppone.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deemon.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lincolnhawk.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khench.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218609; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htnouk.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohmed113.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahmoud1337.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"belrus.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x4s.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"deadessence.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratxlsk.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jeremyore.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayarbaban.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmor4ever18.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jalouka.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ch.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mami06.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhhgt.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zombie1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"example.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinkiboy.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iatxam.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fredom45.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prapappapo.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tata01111.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"defaulthost.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monster2020.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host-5555.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghosthack12.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"korusu38.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"holyshit.no-ip.biz"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rr6600oo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alm3a8p.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alwasn2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itxdevil.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blida09.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218563/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fakemu.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zived.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaaaaaaaaaaa.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arshaviin.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sf-hkr.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218568; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmad.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatero07.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noliife.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aswwqexc.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kardelen.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"all.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jnooon123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzzenemigoszzz.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test06.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"causajeje.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cliconfg.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hissain11.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"147852369.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farfouch-hacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fakerr23.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldjkldkdlkdl.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218584/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91218584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carlostutor.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackhond.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seven2x.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modgamingpro.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazy06.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218548; rev:1;) alert tcp $HOME_NET any -> [94.131.107.199] 
47090 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tndeatcamside.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trackmoney.dynuddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"varo12l.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w3llstore.mywire.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win009.theworkpc.com"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsddns.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wins23octok.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xcrew1990.kozow.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdatarfree.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhangfeng123.eu.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218545/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knowledge-variance.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loribard.ddnsfree.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luci2023.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mxrecordsipcordsss.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"national-pension.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nationalteams11.publicvm.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noescorrecto2023.kozow.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pasgoingcrewmoviand.3utilities.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pibirat.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pythondsh4.loseyourip.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218533; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reply.gl.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test56654.myddns.me"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhfgjghkgh.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flitryuzoneu.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frostycheats-30646.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"getting-roommate.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gnbeatscagig.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtitryuzoneorji.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdr.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hexrxr.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostynjrat222.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibat21.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iced.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agent-thumbnail.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aniuus.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basgoingbrewca.serveirc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218499/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"best-recycling.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bold-bush-09147.pktriot.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"browse-classic.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-bj1-kvlqs4ee.frp.cool"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coffee.ddns.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218504; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"country-wellness.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dlitryuzoneu.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doradp.gleeze.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecuadorasyn.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enviofinal.kozow.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"extra-hack.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fat7ola07.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fee-harmful.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.err.line.pm"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a0880508.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218496; rev:1;) alert tcp $HOME_NET any -> [45.84.199.34] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1218488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218488; rev:1;) alert tcp $HOME_NET any -> [62.234.175.104] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218489; rev:1;) alert tcp $HOME_NET any -> [68.10.7.227] 5620 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218490; rev:1;) alert tcp $HOME_NET any -> [81.11.198.38] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218491; rev:1;) alert tcp $HOME_NET any -> [82.165.213.242] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218492; rev:1;) alert tcp $HOME_NET any -> [82.64.54.249] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218493; rev:1;) alert tcp $HOME_NET any -> [91.92.241.17] 4449 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218494; rev:1;) alert tcp $HOME_NET any -> [31.214.243.202] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218474; rev:1;) alert tcp $HOME_NET any -> [38.55.197.206] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218475; rev:1;) alert tcp $HOME_NET any -> [42.51.39.90] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218476; rev:1;) alert tcp $HOME_NET any -> [43.248.186.20] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218477; rev:1;) alert tcp $HOME_NET any -> [43.251.16.74] 5342 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218478; rev:1;) alert tcp $HOME_NET any -> [44.193.61.216] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218479; rev:1;) alert tcp $HOME_NET any -> [45.125.46.201] 57469 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218480; rev:1;) alert tcp $HOME_NET any -> [45.141.215.230] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218481; rev:1;) alert tcp $HOME_NET any -> [45.145.224.40] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218482; rev:1;) alert tcp $HOME_NET any -> [45.145.229.151] 8803 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218483; rev:1;) alert tcp $HOME_NET any -> [45.145.229.151] 9603 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1218484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218484; rev:1;) alert tcp $HOME_NET any -> [45.152.66.153] 8807 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218485; rev:1;) alert tcp $HOME_NET any -> [45.152.66.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218486; rev:1;) alert tcp $HOME_NET any -> [45.152.66.165] 9608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218487; rev:1;) alert tcp $HOME_NET any -> [198.13.34.134] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218465; rev:1;) alert tcp $HOME_NET any -> [2.56.245.187] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218466; rev:1;) alert tcp $HOME_NET any -> [202.63.172.63] 8848 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218467; rev:1;) alert tcp $HOME_NET any -> [206.119.117.179] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218468; rev:1;) alert tcp $HOME_NET any -> [206.123.140.95] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218469; rev:1;) alert tcp $HOME_NET any -> [206.233.132.232] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218470; rev:1;) alert tcp $HOME_NET any -> [206.233.240.31] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218471; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 15224 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218472/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218472; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 4824 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218473; rev:1;) alert tcp $HOME_NET any -> [185.81.157.19] 3310 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218460; rev:1;) alert tcp $HOME_NET any -> [185.81.157.19] 3314 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218461; rev:1;) alert tcp $HOME_NET any -> [185.94.29.178] 4477 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218462; rev:1;) alert tcp $HOME_NET any -> [188.148.105.135] 3113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218463; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 41254 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218464; rev:1;) alert tcp $HOME_NET any -> [156.251.19.50] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218452; rev:1;) alert tcp $HOME_NET any -> [159.69.85.54] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218453; rev:1;) alert tcp $HOME_NET any -> [163.172.165.144] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218454; rev:1;) alert tcp $HOME_NET any -> [167.71.56.116] 22942 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218455; rev:1;) alert tcp $HOME_NET any -> [176.129.191.64] 5123 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218456; rev:1;) alert tcp $HOME_NET any -> 
[18.192.93.86] 14444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218457; rev:1;) alert tcp $HOME_NET any -> [182.43.76.21] 7788 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218458; rev:1;) alert tcp $HOME_NET any -> [185.196.9.95] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218459; rev:1;) alert tcp $HOME_NET any -> [154.91.229.111] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218449; rev:1;) alert tcp $HOME_NET any -> [154.91.229.36] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218450; rev:1;) alert tcp $HOME_NET any -> [154.91.230.208] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218451/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218451; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 2276 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218441; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 3767 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218442; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218443; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218444; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 8264 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218445; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218446; rev:1;) alert tcp $HOME_NET any -> [154.12.87.251] 8301 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218447; rev:1;) alert tcp $HOME_NET any -> [154.12.87.251] 9601 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218448; rev:1;) alert tcp $HOME_NET any -> [124.248.69.71] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218433; rev:1;) alert tcp $HOME_NET any -> [125.64.108.85] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218434; rev:1;) alert tcp $HOME_NET any -> [134.122.133.177] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218435; rev:1;) alert 
tcp $HOME_NET any -> [143.92.32.18] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218436; rev:1;) alert tcp $HOME_NET any -> [143.92.35.85] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218437; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 49190 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218438; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 20761 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218439; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 22684 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218440; rev:1;) alert tcp $HOME_NET any -> [111.173.89.39] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218420/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218420; rev:1;) alert tcp $HOME_NET any -> [111.229.116.176] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218421; rev:1;) alert tcp $HOME_NET any -> [121.62.23.71] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218422; rev:1;) alert tcp $HOME_NET any -> [123.99.200.134] 2351 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218423; rev:1;) alert tcp $HOME_NET any -> [123.99.200.157] 2450 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218424; rev:1;) alert tcp $HOME_NET any -> [123.99.200.157] 2991 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218425; rev:1;) alert tcp $HOME_NET any -> [123.99.200.175] 4595 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218426; rev:1;) alert tcp $HOME_NET any -> [123.99.200.184] 2650 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218427; rev:1;) alert tcp $HOME_NET any -> [123.99.200.188] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218428; rev:1;) alert tcp $HOME_NET any -> [123.99.200.191] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218429; rev:1;) alert tcp $HOME_NET any -> [124.156.160.52] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218430; rev:1;) alert tcp $HOME_NET any -> [124.221.43.13] 5222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218431; rev:1;) alert tcp $HOME_NET any -> [124.248.69.70] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218432; rev:1;) alert tcp $HOME_NET any -> [103.186.215.91] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218412; rev:1;) alert tcp $HOME_NET any -> [103.193.188.13] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218413; rev:1;) alert tcp $HOME_NET any -> [103.193.188.13] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218414; rev:1;) alert tcp $HOME_NET any -> [103.207.165.25] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218415; rev:1;) alert tcp $HOME_NET any -> [106.53.119.74] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1218416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218416; rev:1;) alert tcp $HOME_NET any -> [109.205.214.146] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218417; rev:1;) alert tcp $HOME_NET any -> [111.173.80.91] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218418; rev:1;) alert tcp $HOME_NET any -> [111.173.80.92] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218419; rev:1;) alert tcp $HOME_NET any -> [103.186.215.91] 3390 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stlia.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suit1-fax.myhome-server.de"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upbeat-water-13533.pktriot.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-west-11608.packetriot.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winter-dew-56140.pktriot.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zex.cable-modem.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"news.coris-bank.fr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nucleardom.is-a-geek.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plugins.dynamic-dns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snow.rule-de-game.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldfiner.dyn-ip24.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"home-comp-8390.dyn.home-webserver.de"; depth:36; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"home.no-ip.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesus-christ.redirectme.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"justme.dyndns-server.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.btc-crypto-rewards.cash"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amanai.net-freaks.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218382/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aylmao1337.tk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bore.pu"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"budahhsegnemich88.home-webserver.de"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.fedex-shipping.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dico.is-a-designer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218388; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dv-sec.hopper.pw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e-businessloader.mywire.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eu-central-7075.packetriot.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funnypic.dyndns-remote.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gameserver-789.duia.ro"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"714745cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218381; rev:1;) alert tcp $HOME_NET any -> [38.46.30.192] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218380/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218380; rev:1;) alert tcp $HOME_NET any -> [154.247.199.149] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218379/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218379; rev:1;) alert tcp $HOME_NET any -> [154.247.212.17] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218378/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218378; rev:1;) alert tcp $HOME_NET any -> [212.70.96.40] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218377/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218377; rev:1;) alert tcp $HOME_NET any -> [72.27.153.72] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1218376/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218376; rev:1;) alert tcp $HOME_NET any -> [151.48.156.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218375/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218375; rev:1;) alert tcp $HOME_NET any -> [90.4.96.247] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218374/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218374; rev:1;) alert tcp $HOME_NET any -> [141.164.205.231] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218373/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218373; rev:1;) alert tcp $HOME_NET any -> [178.78.86.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218372/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"83.97.73.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218278/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218278; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"a1b2c3d4e5f6g7h8i9.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218279/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"j1k2l3m4n5o6p7q8r9.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218280/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"s1t2u3v4w5x6y7z8.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218281/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"o1p2q3r4s5t6u7v8w9.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218282/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"x1y2z3a4b5c6d7e8f9.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218283/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"g1h2i3j4k5l6m7n8o9.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218284/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"v1w2x3y4z5a6b7c8d9.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218285/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"k1l2m3n4o5p6q7r8.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218287/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; 
nocase; http.host; content:"m1n2o3p4q5r6s7t8.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218286/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"u1v2w3x4y5z6a7b8.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218288/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"a1b2c3d4e5f6g7h8i9.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218289/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"j1k2l3m4n5o6p7q8r9.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218290/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"s1t2u3v4w5x6y7z8.ru"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1218291/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"g1h2i3j4k5l6m7n8o9.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218294/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"o1p2q3r4s5t6u7v8w9.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218292/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"x1y2z3a4b5c6d7e8f9.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218293/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"v1w2x3y4z5a6b7c8d9.ru"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218295/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"m1n2o3p4q5r6s7t8.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218296/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"k1l2m3n4o5p6q7r8.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218297/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"u1v2w3x4y5z6a7b8.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218298/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzfmmjgxndfknde0/"; depth:18; nocase; http.host; content:"macavalaesl485.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218299/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzfmmjgxndfknde0/"; depth:18; nocase; http.host; content:"movlysanems296.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218300/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzfmmjgxndfknde0/"; depth:18; nocase; http.host; content:"tenchroouslam248.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzfmmjgxndfknde0/"; depth:18; nocase; http.host; content:"bountyhlsena45.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218302/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzfmmjgxndfknde0/"; depth:18; nocase; http.host; content:"archevlasmenes8.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218303/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/yzfmmjgxndfknde0/"; depth:18; nocase; http.host; content:"condeansleksmsnf87.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218304/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fixedfolderpath/"; depth:17; nocase; http.host; content:"akksdkmmfsak2.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218305/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fixedfolderpath/"; depth:17; nocase; http.host; content:"vanced.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218306/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fixedfolderpath/"; depth:17; nocase; http.host; content:"fjasodfjmoas32.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218307/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fixedfolderpath/"; depth:17; nocase; http.host; content:"qwojqkwefpok324.net"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1218308/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fixedfolderpath/"; depth:17; nocase; http.host; content:"qppwefpeqwpepap25.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218309/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"days-jd.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"and-tim.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"driver-computational.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"man-organized.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"message-epic.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pro-ethiopia.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218362; rev:1;) alert tcp $HOME_NET any -> [170.64.204.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218371/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218371; rev:1;) alert tcp $HOME_NET any -> [192.46.215.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218370/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218370; rev:1;) alert tcp $HOME_NET any -> [3.149.246.173] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218369/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218369; rev:1;) alert tcp $HOME_NET any -> [185.196.9.238] 
8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218368/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218368; rev:1;) alert tcp $HOME_NET any -> [43.139.241.58] 131 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218367/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218367; rev:1;) alert tcp $HOME_NET any -> [192.121.113.129] 4073 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218366/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218366; rev:1;) alert tcp $HOME_NET any -> [20.62.199.199] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218365/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218365; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218364/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218364; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218363/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91218363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"larbivps.freemyip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juhanirats-22583.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kutas54645-53485.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marquinhos-36228.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"safe242-28278.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218354; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sm94-21612.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218355; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218350; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218349; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218348; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eset-antivirus.ydns.eu"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"host-l6w.mooo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218345/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realtopg-40301.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andrew566-21312.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helixsohum-59977.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibidado-62758.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218339/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krazzy-61352.portmap.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krypzo-41088.portmap.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magicme-54389.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portmapuser9999-40587.portmap.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akamegakill.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gl.no-ip.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magsi.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noname38.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noname381.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"card-conversation.at.playit.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"chivalrous-condition.auto.playit.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"color-premises.at.playit.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"france-barely.at.playit.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"george-pressing.at.playit.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interest-border.at.playit.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"this-france.at.playit.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warm-voyage.auto.playit.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woebegone-smoke.auto.playit.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7077life.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bornsinner.myq-see.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corsi111.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gracemultiply.myq-see.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kozatkr.myq-see.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maggii.myq-see.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morelogs2020.myq-see.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myseason.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218317/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new2021.myq-see.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newzebi.myq-see.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"positivemikey.myq-see.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"public4750.myq-see.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonypeter96.myq-see.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218322; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sidactionorg.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sn00k131nc.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unswattables.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wharfedale.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkr0wnx.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"123ram777.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"20141129server.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"74cosmefun93.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77caliescali77.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77nwo77.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqo.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1218256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asusdriverupdate.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beastyyou.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawood00.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawood02.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamswitchd.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218261/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91218261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duncan01.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fmw87907.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geekmind1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khkeur.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lakes14.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrlee0740.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nkmzizbest4.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"personalosas.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratebox.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rizzla.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sgt-strik3r.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antivirus-helper.publicvm.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lizzerdminecraft.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mapec.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanodell.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanso.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robbertwayne.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rogerboy12.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"routess.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sifenajma.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smokiez94.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volomo223.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windosupdater.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkr0wnx.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aawwssdd2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apananco.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bemery2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bravebizzle.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brunoonochie.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessdb01.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessdb04.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"captainbulusss.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fromfirsttolast.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"group3.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hexrex.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jegs.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; 
content:"23.251.32.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesus-redirectme.chickenkiller.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ze-slade.chickenkiller.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1218222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updats.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update-system.duckdns.org"; 
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nojewsjwooujweq.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bivkaniva.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xavi-bales.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swift-copy.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysupdate24.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saurondark75.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat-val.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gracealloverme.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-service.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doc-file.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dagnag.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebis2.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigwlat.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaincrestel1900.ddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218206; rev:1;) alert tcp $HOME_NET any -> [159.203.16.166] 8383 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218203; rev:1;) alert tcp $HOME_NET any -> [206.189.20.127] 53896 (msg:"ThreatFox Nanocore RAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218204; rev:1;) alert tcp $HOME_NET any -> [43.249.192.204] 41166 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-http.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"settings8888.geoiplookup.live"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upbeat-water-13533.pktriot.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-west-11608.packetriot.net"; depth:28; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volve.system-ns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"za3tour.no-ip.cam"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magas69.tk"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mimo-salah.bo-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"misty-sun-47407.pktriot.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218191/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-punisher.no.-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msn-web.ddnsking.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msspools.https443.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.sells-it.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petite-bars-raise-82-45-123-4.loca.lt"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218196; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hip-snakes-trade-82-45-123-4.loca.lt"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j0k3r420.ddnsking.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kdns.org"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kind-resonance-23542.pktriot.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andriod-apk.bounceme.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"android-update.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anysh0p.servebeer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asia-south-36774.packetriot.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moriartynjratka.myftp.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-online.myftp.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dofus-hack.myftp.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myvnc.myftp.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sxtrm.myftp.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assessment-epinions.at.playit.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boy-amy.at.playit.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"business-fuel.at.playit.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1218161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cash-title.at.playit.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contents-burn.at.playit.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"girls-definitely.at.playit.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"il-prince.at.playit.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"indian-knowledgestorm.at.playit.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218166/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"journal-serial.at.playit.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jumpy-advice.auto.playit.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"needs-unlike.at.playit.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"perpetual-pollution.auto.playit.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"positive-be.at.playit.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"property-served.at.playit.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"receive-dating.at.playit.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"understand-recommendation.at.playit.gg"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weak-edge.auto.playit.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discordsh.kro.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218157; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runtime.kro.kr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218158; rev:1;) alert tcp $HOME_NET any -> [216.48.184.52] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218156/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_17; classtype:trojan-activity; sid:91218156; rev:1;) alert tcp $HOME_NET any -> [13.127.240.175] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218155/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91218155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volkatv500.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows-servers.sytes.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skype-all.sytes.net"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghaithkassar999-47454.portmap.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"openport5327-59758.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owais5050-61656.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"picobis-20350.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ranjeethubb-47583.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadatsdays-32203.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"speedplayers-23540.portmap.io"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z0rdexx-24386.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackid-48411.portmap.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghaithalkassar-42536.portmap.io"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218143/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"5683812xs-43939.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218123/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alonewolf-45132.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218124/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alshareeftwtw-28524.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218125/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"falcon-56657.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218126/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gaymerval05-47556.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218127/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kassar963-63714.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218128/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lorixo-40605.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218129/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lorixo666-43778.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218130/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mark76666-52473.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218131/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mys7ery-22338.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218132/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mys7ery2-20549.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218133/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nndmb-42891.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218134/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"oldtwenty123123-59308.portmap.host"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218135/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"privatekey-41054.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218136/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"privatekey-64986.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218137/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; 
dns_query; content:"startitit2-23969.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218138/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"thisismylifemimeyo-22560.portmap.host"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218139/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tolga182-49359.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218140/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"wasted9sss1-51443.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218141/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91218141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yazanabbas11.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zal3ahack.no-ip.info"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arabfucktania.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asil66.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badrya2.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"betabetabetabeta.no-ip.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrom.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218093/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleenjordancleen.no-ip.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eloahsh.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farid79.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h5214h1.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamagamer.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hogr.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibrahima7mad.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"islamhackerdz.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kha2012lid.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"khalid-2015.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjsf6gj9.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"korabika198.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laith204.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maruku.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memo.no-ip.info"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamadkalary.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohhope.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monahu.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrdos11.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat1231.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218114/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onepiece.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwertyuiop-2015.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3volution.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooting.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7spomp.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218119; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sisoko.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i-br.noip.me"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loco-repo.noip.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrom1.myq-see.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cololo.myq-see.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"darkghost.myq-see.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzspoukadz2.myq-see.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emad1987.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frifra.myq-see.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsociety.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghilas16.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1218070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h3q.myq-see.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers-012.myq-see.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbj1.myq-see.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaka1286.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kamaly.myq-see.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91218075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karrar44.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m6no0o5.myq-see.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"max-payne.myq-see.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moon2015.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omgmek.myq-see.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superstart.myq-see.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tigano0724.myq-see.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toothless.myq-see.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbbu.myq-see.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xterm.myq-see.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yassineouhaniii.myq-see.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abu3mrh.myq-see.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliabodabbos.myq-see.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"besoo952.myq-see.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antivirus-helper.publicvm.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facebook-sports.publicvm.com"; depth:28; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smile-111.publicvm.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web3.hopto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vlad71.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrwan.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvd19.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218052/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91218052; rev:1;) alert tcp $HOME_NET any -> [213.152.161.20] 17149 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1218053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostbolvan.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dark100.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkfag1337.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nj-microsoft.linkpc.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"ns11-l11.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows-services-udpate.linkpc.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-1.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"results-ownership.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"score-told.craft.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"send-diversity.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"should-conjunction.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soon-lp.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"source-seconds.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"specific-algeria.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"street-shut.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1218031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"structure-tour.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"study-silly.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subject-assure.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"summer-semester.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supply-recorders.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218036/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system-reported.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"there-carol.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topic-jacksonville.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topics-junior.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toys-bouquet.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uk-brakes.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"van-turtle.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winter-rd.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chapter-julia.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"considered-arrest.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"construction-circles.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"debt-bar.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"default-flashing.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"display-trade.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"driver-computational.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"earth-sw.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"end-purchases.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"england-disability.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"even-house.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"existing-ultimate.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"experience-cage.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1217996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feature-trade.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"female-boost.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"female-javascript.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"image-attitude.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interest-throwing.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218001/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"item-religious.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j-gig.at.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"japanese-valid.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keep-carbon.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knowledge-winds.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91218006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"line-calls.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"london-banned.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"members-path.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"might-doe.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minimum-certainly.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mission-panels.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-slovakia.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no-sofa.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"numbers-characterization.at.ply.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office-smoke.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"opportunities-rendered.craft.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outdoor-geo.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outside-fine.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"package-read.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paul-positive.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"potential-singer.at.ply.gg"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"problem-download.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1218023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91218023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account-stevens.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ago-shopper.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazon-engineers.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applications-tri.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"availability-cafe.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"back-effort.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"being-awards.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"browser-bangladesh.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"budget-centre.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217980/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camera-shadows.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carolina-electro.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cart-updates.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thuramtfm.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows-defender-update.duckdns.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217971; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secded21.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servicios-cne.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petrol-chem108.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quintoelemento22.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzul13-3-23.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-ipv6.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"internet-explorer-background.duckdns.org"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kevinmitnick121.dushengsistema.duckdns.org"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estreno1-caso.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discord-proxy.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"dominicananjv.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"001anonimo.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adminash.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amman.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stiktiktik2014.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strangler89.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1217933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syriablackhackers.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system111.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test333.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theponasher.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viperr.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217938/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91217938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wafe000wafe.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waywayeyey2014.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wolfsniper22.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xandy239.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xav.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217943; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xekko.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xssx.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yamanisickk.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yassine-hacker.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ym96.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"youssef-el.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoyojoee.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yyytuit7rt.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zabanahacker.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhiyar98.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zrxdctfgvbhnjkm.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zulex.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nahas.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neelixtop.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noxytng.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nseael3.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwsarrrrr.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omar25.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omerhost.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"othmanbugi.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oussama092.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pivtgavera.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"potdark.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raymondong.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebaz.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rootydead5454.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rrs123.no-ip.org"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sahinerol1.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saladz.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salemsalemas123.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salouh-20.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samirleash.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217918/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"savvxcs.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sco-sco.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shaiya-hemen.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shamir11.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shibatrampos.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91217923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shshsh.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skorepyo1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smadihack.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sniper-speed.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sobhiismyname.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"spynet2016.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starton.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"steamuser1.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hnn.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxps15.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihackv247.no-ip.org"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imed19.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ippoo.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iraqa6536.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"justme10.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kazimali00.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217873/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimoo156.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kussaisouf.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lammer2001.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"last-last.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lbghost.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217878; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lindaevans323.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love100.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magnetico7.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maistro.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"majdi-ard.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"maserati77.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"max900.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxhackme0088.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mhamadhasan8.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mimoj47no.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minhkhanh62.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1217889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmo.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modelove.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moudi1997.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouhamedrez.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mourad-bba34000.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217894/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrasim98.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrjuniorkarriba.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muath0592.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabile444.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danamuhammad12.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217833; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawlatalislem.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcom11.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedo.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dlink.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-camex98348.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"drazmatik56.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzdzkacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"europ.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezelraed.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fereswael.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gehtdichnixan.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghaithadeeb.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghayth.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"googly95.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gothambodh.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwly.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbotanji.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack9.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack90.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker-120.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker2015.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackermasrpro.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackersmorocco.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackpb85.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haked100.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamada50.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamo2600.no-ip.org"; 
depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamzakamali.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasony2334.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassonali.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hellwin.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heroman1.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217865/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedbsy.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedjoy.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedwind.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahriman.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aimbotcs.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217805; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akrab48.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaa2017.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaisnoob.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almodamir.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameerof.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"amgas2015.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andrei24.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anemosajdabya2000.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonghosts.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backdoor25.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backtrack1991.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1217816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basha19992015.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baypal.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilou04.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"black36.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackblader11.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217821/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91217821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boxylibya.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boyangle.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bpsta.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ca30.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chalohacker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chedy83.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chiko-chiko.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"choukiba.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codhacker.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"combatserver.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cuorematto.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0788878940.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192lol.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"40028922123.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9alo-garo.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdullahackiran.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abuzhrh.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adelhacker04.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adelsami123.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rafael-2014.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-black.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kamikaz-hacke.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed-hacker.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baxom-anonm.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker-dz.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xoxoyi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xozgahacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xplackx.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xtremerat2016.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxx008.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahmanioi.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yaman82.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaserhacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yassineouhani.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yesyehya.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"younameonyourhost3.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yusifhacker123.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1217773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zahro2013.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakariabouziane.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zarga1234.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zargo77.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zeen-ahmed.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217778/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91217778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ziedsalama.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zizou07biskra.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmz-zmz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zmz-zmz10.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zola777.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217783; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zydx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzaz10dz.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzdczzrdasxcd.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"th3-jazzz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"th3pro2014.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"thamerr.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the-monible.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thedangerous619.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thedark1988.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tony20051.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tophack.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topmath.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topsayed223.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"totti250.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tougrih.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tv5.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u34.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ulisse-31.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"untilwemeet.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usseralsaher91.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vantora.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vendetta.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vhackteam.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virustop.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waelwaheed2014.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walidyour12.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weldtn.no-ip.biz"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"who-hack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windeeo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizzer09.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrdx321.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsam1987.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217755/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x7modxx.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x99vnw.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xcheater.589.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xersqil237bvcxz.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xhxixx.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217760; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xnxxxx.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sidahmed132013.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silent1213.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simben158.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simoxhacker98.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"sinane.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skoon1234.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skovichhack.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skrooo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slerim.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slowmo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smndr123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sniperghost.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sofe2424.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softdev.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sosamail1211.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soso.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sould.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spartacuse88.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sphack7.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sqsameh9.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sror001.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sss2013.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startx12345.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"steve17.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stx3000.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supermorad.no-ip.biz"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swordfish.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system77.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t612.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tanyakurd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdfshell3d.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217722/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tearlach-154.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tefa83.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tester123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testnjrat.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riadhacker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217657; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rivax01.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riz0.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robinhood122333.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"romel1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runawayclan.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"sa3eka7.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadeqq.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saifdanger.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saifmuhannad.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sajad123455sajad.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sajadgode.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1217668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sameazz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samir123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samirsamir12.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santa94.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarafindlove.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217673/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217673; rev:1;)
# Each rule below alerts on an exact DNS query name: the content pattern is anchored by depth (equal to the
# pattern length) and isdataat:!1,relative (no trailing byte), matched case-insensitively via nocase.
# target:src_ip marks the querying host as the affected side; no threshold is set, so every query alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saralol.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217674; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarmad122.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217675; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saror.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satan2.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217677; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"savioanon.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217678; rev:1;)
# NOTE(review): same hostname as sid:91217678 directly above (ThreatFox entries 1217678 and 1217679);
# both rules fire on one query, so expect duplicate alerts unless one of the pair is disabled.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"savioanon.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdeeeek.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"semper01.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"setokaiba.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex4233.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217683; rev:1;)
# NOTE(review): the content string in the next rule ("sey69.no-ip.bisey69.no-ip.biz", depth:29) reads as a
# concatenation artifact in the feed entry rather than a real hostname. Because depth equals the pattern
# length and isdataat:!1,relative forbids trailing bytes, this rule will not match "sey69.no-ip.biz",
# which sid:91217685 below already covers. Verify against ThreatFox IOC 1217684 before deploying.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sey69.no-ip.bisey69.no-ip.biz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sey69.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sezar19900.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217686; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sezohac.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217687; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shfloot.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217688; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shniederdk.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shvan123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sidahmed-1973.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obadahamad.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omarooney.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omarzzt.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omezzine.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omis.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oommaaww.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osamaali.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oussama.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"oussamalakhtiri.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paloma.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panda2014.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pet105.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"phenokami00.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piikou.no-ip.biz"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pooi222.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"port5552.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pspspsmoo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"punizzer.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qarsan-al-dora.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217639/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoroiu25442.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrga11.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r45w45e56464hw.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"radouan-oujdi.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rafde2015.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217644; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragbr010.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragheb.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ralacapeta.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramzyyss22.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ranouchabiba.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"rattesting.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawaz.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rbg.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"red-devil.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refuseniks.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rekan123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"revengeee14.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muqtd1999.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mustafa123hack.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mustafaalbzone.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mustafahack12.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217592/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muzikas.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mynameisne0.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzeona.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"na33waaf.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabile444.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabilou.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naceurhackerz.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nazarfraih97s.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nazeerkira99.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nene24.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nihad474.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niks123.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninoahmed.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nishica.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nj1rat.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat-akramkader.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat-haloul.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat2012.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat2k.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat712345.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrathakcer.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrathost.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noip-1111.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nomemt.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nono111.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noriaz-hack.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noxx.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217619; rev:1;)
# ---------------------------------------------------------------------------
# ThreatFox "domain" IOCs rendered as Suricata DNS rules (auto-generated,
# see the file header for terms of use). Every rule in this span has the
# same shape; only the queried name, its length and the IOC id differ:
#
#   alert dns $HOME_NET any -> $EXTERNAL_NET any (
#     dns_query; content:"<name>"; depth:<len(name)>; fast_pattern;
#     isdataat:!1,relative; nocase; ... sid:9<ioc-id>; rev:1;)
#
# - dns_query selects the queried-name buffer; depth equal to the name's
#   length pins the match to offset 0, and isdataat:!1,relative requires
#   that nothing follows it. Together this is an exact, case-insensitive
#   match on the whole hostname: sub-labels (x.noxx.no-ip.biz) and the
#   bare parent (no-ip.biz) do NOT fire. Every depth below was checked
#   against its content length.
# - Direction is $HOME_NET -> $EXTERNAL_NET. NOTE(review): where clients
#   resolve via an internal resolver that is itself inside $HOME_NET, the
#   client->resolver query is HOME->HOME and will not match; only the
#   resolver's outbound recursion (if it crosses a monitored segment)
#   would. Confirm the direction/variables fit your deployment before
#   relying on these for detection.
# - target:src_ip marks the querying host (the packet source) as the
#   affected side in alert output.
# - sid is the digit 9 followed by the ThreatFox IOC id
#   (sid:91217619 <-> ioc/1217619), so reference URL and sid can be
#   cross-checked; keep that mapping if rules are edited locally.
# - All names in this span are dynamic-DNS hosts under no-ip.biz with
#   first_seen 2023_12_17. Such names are attacker-chosen and can be
#   re-registered by anyone, so a hit means "known-bad name was queried";
#   corroborate with the resolved address and follow-on traffic before
#   acting on it.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oaoaoaoa.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217620; rev:1;)
# IOC ids are not monotonic in this file (1217620 is followed by 1217553);
# only per-rule sid uniqueness matters to Suricata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mizaje.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkawyhack.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmk88.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmmooommm.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mmss19901990.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mnqatqathackernym.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mo7ameed.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moh20142014.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamedmed.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamednjrat111.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamedsami1234.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamedtota.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohamiiid.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohammadbkar.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohammed119.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohammed2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohmad95.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohqwew.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohundm.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mokla.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"molham.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momo-ha.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monshbido.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moradjojo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosratos.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"motaga8.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moussagroup.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217579; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpyass.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217580; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-ahmadov.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217581; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mr-ybyb.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217582; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mram12345.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217583; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mramer12.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217584; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrsahier.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217585; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msboukadoum.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217586; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mu7a.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muhamadaboeltih22.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kontolanime.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ktkot12345.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kurd199221.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laith23.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laith7714008223.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leofire.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loaimajdi.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loldzezhack2015.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lonayara79.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lonlyman.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lool123lool.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loosseer1212.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovleymedo88.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m2321.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maaher1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madomc.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahboldz.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"majhoul.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mandohegazy.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mantk123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markwawy.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martonerds.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterhaxor786.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mbahuck.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mc-blacklife.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medalwaely.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medo979.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medoowo20140.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medou0099.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medoyho.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memoalaa.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mhsozmen.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-team1.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midohack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miki228.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikpektis.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mila56.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hohohoho12.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoomanbvb.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostmorning.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"houssem2014.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hshli123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hussen-wael.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibrahim123200.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icantfor.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iliassfox1.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inconnu.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intouchable.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iraqiiraqi.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"islam1988.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ixml7os.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jack2336.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamal16a.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jerry193000.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joker111111.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joker1787.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jookerjooker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joune14.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jounjoune.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kachkot.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kalil12.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kararalmhnaoi.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karkarkar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217506; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karkouba535.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"khaled132.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"king120douz.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinghacker1.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinghackers10.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingmalkawe8.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kirkukihama.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kissme1988.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kissmi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerhader.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217445/; target:src_ip; metadata: confidence_level 100,
first_seen 2023_12_17; classtype:trojan-activity; sid:91217445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerred.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackersela7rosea.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackersteam12.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerwwar.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerzes.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217450; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackmadoxx.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hak55essa.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakeemo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakimkaniro.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"halbzhardn112233.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"hamid-bk.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamod2001.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamodi-hack1234.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamouda25.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamydal.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hanskazan.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harde1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hardysalah.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassandes.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbooob.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hcker17.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdtv1.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hema11020.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heroznt1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hevarkurd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hexerhasone.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hh2000.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhheeedddiii1.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhhh.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhhhh11111.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hicham3062015.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitcherhacker.no-ip.biz"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkrooz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkrz123.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hogr.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farman33.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farouk2014.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217408/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feellovedud.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feras9999.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fewrgfg.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffaass212.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ffff99fff.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217413; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fh-oode.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fighttodie.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firehacker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forfaitnet.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fourat852.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"freesyrian-army.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fthbhd.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuq-gg0313.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagamoga8.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gazwan99.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghassira0530.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1217424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghostaway.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghostfreak.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghsan.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghssan7833.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjigja2015.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217429/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gt500r32.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gulfup.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackali12121.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackana.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker-140.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker009.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker12345678.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker4884.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker5389282.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerahmed123.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"hackerback.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbkc.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerboy0505.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbyoz2014.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerdz16.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"didodido123.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1217372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dimadz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"directlink.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmedqwe2.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmx22.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dolaaultra.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217377/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domdam.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dracula00.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drmido.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drnaif.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dz39.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dz4u.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzmafia05.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzsaw10.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dztopac123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebrahem100.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edu2015.no-ip.biz"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"el-punisher.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgzar201.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elie-asper2.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elkbigfootnjrat.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elmamlka1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217393/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elwahyelasil.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eslam33432.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eslam512.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eslamali209070.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evan-evo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91217398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evanov-evo.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evanov-evoo.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"example32.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facepook.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fade-2e7.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"fakeasda.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faressss.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faressyria.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bixo33.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackman00000.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackovy.no-ip.biz"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnl-hacker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bojnas.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bool12.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bosra2014.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bosshacker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217345/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnetnotepad1.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boumadda.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boysdark.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"byahmedmido.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callmeosos.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217350; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captinsp.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carapuce-2014.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chawg.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chiheb147.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chlbo9.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"chrom.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"commandant30.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"congratulation.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazydz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d0e.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d3sxhack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dad4me.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadsatefa.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadude007.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daniihack1989.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daninasr190.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkhorsehacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkspamer-17.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darwnhacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deko2010.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dex4madara.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anwarmaxa.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arsenal.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashqataqtaqi.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asmat-kochar.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asra0.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"atallah15.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atoo5050.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attia.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attiya-dz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avgika.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayman1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymen-emino.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymen-mouffok98.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymendos.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aymenuryaz201.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayoub1997.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217318/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ayyad99.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"az3r-hh.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aziz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"babiyo123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badino213.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badprince.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badrmesbahi1998.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bahamass1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baladarin3.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balagyan.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"bando222.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbaros-dz.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bas2532.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basharalassad1.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"batman2015.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bearkassad.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggsmall.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigshow2020.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilel0770.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedali.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedalsisi.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedesam13.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedfav15.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedlosha.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmednasser201523.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedop.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahyatezy15.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ailail07821532043.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aissaaissa.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ak477.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akamhk2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al.no-ip.biz"; 
depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaaadly2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alagha12345.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliahmahhmod.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alialassad1.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alihack1234.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alihack12345.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alihacker2015.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alikasm111.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alloiwalasadi11.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpha-7.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217289/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"altyyarabdoo.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameen-haker2.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ameerhacker2012.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amer123nofal.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aminadz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217294; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ampelmajek.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anakhaled20.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anapop.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anasfater.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anass-nj.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"anonghost0.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymous5552.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymous93.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdalahhaker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdellah21.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdokhoua.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1217234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdou05dz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdou1230.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdou1999abdou.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdulahacker3.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdullh2424.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217239/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_17; classtype:trojan-activity; sid:91217239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboody-16.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboodydody.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboudmonster.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achille123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achrafz1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217244; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"achwakkoukou2015.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adel007711.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adelame.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admadm.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adminirq.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"admralnet.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adnan7yousf.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adnan99.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adnanza.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advengence.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adventurousxxx.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afghan.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agord.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmad112233.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmad12test.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmadayad2014.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed-070.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed-080.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed12300.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedabkareno.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedahmed10.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmedalfurjani.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"01287288615.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"03130.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"100009755836320.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3bood1100.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"4kurdistan.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7azimoo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a777a.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aa22aa.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaffaay.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aadd.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abasrab16.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217231; rev:1;) alert tcp $HOME_NET any -> [87.65.150.78] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217194; rev:1;) alert tcp $HOME_NET any -> [89.23.99.53] 332 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217195; rev:1;) alert tcp $HOME_NET any -> [37.209.239.84] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217190; rev:1;) alert tcp $HOME_NET any -> [45.67.229.124] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217192; rev:1;) alert tcp $HOME_NET any -> [82.117.255.113] 1525 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217193; rev:1;) alert tcp $HOME_NET any -> [31.28.240.86] 1080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217189; rev:1;) alert tcp $HOME_NET any -> [45.141.27.54] 6522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217191; rev:1;) alert tcp $HOME_NET any -> [185.38.142.252] 443 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217185; rev:1;) alert tcp $HOME_NET any -> [212.90.36.66] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217188; rev:1;) alert tcp $HOME_NET any -> [211.46.138.35] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91217187; rev:1;) alert tcp $HOME_NET any -> [209.126.4.184] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217186; rev:1;) alert tcp $HOME_NET any -> [146.19.230.52] 4456 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217182; rev:1;) alert tcp $HOME_NET any -> [172.94.4.171] 7772 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217183; rev:1;) alert tcp $HOME_NET any -> [185.254.37.137] 7788 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217184; rev:1;) alert tcp $HOME_NET any -> [103.212.81.159] 4001 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217180; rev:1;) alert tcp $HOME_NET any -> [107.2.6.1] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1217181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217181; rev:1;) alert tcp $HOME_NET any -> [90.151.150.173] 5189 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1234567bbbhasn.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmed-ghost.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alawi-123.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"argentina1100.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; 
sid:91217201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atefyatef.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dahom502.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"damential.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsbase505.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-mesho.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"fdsasda.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaisosnavas17.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ksa-99.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m5tlhackerwlak.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login-servers.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mhamad-l.ddns.net"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mariatroianos.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mstafa-king1.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"njrat-serv.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sofe-hacker.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saoudi-004.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217216/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ser-multi2015fuck.ddns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updatesystem.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows-background.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217220; rev:1;) alert tcp $HOME_NET any -> [90.11.66.45] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luci2023.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217117; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mxzaa.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mybabygirl.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nazareno77.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novbillions.myddns.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retghrtgwtrgtg.bounceme.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"playman0101.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satura.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suntit.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthy2023.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthyman.freemyip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217134; rev:1;) alert tcp $HOME_NET any -> [38.170.239.48] 7506 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1217135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217135; rev:1;) alert tcp $HOME_NET any -> [95.168.174.55] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aimbotexee-22359.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"androidonline.ddnsgeek.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aimbotexee-47825.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bluemail-fax.home-webserver.de"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217141/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91217141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ca-fax123.home-webserver.de"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"designed-nodes.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cfr.eur-import.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doldbolcein.crabdance.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mesa12.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217118; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gservicese.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"listpoints.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"listpoints.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfojhvousdovisovosjoisdovn.con-ip.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gospel.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"horsesnje.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gggb2.dvrdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eweo9264gtuiort.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felipito24.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdvijkrfdsojnlmrfsdojnlmfrdvcj.con-ip.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dxxxxza.dynamic-dns.net"; depth:23; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1217105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eterno.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datastream.myvnc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delamanodedios777.con-ip.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfghgfrdsdcvgtrdxcvplkopsdsdsz.con-ip.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comercio223.con-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217101/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"astucia77.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"center.onthewifi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217100; rev:1;) alert tcp $HOME_NET any -> [5.181.80.139] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217098; rev:1;) alert tcp $HOME_NET any -> [45.137.22.136] 8087 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217097; rev:1;) alert tcp $HOME_NET any -> [192.161.184.21] 24053 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217096; rev:1;) alert tcp $HOME_NET any -> [111.90.147.133] 8080 (msg:"ThreatFox Remcos botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217094; rev:1;) alert tcp $HOME_NET any -> [172.93.164.62] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funkytothebone.giize.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"general.wifi-app.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gggb.dvrdns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grace.adds-only.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1217149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"just-fax303.home-webserver.de"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marknagy44565-36386.portmap.host"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"members-path.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-update-tool.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"online-3450.home-webserver.de"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217154/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217154; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiarus.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p2.is-by.us"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peterzag63.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217157; rev:1;)
# NOTE(review): the content of the next rule is "qgexserver.hopto.orgmodify" - the IOC value appears to
# carry stray trailing text ("modify"). Because depth:26 plus isdataat:!1,relative require a DNS query of
# exactly that 26-byte name, the rule cannot fire for the real name qgexserver.hopto.org (20 bytes) and
# will be dead on the wire. Verify the value against threatfox.abuse.ch/ioc/1217158/ before deploying
# (correct the content+depth pair together, or drop the rule); left byte-identical here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgexserver.hopto.orgmodify"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satgobleien.jumpingcrab.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217159; rev:1;)
alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superherocan.mywire.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"titus102023.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthalways.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tincaanii.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmsuccess.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"svdjvhinvosdhfojsdfdffhdoflsnj.con-ip.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tesoro.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securedbag2021-48502.portmap.host"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spoudel.mywire.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"werberyouse.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"wrzone-srvr-connector-port.windows-updates.co"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wapt.myhome-server.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtwrrtxhssbqsm-fk.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxxza.dynamic-dns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zone.facebook-shoping.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zonewar.ddnsking.com"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udooiuyt.dynamic-dns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217170; rev:1;) alert tcp $HOME_NET any -> [103.14.48.18] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217172; rev:1;) alert tcp $HOME_NET any -> [103.78.0.111] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217173; rev:1;) alert tcp $HOME_NET any -> [146.190.178.31] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217174; rev:1;) alert tcp $HOME_NET any -> [93.123.85.116] 23456 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217175; rev:1;) alert tcp 
$HOME_NET any -> [93.123.85.5] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217176; rev:1;) alert tcp $HOME_NET any -> [93.123.85.6] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217177; rev:1;) alert tcp $HOME_NET any -> [94.142.139.228] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvrsoc.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1217179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217179; rev:1;) alert tcp $HOME_NET any -> [91.92.248.48] 53081 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1217171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217171; rev:1;) alert tcp $HOME_NET any -> [185.244.111.216] 1608 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1217137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91217137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boridqh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213684/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_17; classtype:trojan-activity; sid:91213684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bvhangh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213682/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_17; classtype:trojan-activity; sid:91213682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bonudgd.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213683/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_17; classtype:trojan-activity; sid:91213683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buyfejn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213685/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_17; classtype:trojan-activity; sid:91213685; rev:1;) alert tcp $HOME_NET any -> [185.196.8.22] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213681; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vosal78394-35496.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfwfdsfsdasd.project-nightfall.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f.zapto.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flutrdp.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"groups-opportunity.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"island-households.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kisliycorporait.hopto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"living-progressive.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7vety-47169.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7vety-64001.portmap.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satanishere-48375.portmap.io"; 
depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1214192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91214192; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1214182/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91214182; rev:1;) alert tcp $HOME_NET any -> [15.207.247.39] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213680/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213680; rev:1;) alert tcp $HOME_NET any -> [5.75.147.113] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213679/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_17; classtype:trojan-activity; sid:91213679; rev:1;) alert tcp $HOME_NET any -> [43.143.225.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.225.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213677/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213676; rev:1;) alert tcp $HOME_NET any -> [5.78.41.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruggioil.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/communicate/v1.13/fkgmjlrn"; depth:27; nocase; http.host; content:"ruggioil.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213673; rev:1;) alert tcp $HOME_NET any -> [107.148.42.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213672/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torusdt.vvvvvbeng.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"torusdt.vvvvvbeng.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/communicate/v1.13/fkgmjlrn"; depth:27; nocase; http.host; content:"5.78.41.126"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213669; rev:1;) alert tcp $HOME_NET any -> [5.188.86.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/produce/txt/rdi34hri85"; depth:23; nocase; http.host; content:"5.188.86.24"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/produce/txt/rdi34hri85"; depth:23; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213666; rev:1;) alert tcp $HOME_NET any -> [94.228.168.51] 48315 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/authapiwindows.php"; depth:19; nocase; http.host; content:"650602cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"idealruinrewardesw.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213663/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_17; classtype:trojan-activity; sid:91213663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"silveraquariumjwu.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213662; rev:1;) alert tcp $HOME_NET any -> [185.222.58.239] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213661; rev:1;) alert tcp $HOME_NET any -> [173.212.199.134] 212 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213660; rev:1;) alert tcp $HOME_NET any -> [103.178.235.42] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213644; rev:1;) alert tcp $HOME_NET any -> [185.172.128.31] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213651; rev:1;) alert tcp $HOME_NET any -> [120.48.96.69] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213659/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213659; rev:1;)
# NOTE(review): the ip:port rules below carry confidence_level 50, the lowest value in this span
# (Pikabot / QakBot / "Unknown malware" on ports 2222, 8888 and 443). They are plain TCP-to-ip:port
# matches with no payload or flow condition, so the only thing separating them from benign traffic is
# the IOC itself. Keep them as alert (never convert to drop/reject) and gate any automated blocking or
# ticketing on the confidence_level metadata rather than on the msg text.
alert tcp $HOME_NET any -> [149.28.189.244] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213658/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91213658; rev:1;)
alert tcp $HOME_NET any -> [104.233.210.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213657/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91213657; rev:1;)
alert tcp $HOME_NET any -> [74.12.146.140] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213656/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91213656; rev:1;)
alert tcp $HOME_NET any -> [118.161.10.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213655/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91213655; rev:1;)
alert tcp $HOME_NET any -> [146.90.54.217] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213654/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; 
classtype:trojan-activity; sid:91213654; rev:1;) alert tcp $HOME_NET any -> [162.19.175.57] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213653/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_17; classtype:trojan-activity; sid:91213653; rev:1;) alert tcp $HOME_NET any -> [1.94.67.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213652/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213652; rev:1;) alert tcp $HOME_NET any -> [222.252.4.89] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213650/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213650; rev:1;) alert tcp $HOME_NET any -> [107.172.201.247] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213649/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213649; rev:1;) alert tcp $HOME_NET any -> [194.28.225.34] 27120 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213648; rev:1;) alert tcp $HOME_NET any -> [120.48.96.69] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213647/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213647; rev:1;) alert tcp $HOME_NET any -> [135.181.227.91] 4307 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_17; classtype:trojan-activity; sid:91213646; rev:1;) alert tcp $HOME_NET any -> [185.62.87.239] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213645/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_17; classtype:trojan-activity; sid:91213645; rev:1;) alert tcp $HOME_NET any -> [148.135.18.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"148.135.18.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"107.172.81.115"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1213641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213641; rev:1;) alert tcp $HOME_NET any -> [170.130.55.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"170.130.55.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213639; rev:1;) alert tcp $HOME_NET any -> [5.188.86.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/produce/txt/rdi34hri85"; depth:23; nocase; http.host; content:"5.188.86.24"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftsyst3m.com"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/produce/txt/rdi34hri85"; depth:23; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213635; rev:1;) alert tcp $HOME_NET any -> [114.132.238.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213634/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213634; rev:1;) alert tcp $HOME_NET any -> [5.78.41.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213633/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213633; rev:1;) alert tcp $HOME_NET any -> [85.108.113.75] 1604 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213632; rev:1;) alert tcp $HOME_NET any -> [195.20.16.103] 18305 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213631/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213631; rev:1;) alert tcp $HOME_NET any -> [45.79.116.226] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213630/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213630; rev:1;) alert tcp $HOME_NET any -> [172.232.163.182] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213629/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213629; rev:1;) alert tcp $HOME_NET any -> [78.168.169.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213628/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213628; rev:1;) alert tcp $HOME_NET any -> [59.88.27.251] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213627/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213627; rev:1;) alert tcp $HOME_NET any -> [154.246.129.44] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213626/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213626; rev:1;) alert tcp $HOME_NET any -> [37.210.152.94] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213625/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213625; rev:1;) alert tcp $HOME_NET any -> [85.113.125.169] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213624/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213624; rev:1;) alert tcp $HOME_NET any -> [121.121.101.66] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213623/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213623; rev:1;) alert tcp $HOME_NET any -> [20.246.192.211] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213622/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213622; rev:1;) alert tcp $HOME_NET any -> [107.174.115.43] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213621/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213621; rev:1;) alert tcp $HOME_NET any -> [37.221.197.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213620/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213620; rev:1;) alert tcp $HOME_NET any -> [110.93.229.98] 443 
(msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213619/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213619; rev:1;) alert tcp $HOME_NET any -> [103.12.198.163] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213618/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213618; rev:1;) alert tcp $HOME_NET any -> [91.92.246.215] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213617/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213617; rev:1;) alert tcp $HOME_NET any -> [91.92.246.215] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213616/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213616; rev:1;) alert tcp $HOME_NET any -> [193.3.19.167] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213615/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/carsalepanel/api/endpoint.php"; depth:30; nocase; http.host; content:"94.156.71.160"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updater.exe"; depth:12; nocase; http.host; content:"94.156.71.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"91.92.250.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213614; rev:1;) alert tcp $HOME_NET any -> [95.164.17.248] 25647 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213613; rev:1;) alert tcp $HOME_NET any -> [13.127.166.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213612/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"42.193.178.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"152.136.128.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213605/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detect/remove/90j6clsknaiii"; depth:28; nocase; http.host; content:"192.124.176.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"60.205.115.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"186.64.113.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"77.242.250.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"leaffountainla.fun"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213599; rev:1;) alert tcp $HOME_NET any -> [154.55.135.102] 8888 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213598; rev:1;) alert tcp $HOME_NET any -> [154.55.135.102] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213597; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12419 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213596; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12419 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213595; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 12419 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213594; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12419 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213593; rev:1;) alert tcp $HOME_NET any -> [49.235.72.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213592/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213592; rev:1;) alert tcp $HOME_NET any -> [37.220.31.58] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213591/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213591; rev:1;) alert tcp $HOME_NET any -> [45.145.4.165] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213590/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; 
classtype:trojan-activity; sid:91213590; rev:1;) alert tcp $HOME_NET any -> [124.221.145.245] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213589/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213589; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 18064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213588; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 18064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213587; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 18064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213586; rev:1;) alert tcp $HOME_NET any -> [39.100.85.157] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213585/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213585; rev:1;) alert tcp $HOME_NET any -> [186.64.113.28] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1213584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213584; rev:1;) alert tcp $HOME_NET any -> [91.92.249.243] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213583/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213583; rev:1;) alert tcp $HOME_NET any -> [121.36.226.214] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213582/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213582; rev:1;) alert tcp $HOME_NET any -> [43.139.182.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.220.59.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213580; rev:1;) alert tcp $HOME_NET any -> [139.155.97.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; 
classtype:trojan-activity; sid:91213579; rev:1;) alert tcp $HOME_NET any -> [120.55.188.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213578/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213578; rev:1;) alert tcp $HOME_NET any -> [104.238.149.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213577/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213577; rev:1;) alert tcp $HOME_NET any -> [220.69.33.225] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213576/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213576; rev:1;) alert tcp $HOME_NET any -> [5.42.65.126] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213575/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"catsndogz.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213534; rev:1;) alert tcp $HOME_NET any -> [103.77.240.57] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213558/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_16; classtype:trojan-activity; sid:91213558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.atakehosting.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213559/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_16; classtype:trojan-activity; sid:91213559; rev:1;) alert tcp $HOME_NET any -> [66.135.31.146] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213574/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213574; rev:1;) alert tcp $HOME_NET any -> [189.140.71.71] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213573/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213573; rev:1;) alert tcp $HOME_NET any -> [78.18.253.32] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213572/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213572; rev:1;) alert tcp $HOME_NET any -> [189.239.108.4] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213571/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213571; rev:1;) alert tcp $HOME_NET any -> 
[172.174.227.97] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213570/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213570; rev:1;)
# NOTE(review): rule anatomy for this feed, as seen in the rules below.
# - sid is "9" followed by the ThreatFox IOC id from the reference URL (ioc/1213569 -> sid:91213569),
#   so an alert can be traced back to its ThreatFox entry from the sid alone.
# - every rule is rev:1; the file is presumably regenerated rather than rev-bumped, so local tuning
#   belongs in threshold.config or suricata-update disable.conf keyed on sid or on
#   "metadata: confidence_level N", not in edits to this file (they would be lost on refresh).
# - ip:port rules (alert tcp ... -> [ip] port) carry no flow: keyword, so they match the first
#   client->server packet toward the destination, a bare SYN included. That catches a beacon
#   attempt even when egress is blocked, but an internal scanner or proxy health-check that
#   touches the address is also named by target:src_ip. "threshold: type limit, track by_src,
#   seconds 60, count 1" caps the noise at one alert per source per minute; it does not narrow
#   what matches.
# - url rules match cleartext (or decrypted) HTTP only (alert http + http.host); an HTTPS fetch of
#   the same URL would need a tls.sni rule, and none is present in this section.
# NOTE(review): confidence_level 50 tier. Havoc, Deimos, Brute Ratel C4 and Sliver are C2
# frameworks that are also used by authorized red teams, and most of these land on 80/443/8443
# where a shared host can carry unrelated traffic. Keep this tier alert-only; confirm against the
# referenced ThreatFox entry (and your own engagement calendar) before blocking. All dated
# 2023-12-16; IP indicators of this kind age quickly, re-validate before relying on them.
alert tcp $HOME_NET any -> [37.221.197.42] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213569/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213569; rev:1;)
alert tcp $HOME_NET any -> [87.121.87.101] 444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213568/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213568; rev:1;)
alert tcp $HOME_NET any -> [193.181.23.43] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213567/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213567; rev:1;)
alert tcp $HOME_NET any -> [43.138.25.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213566/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213566; rev:1;)
alert tcp $HOME_NET any -> [199.232.251.221] 9031 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213565/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213565; rev:1;)
alert tcp $HOME_NET any -> [202.70.144.241] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213564/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213564; rev:1;)
alert tcp $HOME_NET any -> [54.249.68.233] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213563/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213563; rev:1;)
alert tcp $HOME_NET any -> [8.212.128.240] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213562/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213562; rev:1;)
alert tcp $HOME_NET any -> [47.108.117.51] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213561/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213561; rev:1;)
alert tcp $HOME_NET any -> [47.108.117.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213560/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_16; classtype:trojan-activity; sid:91213560; rev:1;)
alert tcp $HOME_NET any -> [35.233.57.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213557/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213557; rev:1;)
# NOTE(review): 187.135.128.206 appears in this section on ports 2083, 1926, 2154, 1925, 2000, 1795
# and 2053 (DarkComet, 2023-12-15/16), i.e. the operator is cycling listener ports. Port-qualified
# rules will miss the next port; if the host is confirmed hostile, add a local ip-only companion
# rule (own sid range) or block the address outright. Same pattern for 47.108.117.51 (Sliver,
# 8888 and 31337) above.
alert tcp $HOME_NET any -> [187.135.128.206] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213556/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213556; rev:1;)
alert tcp $HOME_NET any -> [187.135.128.206] 1926 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213555/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213555; rev:1;)
alert tcp $HOME_NET any -> [162.0.237.99] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213554; rev:1;)
# NOTE(review): four NjRAT entries share port 10888 and the same first_seen; the 3.x.x.x and
# 35.x.x.x addresses look like cloud-provider ranges (TODO confirm) that get recycled to other
# tenants, so give these an expiry rather than keeping them indefinitely.
alert tcp $HOME_NET any -> [35.157.111.131] 10888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213553; rev:1;)
alert tcp $HOME_NET any -> [3.126.224.214] 10888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213552; rev:1;)
alert tcp $HOME_NET any -> [3.68.56.232] 10888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213551; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 10888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213550; rev:1;)
alert tcp $HOME_NET any -> [187.135.128.206] 2154 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213549/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213549; rev:1;)
alert tcp $HOME_NET any -> [220.69.33.85] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213548/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213548; rev:1;)
# NOTE(review): url rules. http.host is pinned exactly (depth + isdataat:!1,relative) but http.uri is
# only anchored at the start (depth, no isdataat), so "/l1nc0in.php?x=1" still matches while a
# different Host, or a POST to the same path (http.method is fixed to GET), does not. Do not
# expect these to survive a change of method or vhost; the companion dns / ip:port rules are the
# fallback.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"546346346dod.whiteproducts.ru"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_16; classtype:trojan-activity; sid:91213547; rev:1;)
alert tcp $HOME_NET any -> [172.104.152.7] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213546/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213546; rev:1;)
alert tcp $HOME_NET any -> [118.89.92.68] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213545/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213545; rev:1;)
alert tcp $HOME_NET any -> [147.50.253.242] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213544/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_16; classtype:trojan-activity; sid:91213544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsrequestwindowstraffictestdatalife.php"; depth:40; nocase; http.host; content:"743823cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213543; rev:1;)
alert tcp $HOME_NET any -> [105.97.32.221] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213542/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213542; rev:1;)
alert tcp $HOME_NET any -> [187.135.128.206] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213541/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213541; rev:1;)
alert tcp $HOME_NET any -> [187.135.128.206] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213540/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213540; rev:1;)
alert tcp $HOME_NET any -> [80.87.193.253] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213539/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213539; rev:1;)
alert tcp $HOME_NET any -> [104.237.233.103] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213538/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213538; rev:1;)
alert tcp $HOME_NET any -> [89.40.206.72] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dofor/credentials/76stldex"; depth:27; nocase; http.host; content:"hahnevohjoo.spenserfitolife.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213535; rev:1;)
# NOTE(review): dns rules match the query name exactly (depth + isdataat:!1,relative), so subdomains
# are not covered. With $HOME_NET -> $EXTERNAL_NET as the header, a client behind an internal
# recursive resolver is only seen on the resolver's upstream query, so target:src_ip names the
# resolver rather than the infected host; pair these with resolver query logs, or add a local
# $HOME_NET -> $HOME_NET variant to catch the client leg. The query alone is enough to alert, so
# a sinkholed or NXDOMAIN name still fires.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hahnevohjoo.spenserfitolife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213536; rev:1;)
# NOTE(review): the url rule and the ip:port rule below both cover 85.209.176.46; one download
# will raise both alerts. The url rule (100%) is the higher-fidelity one; the ip:port rule (75%)
# fires on any connection to the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btnyh95.bin"; depth:12; nocase; http.host; content:"85.209.176.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213533; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.46] 80 (msg:"ThreatFox CloudEyE payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213532/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213532; rev:1;)
alert tcp $HOME_NET any -> [141.255.145.87] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213531/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213531; rev:1;)
alert tcp $HOME_NET any -> [163.5.64.89] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213530/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sync.webappclick.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ping.cachespace.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213525; rev:1;)
alert tcp $HOME_NET any -> [185.164.163.172] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213529/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213529; rev:1;)
alert tcp $HOME_NET any -> [185.36.143.123] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213528/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213528; rev:1;)
alert tcp $HOME_NET any -> [168.100.10.84] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213527/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213526; rev:1;)
alert tcp $HOME_NET any -> [141.98.115.16] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213523; rev:1;)
alert tcp $HOME_NET any -> [187.135.128.206] 1795 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213521; rev:1;)
alert tcp $HOME_NET any -> [187.135.128.206] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213522; rev:1;)
alert tcp $HOME_NET any -> [84.54.13.154] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213520; rev:1;)
# NOTE(review): Bashlite on tcp/23 — outbound telnet from $HOME_NET is itself worth an alert on most
# networks; a local $HOME_NET -> $EXTERNAL_NET 23 rule would also catch the next C2 address.
alert tcp $HOME_NET any -> [213.232.235.84] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213519/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_15; classtype:trojan-activity; sid:91213519; rev:1;)
# NOTE(review): 27 "Unknown malware" destinations on tcp/60000, all first_seen 2023-12-15, read like
# one batch submission from a single campaign or tracker; the family is unattributed despite
# confidence_level 100. With no flow: keyword and no payload match, any connection attempt to
# these addresses on 60000 alerts, so a hit tells you "a host reached a listed IP" and nothing
# about what was exchanged. Five addresses sit in 193.239.151.0/24 and three in 91.204.226.0/24;
# a local netblock rule may be more durable than the per-IP entries if those ranges are confirmed.
alert tcp $HOME_NET any -> [43.140.214.81] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213518; rev:1;)
alert tcp $HOME_NET any -> [91.204.226.90] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213516; rev:1;)
alert tcp $HOME_NET any -> [101.132.69.2] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213517; rev:1;)
alert tcp $HOME_NET any -> [159.75.86.129] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213515; rev:1;)
alert tcp $HOME_NET any -> [163.197.212.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213514; rev:1;)
alert tcp $HOME_NET any -> [193.239.151.181] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213512; rev:1;)
alert tcp $HOME_NET any -> [154.3.2.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213513; rev:1;)
alert tcp $HOME_NET any -> [47.113.202.250] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213511; rev:1;)
alert tcp $HOME_NET any -> [123.249.76.157] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213509; rev:1;)
alert tcp $HOME_NET any -> [101.43.248.36] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213510; rev:1;)
alert tcp $HOME_NET any -> [101.42.118.221] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213508; rev:1;)
alert tcp $HOME_NET any -> [118.107.4.157] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213507; rev:1;)
alert tcp $HOME_NET any -> [38.47.101.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213505; rev:1;)
alert tcp $HOME_NET any -> [193.239.151.189] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213506; rev:1;)
alert tcp $HOME_NET any -> [101.132.182.180] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213504; rev:1;)
alert tcp $HOME_NET any -> [193.239.151.169] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213503; rev:1;)
alert tcp $HOME_NET any -> [47.109.65.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213501; rev:1;)
alert tcp $HOME_NET any -> [193.239.151.179] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213502; rev:1;)
alert tcp $HOME_NET any -> [80.71.157.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213500; rev:1;)
alert tcp $HOME_NET any -> [91.204.226.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213498; rev:1;)
alert tcp $HOME_NET any -> [49.113.73.179] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213499; rev:1;)
alert tcp $HOME_NET any -> [60.204.242.13] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213497; rev:1;)
alert tcp $HOME_NET any -> [193.239.151.175] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213495; rev:1;)
alert tcp $HOME_NET any -> [91.204.226.43] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213496; rev:1;)
alert tcp $HOME_NET any -> [47.100.249.61] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213494; rev:1;)
alert tcp $HOME_NET any -> [194.163.151.89] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213493; rev:1;)
alert tcp $HOME_NET any -> [162.14.81.25] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213492; rev:1;)
alert tcp $HOME_NET any -> [103.78.0.159] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213491; rev:1;)
alert tcp $HOME_NET any -> [154.55.139.35] 8080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213490; rev:1;)
alert tcp $HOME_NET any -> [223.87.225.90] 8080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213489; rev:1;)
alert tcp $HOME_NET any -> [119.6.239.83] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213487; rev:1;)
alert tcp $HOME_NET any -> [154.37.152.123] 998 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213488; rev:1;)
# NOTE(review): the domain run below is mostly ordinary-looking .com names (abodetv, vietnamesegourmet,
# commercialinvestmentspecialists, amourhealthcare, ...) at confidence_level 100 with one
# first_seen date; presumably expired or compromised sites repurposed for C2 — TODO confirm on
# the ThreatFox entries. If these go to a resolver blocklist rather than staying alert-only,
# expect some collateral impact on legitimate visitors of the same sites. Exact-name matching
# applies here too: a lookup for a subdomain of any of these does not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nataniela.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"margesommers.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213486; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.abodetv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"internetsilo.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213484; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ufc1tv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmberland11.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icleanzer.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vietnamesegourmet.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"commercialinvestmentspecialists.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wezzyempire.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tv1uk.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpzoo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.wingbuffet.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisbusinessguide.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glassenclosedwine.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prozoneproducts.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.amourhealthcare.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patentnyc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213468; rev:1;)
alert tcp $HOME_NET any -> [91.235.234.236] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faithworkspublishing.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.iqoptionlive.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.callmemitch.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mckeebler.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisvotes.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wipopatentapplication.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captainalpha.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wirtzzemik.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sgadstomative.loan"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldsmostadmiredcompanies.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannacannect.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hy-link.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lajosepithsts.me"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.helloproinc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.wallofmemes.io"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213453; rev:1;) alert tcp $HOME_NET any -> [206.166.251.52] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisneed.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clodycats.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213449; rev:1;) alert tcp $HOME_NET any -> [5.180.114.88] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.dakotapartyride.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.amourhealthcare.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.liannanielsen.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.globalheadmaster.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glassenclosedcellars.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pdlmobility.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1213442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.leadlikeaunicorn.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mckeebler.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisreleaf.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wezzyempire.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dpruttech.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callmemitch.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freecatholicism.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clever-cohen.206-166-251-52.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaaascreative.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2096503.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213432; rev:1;) alert tcp $HOME_NET any -> 
[193.149.185.196] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"censormycrush.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.futboleu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213429; rev:1;) alert tcp $HOME_NET any -> [193.149.129.86] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cucoaver21.freemyip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dishesuypitact.loan"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.helloproinc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usendowment.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.commercialinvestmentspecialists.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.aerosets.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213422; rev:1;) alert tcp $HOME_NET any -> [168.100.10.244] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213423/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213423; rev:1;) alert tcp $HOME_NET any -> [172.86.75.66] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inveess.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213421; rev:1;) alert tcp $HOME_NET any -> [185.164.163.172] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.leathermasterpro.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nettextz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"mightyairducts.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisforamerica.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lynndelagrangeinc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"condorinside.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213413; rev:1;) alert tcp $HOME_NET any -> [138.197.137.42] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerosets.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1213412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213412; rev:1;) alert tcp $HOME_NET any -> [5.180.114.190] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leadlikeaunicorn.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gulahement.loan"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.makesherhappy.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yvews.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213407; 
rev:1;) alert tcp $HOME_NET any -> [168.100.8.42] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aworldmorebright.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213405; rev:1;) alert tcp $HOME_NET any -> [206.188.197.206] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gardenofedencannabis.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213403; rev:1;) alert tcp $HOME_NET any -> [151.236.30.123] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.drxhousecall.com"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dragonandwildrose.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213400; rev:1;) alert tcp $HOME_NET any -> [91.235.234.74] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.infin8love.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213398; rev:1;) alert tcp $HOME_NET any -> [168.100.10.60] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213396; rev:1;) alert tcp $HOME_NET any -> [168.100.8.223] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; 
sid:91213394; rev:1;) alert tcp $HOME_NET any -> [193.168.141.152] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213395; rev:1;) alert tcp $HOME_NET any -> [168.100.10.84] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213393; rev:1;) alert tcp $HOME_NET any -> [45.129.199.250] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213391; rev:1;) alert tcp $HOME_NET any -> [193.42.36.174] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213392; rev:1;) alert tcp $HOME_NET any -> [185.36.143.123] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213390; rev:1;) alert tcp $HOME_NET any -> [185.174.135.12] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1213388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213388; rev:1;) alert tcp $HOME_NET any -> [64.227.147.152] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213389; rev:1;) alert tcp $HOME_NET any -> [168.100.10.217] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213387; rev:1;) alert tcp $HOME_NET any -> [45.129.199.15] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213385; rev:1;) alert tcp $HOME_NET any -> [159.89.160.41] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-202-179-126.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-85-136-8.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213384; rev:1;) alert tcp $HOME_NET any -> [52.5.2.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-213-17-252.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"direwolf-e387f7d985-new-d419a80638dd.herokuapp.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213380; rev:1;) alert tcp $HOME_NET any -> [52.1.126.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ec2-3-235-216-198.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213379; rev:1;) alert tcp $HOME_NET any -> [3.213.17.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213376; rev:1;) alert tcp $HOME_NET any -> [54.167.4.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213377; rev:1;) alert tcp $HOME_NET any -> [41.216.183.23] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213375; rev:1;) alert tcp $HOME_NET any -> [43.243.73.167] 8088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213374; rev:1;) alert tcp $HOME_NET any -> [23.251.32.24] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213372/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213372; rev:1;) alert tcp $HOME_NET any -> [142.171.173.188] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213373; rev:1;) alert tcp $HOME_NET any -> [172.105.29.23] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213371; rev:1;) alert tcp $HOME_NET any -> [193.42.33.150] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213369; rev:1;) alert tcp $HOME_NET any -> [82.115.223.26] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213370; rev:1;) alert tcp $HOME_NET any -> [91.92.249.253] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213368; rev:1;) alert tcp $HOME_NET any -> [193.42.33.14] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213367; rev:1;) alert tcp $HOME_NET any -> [173.212.192.72] 3436 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213365; rev:1;) alert tcp $HOME_NET any -> [173.212.192.72] 3437 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213366; rev:1;) alert tcp $HOME_NET any -> [173.212.192.72] 3435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213364; rev:1;) alert tcp $HOME_NET any -> [173.212.219.45] 3435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213362; rev:1;) alert tcp $HOME_NET any -> [173.212.219.45] 3436 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213363; rev:1;) 
alert tcp $HOME_NET any -> [173.212.219.45] 3437 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213361; rev:1;) alert tcp $HOME_NET any -> [173.212.224.186] 3437 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213359; rev:1;) alert tcp $HOME_NET any -> [142.202.242.196] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213360; rev:1;) alert tcp $HOME_NET any -> [173.212.224.186] 3436 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213358; rev:1;) alert tcp $HOME_NET any -> [161.97.178.199] 3436 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213356; rev:1;) alert tcp $HOME_NET any -> [173.212.224.186] 3435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1213357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213357; rev:1;) alert tcp $HOME_NET any -> [161.97.178.199] 3435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213355; rev:1;) alert tcp $HOME_NET any -> [161.97.178.207] 3436 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213353; rev:1;) alert tcp $HOME_NET any -> [161.97.178.199] 3437 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213354; rev:1;) alert tcp $HOME_NET any -> [161.97.178.207] 3437 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213351; rev:1;) alert tcp $HOME_NET any -> [161.97.178.207] 3435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213352; rev:1;) alert tcp $HOME_NET any -> [161.97.178.201] 3437 (msg:"ThreatFox Venom 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213350; rev:1;) alert tcp $HOME_NET any -> [161.97.178.201] 3435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213348; rev:1;) alert tcp $HOME_NET any -> [161.97.178.201] 3436 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213349; rev:1;) alert tcp $HOME_NET any -> [154.91.64.183] 7800 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213347; rev:1;) alert tcp $HOME_NET any -> [91.92.252.194] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213345; rev:1;) alert tcp $HOME_NET any -> [103.142.9.155] 6688 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213346/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_15; classtype:trojan-activity; sid:91213346; rev:1;) alert tcp $HOME_NET any -> [4.227.176.184] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213344; rev:1;) alert tcp $HOME_NET any -> [45.131.111.98] 7000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.nolog.no"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tysers.ltd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213342; rev:1;) alert tcp $HOME_NET any -> [191.82.205.177] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213339; rev:1;) alert tcp $HOME_NET any -> [91.109.188.4] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213340; rev:1;) alert tcp $HOME_NET any -> [191.17.127.135] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213338; rev:1;) alert tcp $HOME_NET any -> [5.161.225.245] 8008 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213337; rev:1;) alert tcp $HOME_NET any -> [91.92.253.185] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-238-196-57.ap-northeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bancsabadell-info.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213335/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213335; rev:1;) alert tcp $HOME_NET any -> [178.236.246.142] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-evobanco-info.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peace.rbear.ir"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.143-198-109-200.cprapid.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"es-info-bancamarch.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213330; rev:1;) alert tcp $HOME_NET any -> [139.162.128.215] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blissful-wescoff.195-85-207-218.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213328; rev:1;) alert tcp $HOME_NET any -> [188.120.234.10] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213325; rev:1;) alert tcp $HOME_NET any -> [51.250.100.208] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213326; rev:1;) alert tcp $HOME_NET any -> [193.42.33.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"157-230-101-205.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1213322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vigilant-ritchie.195-85-207-218.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zen-wiles.91-215-85-177.plesk.page"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.eloquent-lehmann.195-85-207-218.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213321; rev:1;) alert tcp $HOME_NET any -> [163.5.64.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213318; rev:1;) alert tcp $HOME_NET any -> [85.209.176.55] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213319; rev:1;) alert tcp $HOME_NET any -> [158.160.64.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avalexmebel.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213315; rev:1;) alert tcp $HOME_NET any -> [143.198.109.200] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elofffssamoilov2.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal2.crispoltd.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213314; rev:1;) alert tcp $HOME_NET any -> [38.6.187.146] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213312; rev:1;) alert tcp $HOME_NET any -> [45.150.65.142] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xenodochial-burnell.195-85-207-218.plesk.page"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.fatimafoods.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"journalofasianmartialarts.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-bancsabadell.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1213308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213308; rev:1;) alert tcp $HOME_NET any -> [161.97.107.72] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nerdmining.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213306; rev:1;) alert tcp $HOME_NET any -> [195.2.85.14] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213304; rev:1;) alert tcp $HOME_NET any -> [91.92.248.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213302; rev:1;) alert tcp $HOME_NET any -> [157.230.101.205] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213303; rev:1;) alert tcp $HOME_NET any -> [46.28.44.28] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pia.australiasoutheast.cloudapp.azure.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213300; rev:1;) alert tcp $HOME_NET any -> [4.198.144.143] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alderwood-staging.creativefolks.dev"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-132-68-205.eu-west-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213298; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1213296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213296; rev:1;) alert tcp $HOME_NET any -> [37.1.208.229] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213295; rev:1;) alert tcp $HOME_NET any -> [37.1.208.229] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213294; rev:1;) alert tcp $HOME_NET any -> [37.1.208.229] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213293; rev:1;) alert tcp $HOME_NET any -> [103.195.103.33] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213292; rev:1;) alert tcp $HOME_NET any -> [95.216.41.33] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213290; rev:1;) alert tcp $HOME_NET any -> [185.62.87.247] 4444 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213291; rev:1;) alert tcp $HOME_NET any -> [91.92.248.72] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213289; rev:1;) alert tcp $HOME_NET any -> [142.202.240.78] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213288; rev:1;) alert tcp $HOME_NET any -> [187.24.7.81] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213286; rev:1;) alert tcp $HOME_NET any -> [136.175.8.57] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213287; rev:1;) alert tcp $HOME_NET any -> [5.161.200.142] 333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213285/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_15; classtype:trojan-activity; sid:91213285; rev:1;) alert tcp $HOME_NET any -> [181.32.146.243] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213283; rev:1;) alert tcp $HOME_NET any -> [91.92.248.48] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213284; rev:1;) alert tcp $HOME_NET any -> [185.62.87.237] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213282; rev:1;) alert tcp $HOME_NET any -> [86.38.203.94] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213281; rev:1;) alert tcp $HOME_NET any -> [45.129.199.38] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213280/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_15; classtype:trojan-activity; sid:91213280; rev:1;) alert tcp $HOME_NET any -> [192.109.119.100] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213279/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_15; classtype:trojan-activity; sid:91213279; rev:1;) alert tcp $HOME_NET any -> [46.246.98.47] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213278/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_15; classtype:trojan-activity; sid:91213278; rev:1;) alert tcp $HOME_NET any -> [47.100.87.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213277; rev:1;) alert tcp $HOME_NET any -> [104.238.181.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213276; rev:1;) alert tcp $HOME_NET any -> [193.201.9.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213275; rev:1;) alert tcp $HOME_NET any -> [174.138.19.103] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213274; rev:1;) alert tcp $HOME_NET any 
-> [101.34.79.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213273; rev:1;) alert tcp $HOME_NET any -> [101.34.79.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213272; rev:1;) alert tcp $HOME_NET any -> [45.152.66.91] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213271; rev:1;) alert tcp $HOME_NET any -> [206.119.117.215] 30005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213270; rev:1;) alert tcp $HOME_NET any -> [123.125.21.158] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213269; rev:1;) alert tcp $HOME_NET any -> [45.145.4.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1213268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213268; rev:1;) alert tcp $HOME_NET any -> [60.204.226.254] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213267; rev:1;) alert tcp $HOME_NET any -> [60.204.226.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213266; rev:1;) alert tcp $HOME_NET any -> [87.121.87.101] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213265; rev:1;) alert tcp $HOME_NET any -> [87.121.87.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213264; rev:1;) alert tcp $HOME_NET any -> [54.169.49.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213263; rev:1;) alert tcp $HOME_NET any -> [8.219.58.146] 8089 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213262; rev:1;) alert tcp $HOME_NET any -> [103.158.37.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213261; rev:1;) alert tcp $HOME_NET any -> [8.217.250.206] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213260; rev:1;) alert tcp $HOME_NET any -> [121.41.116.17] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213259; rev:1;) alert tcp $HOME_NET any -> [121.41.116.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213258; rev:1;) alert tcp $HOME_NET any -> [123.60.71.211] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213257/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213257; rev:1;) alert tcp $HOME_NET any -> [15.205.128.169] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213256; rev:1;) alert tcp $HOME_NET any -> [15.205.128.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213255; rev:1;) alert tcp $HOME_NET any -> [101.43.31.16] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213254; rev:1;) alert tcp $HOME_NET any -> [81.70.28.115] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213253; rev:1;) alert tcp $HOME_NET any -> [121.43.114.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213252; rev:1;) alert tcp $HOME_NET any -> [47.115.203.204] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213250; rev:1;) alert tcp $HOME_NET any -> [47.115.203.204] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213251; rev:1;) alert tcp $HOME_NET any -> [38.207.176.111] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213249; rev:1;) alert tcp $HOME_NET any -> [47.122.47.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213247; rev:1;) alert tcp $HOME_NET any -> [100.25.194.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213248; rev:1;) alert tcp $HOME_NET any -> [47.122.47.165] 28800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213246; rev:1;) alert tcp $HOME_NET any -> [47.109.40.216] 833 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213245; rev:1;) alert tcp $HOME_NET any -> [116.62.33.0] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213243; rev:1;) alert tcp $HOME_NET any -> [47.100.180.123] 30005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213244; rev:1;) alert tcp $HOME_NET any -> [20.106.253.207] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213242; rev:1;) alert tcp $HOME_NET any -> [101.200.84.59] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213240; rev:1;) alert tcp $HOME_NET any -> [149.28.90.119] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213241; rev:1;) alert tcp $HOME_NET any -> [91.92.251.4] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213238; rev:1;) alert tcp $HOME_NET any -> [124.222.98.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213239; rev:1;) alert tcp $HOME_NET any -> [114.55.3.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213237; rev:1;) alert tcp $HOME_NET any -> [23.159.160.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213236; rev:1;) alert tcp $HOME_NET any -> [123.14.145.3] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213235; rev:1;) alert tcp 
$HOME_NET any -> [39.100.78.58] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213234; rev:1;) alert tcp $HOME_NET any -> [23.227.199.174] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213233; rev:1;) alert tcp $HOME_NET any -> [45.135.162.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213231; rev:1;) alert tcp $HOME_NET any -> [152.89.198.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213232; rev:1;) alert tcp $HOME_NET any -> [23.94.2.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213230; rev:1;) alert tcp $HOME_NET any -> [85.208.109.15] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1213228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213228; rev:1;) alert tcp $HOME_NET any -> [47.109.77.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213229; rev:1;) alert tcp $HOME_NET any -> [47.122.41.139] 28800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213227; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213225; rev:1;) alert tcp $HOME_NET any -> [210.87.108.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213226; rev:1;) alert tcp $HOME_NET any -> [111.229.225.13] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213224; rev:1;) alert tcp $HOME_NET any -> [38.147.171.70] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213222; rev:1;) alert tcp $HOME_NET any -> [39.105.126.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213223; rev:1;) alert tcp $HOME_NET any -> [47.120.47.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213221; rev:1;) alert tcp $HOME_NET any -> [120.79.24.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213219; rev:1;) alert tcp $HOME_NET any -> [8.130.43.95] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213220; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 18082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213218/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213218; rev:1;) alert tcp $HOME_NET any -> [91.92.241.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213217; rev:1;) alert tcp $HOME_NET any -> [120.55.90.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213216; rev:1;) alert tcp $HOME_NET any -> [43.139.208.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213215; rev:1;) alert tcp $HOME_NET any -> [120.76.250.13] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213214; rev:1;) alert tcp $HOME_NET any -> [47.243.236.236] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213212; rev:1;) alert tcp $HOME_NET any -> [124.220.59.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213213; rev:1;) alert tcp $HOME_NET any -> [94.156.65.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213210; rev:1;) alert tcp $HOME_NET any -> [117.72.39.83] 33333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213211; rev:1;) alert tcp $HOME_NET any -> [219.128.25.2] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213209; rev:1;) alert tcp $HOME_NET any -> [79.124.40.106] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213207; rev:1;) alert tcp $HOME_NET any -> [89.23.113.50] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213208; rev:1;) alert tcp $HOME_NET any -> [107.172.81.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213206; rev:1;) alert tcp $HOME_NET any -> [120.77.41.68] 7896 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213204; rev:1;) alert tcp $HOME_NET any -> [118.178.236.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213205; rev:1;) alert tcp $HOME_NET any -> [107.175.222.249] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213202; rev:1;) alert tcp $HOME_NET any -> [20.187.71.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213203; rev:1;) alert tcp $HOME_NET any -> [85.209.11.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213201; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 50110 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213199; rev:1;) alert tcp $HOME_NET any -> [198.23.208.20] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213200; rev:1;) alert tcp $HOME_NET any -> [142.171.230.28] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213198; rev:1;) alert tcp $HOME_NET any -> [45.77.40.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213196; rev:1;) alert tcp $HOME_NET any -> [207.148.107.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213197; rev:1;) alert tcp 
$HOME_NET any -> [62.234.58.74] 8056 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213195; rev:1;) alert tcp $HOME_NET any -> [117.72.13.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213194; rev:1;) alert tcp $HOME_NET any -> [39.108.173.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213193; rev:1;) alert tcp $HOME_NET any -> [141.164.38.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-100-25-194-161.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213192; rev:1;) alert tcp $HOME_NET any -> [38.45.67.115] 8100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1213190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213190; rev:1;) alert tcp $HOME_NET any -> [81.68.210.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213189; rev:1;) alert tcp $HOME_NET any -> [47.242.177.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213187; rev:1;) alert tcp $HOME_NET any -> [120.24.213.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213188; rev:1;) alert tcp $HOME_NET any -> [52.195.1.87] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213186; rev:1;) alert tcp $HOME_NET any -> [146.70.93.18] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213185; rev:1;) alert tcp $HOME_NET any -> [34.28.72.212] 
40005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-124-71-84-65.compute.hwclouds-dns.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rockhvn.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wm.yideng.co"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crm.zktaoli.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hssecinfo.com"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"publicstorage.tevora.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-144-104-21.us-east-2.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213177; rev:1;) alert tcp $HOME_NET any -> [167.179.93.21] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213176/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213176; rev:1;) alert tcp $HOME_NET any -> [45.67.228.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213175/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213175; rev:1;) alert tcp $HOME_NET any -> [62.234.26.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213174/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_15; classtype:trojan-activity; sid:91213174; rev:1;) alert tcp $HOME_NET any -> [38.59.124.61] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213173/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213173; rev:1;) alert tcp $HOME_NET any -> [141.255.156.189] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213172/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213172; rev:1;) alert tcp $HOME_NET any -> [37.210.173.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213171/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213171; rev:1;) alert tcp $HOME_NET any -> [39.40.129.186] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213170/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213170; rev:1;) alert tcp $HOME_NET any -> [197.1.173.131] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213169/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213169; rev:1;) alert tcp $HOME_NET any -> [201.137.220.120] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1213168/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213168; rev:1;) alert tcp $HOME_NET any -> [38.133.206.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213167/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213167; rev:1;) alert tcp $HOME_NET any -> [193.142.30.223] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213166/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213166; rev:1;) alert tcp $HOME_NET any -> [13.237.247.254] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213165/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213165; rev:1;) alert tcp $HOME_NET any -> [91.121.44.23] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213164/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213164; rev:1;) alert tcp $HOME_NET any -> [136.244.66.89] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213163/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91213163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"my.makarna.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lingerescapecleanwja.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213160; rev:1;) alert tcp $HOME_NET any -> [34.152.28.134] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213161/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; 
http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213113/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213109; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1213129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; 
http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213146/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"cream.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"stoon.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213150; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"needs.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"hitsturbo.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213155; rev:1;)
# hitsturbo.com payload-delivery domains (ThreatFox IOCs 1213156-1213159).
# Match semantics: in the dns_query buffer a depth equal to the content length anchors the
# name at offset 0, and isdataat:!1,relative requires that no byte follows it, so each rule
# fires only on that exact FQDN (case-insensitive via nocase). The apex rule (hitsturbo.com)
# therefore does NOT cover stoon./cream./needs.hitsturbo.com - each subdomain has its own
# sid, and a new, unlisted subdomain will not alert until a rule is added for it.
# Direction is $HOME_NET -> $EXTERNAL_NET, so target:src_ip tags the host that sent the
# query; if clients resolve through an internal recursive resolver, the resolver is what
# the sensor sees as source - correlate with resolver logs to find the real client.
# sid is the ThreatFox IOC id prefixed with 9, so the sid alone identifies the reference URL.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hitsturbo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213156; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stoon.hitsturbo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213157; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cream.hitsturbo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"needs.hitsturbo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"cccpakunataslasclass2.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213090/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213090; rev:1;)
# cccpakunataslasclass3-6.net (IOCs 1213091-1213094): the same URI path as the rule above
# on sequentially numbered hosts. URL rules in this feed match the URI as a PREFIX (depth
# with no isdataat on http.uri, so "/mtq4mmuxodbhmtvi/anything" also hits) but the Host
# header EXACTLY (isdataat:!1,relative on http.host). flow:established,from_client means a
# completed handshake with the request on the wire is required - a blocked or unanswered
# connection attempt will not fire; rely on the dns / ip:port rules for first-attempt visibility.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"cccpakunataslasclass3.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213091/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"cccpakunataslasclass4.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213092/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"cccpakunataslasclass5.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213093/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"cccpakunataslasclass6.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213094/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213094; rev:1;)
# vilnodumci.top (IOC 1213095): same URL-rule shape, different path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"vilnodumci.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213095/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213095; rev:1;)
# /hntfixedfolderpath/ on six different hosts (IOCs 1213096-1213101): three bare IPs in
# 163.5.0.0/16 and three random-looking .com names. The shared path is the durable part of
# this indicator; the hosts are the part most likely to change. NOTE(review): a path-only
# rule (no host match) would also catch new hosts, at the cost of possible false positives -
# evaluate against your traffic before adding one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hntfixedfolderpath/"; depth:20; nocase; http.host; content:"163.5.169.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213096/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hntfixedfolderpath/"; depth:20; nocase; http.host; content:"163.5.169.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213097/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hntfixedfolderpath/"; depth:20; nocase; http.host; content:"163.5.210.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213098/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hntfixedfolderpath/"; depth:20; nocase; http.host; content:"6r0yncqzffklht1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213100/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hntfixedfolderpath/"; depth:20; nocase; http.host; content:"i7s67moz66xl1zz.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213099/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hntfixedfolderpath/"; depth:20; nocase; http.host; content:"xssjtuc2ncu8xx1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213101/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213101; rev:1;)
# ip:port C2 rules (IOCs 1213083-1213089). These carry no flow or payload condition: any
# TCP packet from $HOME_NET to the listed address and port matches, including an unanswered
# SYN (good for seeing beacon attempts, but an internal scanner touching the host fires too).
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one alert per
# source IP per minute. Bare-IP indicators age quickly - check the reference URL for the
# IOC's current status before turning any of these into a block.
alert tcp $HOME_NET any -> [95.164.89.155] 24026 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213089; rev:1;)
# 3790/tcp is the default port of the Metasploit Pro web service, which is consistent with
# the Meterpreter label; still an IP-only indicator at 80% confidence.
alert tcp $HOME_NET any -> [13.233.131.40] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213088/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213088; rev:1;)
# Cobalt Strike on a bare IP over port 80: every plain-HTTP connection attempt to that host
# fires regardless of content; 80% confidence.
alert tcp $HOME_NET any -> [193.201.9.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213087/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91213087; rev:1;)
# URI "/api" with depth:4 and no isdataat is a prefix match (any path starting with /api);
# the host tidyrespectexpow.fun is matched exactly, which is what keeps this specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tidyrespectexpow.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1213086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213086; rev:1;)
alert tcp $HOME_NET any -> [172.232.170.25] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213084; rev:1;)
alert tcp $HOME_NET any -> [65.20.115.154] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91213085; rev:1;)
alert tcp $HOME_NET any -> [181.41.200.232] 1349 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1213083/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_15; classtype:trojan-activity; sid:91213083; rev:1;)
# .pw C2 domains at 75% confidence. This run covers IOCs 1213056-1213082 and 1213020-1213055
# (sids 91213020-91213082), followed by a .fun set starting at IOC 1212990. Unlike the
# ip:port rules above, the msg names no malware family. The names read as concatenated
# dictionary words with a short random suffix, which looks like bulk registration or a DGA -
# that is inference from the names only, not something the feed states. Each rule is an
# exact-FQDN DNS match (depth = content length, isdataat:!1,relative) and fires
# independently, so one infected client can raise dozens of distinct sids; these are good
# hunting / correlation signals grouped by source IP, but at medium confidence they are a
# weak standalone trigger for automated blocking. NOTE(review): consider a by_src threshold
# or suppression across the sid range if they turn out noisy.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deletefateoow.pw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213056/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"perceivedomerusp.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213057/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"showerreigerniop.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213058/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fortunedomerussea.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213059/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"offerdelicateros.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213060/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hearpoundesweety.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213061/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"musclechannelnomi.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213062/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"definefolkeloi.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213063/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"settlehillcanne.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213064/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"discriminationcagerf.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213065/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"turkeyjoystickesp.pw"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213066/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lawitemymodelefr.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213067/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fowlcirlenospp.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213068/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"likehulkinggera.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213069/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rosemoonsleeptoe.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213070/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"effluxcoltural.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213071/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"linearcarerefs.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213072/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"saffronmontybrisk.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213073/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"drilledtonerconc.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213074/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"massagemotipoole.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213075/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tropicanimjrka.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213076/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213076; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"resortredrobenris.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213077/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tarantulamalaguenrr.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213078/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arrogantcatfishef.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213079/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"showpumpkicartsl.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213080/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"geminiflattyord.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213081/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"macaronnicoccker.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213082/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frighteninflatejuwi.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213020/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"declineconclusioniwo.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213021/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ribbonfolkcrownyy.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213022/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"beenovelskilleoiw.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213023/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ruleborderdynamiciw.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1213024/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"quitstrikesizeowo.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213025/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cherryopposedii.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213026/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"troubleexemptioni.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213027/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"baseballleadrwio.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213028/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"occupytapsessijk.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213029/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gracecassettecretw.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213030/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dancenegotiationffi.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213031/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unawarealarmtwinjje.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213032/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tankqueueipjsh.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213033/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"funeralmaximumjsju.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213034/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"assignmentfinalyy.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213035/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"referralpublicationjk.pw"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213036/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secondrailroadoikj.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213037/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"episodeterrifylat.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213038/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flowseasonallissoo.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213039/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"albumerrorregisetep.pw"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213040/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gatelistcoldyeisa.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213041/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"factorxharasswe.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213042/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conservationsownk.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213043/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"suppresssectionje.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213044/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"laborermemorandumjes.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213045/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"swarmseasonbuckoo.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213046/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"formansnappybel.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213047/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banananationalists.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213048/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"piggepawneillusio.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213049/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"possibilitydespaw.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213050/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213050; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"portionetensioaw.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213051/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conceptcallewrige.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213052/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"speakeminoritetea.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213053/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stabsicknessord.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213054/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wakereviewhuwee.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213055/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"sentimentprecisio.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212990/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crudeleavelegendew.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212991/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"issuefightgreetw.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212992/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"delivernoteturnwjkl.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212993/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cinemaretailermkw.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212994/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"coldcoercekowja.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1212995/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eliminatechemistrywj.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212996/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"healdieplayeriw.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212997/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tidecharityhouseow.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212998/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"refereealivewhu.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212999/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"baseballherdowf.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213000/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91213000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"missileverdictwj.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213001/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lingerescapecleanwja.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213002/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"godlawyerfeelkw.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213003/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"personalpromiseo.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213004/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"climbavantgardefe.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213005/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"diagramfiremonkeyowwa.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213006/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dayfarrichjwclik.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213007/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neighborhoodfeelsa.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213008/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dominantwidthwuiw.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213009/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sofacalendareffewx.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213010/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"activitymousetaitrwws.fun"; 
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213011/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soupinterestoe.fun"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213012/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"castlesideopwas.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213013/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neutralpastureop.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213014/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ensurerecommendedd.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213015/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"limitedconvertjiw.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213016/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"societylaboratoryuw.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213017/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flatmourningdressow.pw"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213018/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"scanintegrutybatowss.pw"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1213019/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91213019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moodanvoterowklam.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212979/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"awareforcemouthwjji.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212980/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212980; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"refusemiserableofka.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212981/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"confineconcertjuuioa.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212982/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tidyrespectexpow.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212983/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"beachterminaldiff.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212984/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hotcowerrecoreeew.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212985/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"managertraditionwjua.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212986/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"respectablegirlwfwa.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212987/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"magazineaccountantw.fun"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212988/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"makegreatagaintwwi.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212989/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geosecure/cpu/http4voiddbprivate/6phpdownloadspoll/videovmlineprocessauthgameprotectbasetrackuploads.php"; depth:105; nocase; http.host; content:"188.120.254.27"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212978; rev:1;) alert tcp $HOME_NET any -> 
[91.92.241.115] 12393 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212971; rev:1;) alert tcp $HOME_NET any -> [103.143.248.179] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212977; rev:1;) alert tcp $HOME_NET any -> [5.188.183.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"5.188.183.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.40.254.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212973; rev:1;) alert tcp $HOME_NET any -> [45.139.10.69] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212972/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voiceai.olimpiadidellacultura.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nz.voicechangeai.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212911; rev:1;) alert tcp $HOME_NET any -> [185.215.113.71] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212966; rev:1;) alert tcp $HOME_NET any -> [42.193.108.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212970/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212970; rev:1;) alert tcp $HOME_NET any -> [172.232.173.141] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212967; rev:1;) alert tcp $HOME_NET any -> [45.76.98.136] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212968; rev:1;) alert tcp $HOME_NET any -> [154.211.12.126] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212969; rev:1;) alert tcp $HOME_NET any -> [154.38.188.188] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212965; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14218 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212964; rev:1;) 
alert tcp $HOME_NET any -> [18.192.93.86] 14218 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212963; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14218 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212962; rev:1;) alert tcp $HOME_NET any -> [31.220.99.254] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212961; rev:1;) alert tcp $HOME_NET any -> [91.92.249.253] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212960; rev:1;) alert tcp $HOME_NET any -> [139.162.233.175] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212959/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212959; rev:1;) alert tcp $HOME_NET any -> [39.100.85.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212958/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212958; rev:1;) alert tcp $HOME_NET any -> [139.99.222.29] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212955; rev:1;) alert tcp $HOME_NET any -> [54.37.79.82] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212956; rev:1;) alert tcp $HOME_NET any -> [57.128.109.221] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keebling.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"baumbachers.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"ionister.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ts1m/0.9664885522260009.dat"; depth:28; nocase; http.host; content:"ionister.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wdmfb/0.3471177474760533.dat"; depth:29; nocase; http.host; content:"baumbachers.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y0j85xt/0.4035500292244842.dat"; depth:31; nocase; http.host; content:"keebling.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"occupytapsessijk.pw"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.136.14.51"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.40.69.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212944; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"182.92.102.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"110.41.11.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.176.178.88"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212941; rev:1;) alert tcp $HOME_NET any -> [156.234.211.226] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212940; rev:1;) alert tcp $HOME_NET any -> [121.37.215.155] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212939/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.smwanyi1.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212938; rev:1;) alert tcp $HOME_NET any -> [5.188.183.171] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212937; rev:1;) alert tcp $HOME_NET any -> [116.204.98.225] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qianxin.today"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212935; rev:1;) alert tcp $HOME_NET any -> [47.111.182.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"ns3.aliyunn.com.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.aliyunn.com.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.aliyunn.com.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212931; rev:1;) alert tcp $HOME_NET any -> [117.50.178.197] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.microsoftgame.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; 
content:"163.5.64.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.microsoftgame.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.microsoftgame.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"60.204.139.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212925; rev:1;) alert tcp $HOME_NET any -> [114.132.159.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c1.ericleexx.com"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1212923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212923; rev:1;) alert tcp $HOME_NET any -> [43.139.189.54] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n1.johnchen88.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212921; rev:1;) alert tcp $HOME_NET any -> [124.223.7.200] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212920; rev:1;) alert tcp $HOME_NET any -> [155.94.182.212] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.sojuan.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212918; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.sojuan.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.222.162.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212914; rev:1;) alert tcp $HOME_NET any -> [114.132.48.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212913/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212913; rev:1;) alert tcp $HOME_NET any -> [213.109.202.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212912/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"31.44.184.232"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; depth:56; nocase; http.host; content:"107.172.0.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212907; rev:1;) alert tcp $HOME_NET any -> [85.195.105.96] 4040 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css3/index2.shtml"; depth:18; nocase; http.host; content:"146.70.87.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212905; rev:1;) alert tcp $HOME_NET any -> [152.89.198.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/broadcast"; depth:10; nocase; http.host; content:"152.89.198.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212903; rev:1;) alert tcp $HOME_NET any -> [57.128.103.99] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212902/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212902; rev:1;) alert tcp $HOME_NET any -> [141.95.108.252] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212901/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212901; rev:1;) alert tcp $HOME_NET any -> [121.36.82.215] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212900/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212900; rev:1;) alert tcp $HOME_NET any -> [64.176.225.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212899/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212899; rev:1;) alert tcp $HOME_NET any -> [8.137.59.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212898/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212898; rev:1;) alert tcp $HOME_NET any -> [74.48.37.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212897/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212897; rev:1;) alert tcp $HOME_NET any -> [103.146.179.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212896/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212896; rev:1;) 
alert tcp $HOME_NET any -> [18.162.41.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212895/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212895; rev:1;) alert tcp $HOME_NET any -> [143.198.82.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212894/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212894; rev:1;) alert tcp $HOME_NET any -> [39.98.204.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212893/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212893; rev:1;) alert tcp $HOME_NET any -> [142.171.111.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212892/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212892; rev:1;) alert tcp $HOME_NET any -> [83.110.95.233] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212891/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212891; rev:1;) alert tcp $HOME_NET any -> [41.99.104.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212890/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212890; rev:1;) alert tcp $HOME_NET any -> [154.247.69.81] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212889/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212889; rev:1;) alert tcp $HOME_NET any -> [142.154.4.9] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212888/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212888; rev:1;) alert tcp $HOME_NET any -> [94.49.43.7] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212887/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212887; rev:1;) alert tcp $HOME_NET any -> [83.110.94.40] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212886/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212886; rev:1;) alert tcp $HOME_NET any -> [92.97.230.204] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212885/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212885; rev:1;) alert tcp $HOME_NET any -> [20.16.84.136] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212884/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212884; rev:1;) alert tcp $HOME_NET any -> [164.92.183.96] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212883/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212883; rev:1;) alert tcp $HOME_NET any -> [134.209.38.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212882/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212882; rev:1;) alert tcp $HOME_NET any -> [216.146.25.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212881/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212881; rev:1;) alert tcp $HOME_NET any -> [4.227.178.226] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212880/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212880; rev:1;) alert tcp $HOME_NET any -> [35.79.47.244] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212879/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212879; rev:1;) 
alert tcp $HOME_NET any -> [34.125.64.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212878/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212878; rev:1;) alert tcp $HOME_NET any -> [8.220.195.135] 45887 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212877/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212877; rev:1;) alert tcp $HOME_NET any -> [8.220.195.135] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212876/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212876; rev:1;) alert tcp $HOME_NET any -> [15.223.51.227] 4444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212875/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212875; rev:1;) alert tcp $HOME_NET any -> [38.242.209.185] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212854/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212854; rev:1;) alert tcp $HOME_NET any -> [43.129.215.239] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212855/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212855; rev:1;) alert tcp $HOME_NET any -> [45.77.68.120] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212856/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212856; rev:1;) alert tcp $HOME_NET any -> [77.91.68.52] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212857/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212857; rev:1;) alert tcp $HOME_NET any -> [80.108.50.31] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212858/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212858; rev:1;) alert tcp $HOME_NET any -> [89.111.137.14] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212859/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212859; rev:1;) alert tcp $HOME_NET any -> [91.92.245.159] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212860/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212860; rev:1;) alert tcp $HOME_NET any -> [91.92.249.240] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1212861/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212861; rev:1;) alert tcp $HOME_NET any -> [118.107.43.36] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212862/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212862; rev:1;) alert tcp $HOME_NET any -> [118.107.43.66] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212863/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212863; rev:1;) alert tcp $HOME_NET any -> [135.148.144.188] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212865/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212865; rev:1;) alert tcp $HOME_NET any -> [118.107.43.86] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212864/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212864; rev:1;) alert tcp $HOME_NET any -> [152.89.198.187] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212866/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212866; rev:1;) alert tcp $HOME_NET any -> [159.65.52.64] 80 (msg:"ThreatFox ERMAC botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212868/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212868; rev:1;) alert tcp $HOME_NET any -> [158.160.76.97] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212867/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212867; rev:1;) alert tcp $HOME_NET any -> [184.94.212.153] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212869/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212869; rev:1;) alert tcp $HOME_NET any -> [193.201.9.62] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212870/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212870; rev:1;) alert tcp $HOME_NET any -> [193.233.254.183] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212871/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212871; rev:1;) alert tcp $HOME_NET any -> [194.33.191.54] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212872/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212872; rev:1;) alert 
tcp $HOME_NET any -> [194.33.191.188] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212873/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212873; rev:1;) alert tcp $HOME_NET any -> [199.247.21.128] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212874/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212874; rev:1;) alert tcp $HOME_NET any -> [91.92.251.71] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212853/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212853; rev:1;) alert tcp $HOME_NET any -> [77.105.132.161] 5723 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212852; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11009 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212729; rev:1;) alert tcp $HOME_NET any -> [216.170.120.141] 42069 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212730/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212730; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 11426 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212731; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 30202 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212732; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 41931 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212733; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 49810 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212734; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 51799 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212735; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 51972 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212736; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 61946 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212737; rev:1;) alert tcp $HOME_NET any -> [46.55.218.169] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6012.punkdns.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"betadns.phatbois.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfwfdsfsdasd.project-nightfall.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212742/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dololow.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212743; rev:1;) alert tcp $HOME_NET any -> [173.249.26.59] 80 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212839; rev:1;) alert tcp $HOME_NET any -> [173.249.26.59] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212840; rev:1;) alert tcp $HOME_NET any -> [51.89.216.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212851/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212851; rev:1;) alert tcp $HOME_NET any -> [157.245.12.168] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212850/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_15; classtype:trojan-activity; sid:91212850; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 13003 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212849; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 13003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212848; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 13003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212847; rev:1;) alert tcp $HOME_NET any -> [91.92.247.16] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212846/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"couriercare.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212845/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212845; rev:1;) alert tcp $HOME_NET any -> [91.92.250.149] 80 (msg:"ThreatFox Mars Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212844/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; 
classtype:trojan-activity; sid:91212844; rev:1;) alert tcp $HOME_NET any -> [77.91.76.47] 33144 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fks/index.php"; depth:14; nocase; http.host; content:"185.215.113.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212842/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_15; classtype:trojan-activity; sid:91212842; rev:1;) alert tcp $HOME_NET any -> [118.195.254.54] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212841; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 13549 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212838; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 13549 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212837; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 13549 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_15; classtype:trojan-activity; sid:91212836; rev:1;) alert tcp $HOME_NET any -> [91.92.246.39] 80 (msg:"ThreatFox Mars Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212835/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_15; classtype:trojan-activity; sid:91212835; rev:1;) alert tcp $HOME_NET any -> [101.35.4.152] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212834; rev:1;) alert tcp $HOME_NET any -> [83.97.79.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212833/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212833; rev:1;) alert tcp $HOME_NET any -> [47.101.170.17] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212832; rev:1;) alert tcp $HOME_NET any -> [168.100.8.223] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212831/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212831; rev:1;) alert tcp $HOME_NET any -> [151.236.30.123] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212830/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_14; classtype:trojan-activity; sid:91212830; rev:1;) alert tcp $HOME_NET any -> [91.235.234.236] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212829/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_14; classtype:trojan-activity; sid:91212829; rev:1;) alert tcp $HOME_NET any -> [192.124.176.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212828/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.100.78.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212827; rev:1;) alert tcp $HOME_NET any -> [31.210.51.93] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212826/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212826; rev:1;) alert tcp $HOME_NET any -> [185.187.170.127] 9000 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212825/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212825; rev:1;) alert tcp $HOME_NET any -> [38.59.124.61] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212824/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212824; rev:1;) alert tcp $HOME_NET any -> [154.247.95.30] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212823/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212823; rev:1;) alert tcp $HOME_NET any -> [141.255.153.13] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212822/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212822; rev:1;) alert tcp $HOME_NET any -> [187.154.211.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212821/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212821; rev:1;) alert tcp $HOME_NET any -> [187.211.100.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212820/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212820; 
rev:1;) alert tcp $HOME_NET any -> [2.80.93.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212819/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212819; rev:1;) alert tcp $HOME_NET any -> [78.100.247.56] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212818/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212818; rev:1;) alert tcp $HOME_NET any -> [41.227.213.116] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212817/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212817; rev:1;) alert tcp $HOME_NET any -> [72.27.166.131] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212816/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212816; rev:1;) alert tcp $HOME_NET any -> [189.140.23.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212815/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212815; rev:1;) alert tcp $HOME_NET any -> [77.126.82.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212814/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212814; rev:1;) alert tcp $HOME_NET any -> [187.211.118.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212813/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212813; rev:1;) alert tcp $HOME_NET any -> [157.125.39.240] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212812/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212812; rev:1;) alert tcp $HOME_NET any -> [176.44.74.147] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212811/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212811; rev:1;) alert tcp $HOME_NET any -> [45.138.74.191] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212810/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212810; rev:1;) alert tcp $HOME_NET any -> [72.27.63.60] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212809/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212809; rev:1;) alert tcp $HOME_NET any -> [31.190.78.110] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212808/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212808; rev:1;) alert tcp $HOME_NET any -> [186.136.144.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212807/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212807; rev:1;) alert tcp $HOME_NET any -> [202.187.231.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212806/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212806; rev:1;) alert tcp $HOME_NET any -> [197.3.194.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212805/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212805; rev:1;) alert tcp $HOME_NET any -> [65.108.218.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212804/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212804; rev:1;) alert tcp $HOME_NET any -> [83.110.89.159] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212803/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212803; rev:1;) alert tcp $HOME_NET any -> [74.12.145.230] 2078 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212802/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212802; rev:1;) alert tcp $HOME_NET any -> [74.12.145.230] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212801/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212801; rev:1;) alert tcp $HOME_NET any -> [186.13.27.31] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212800/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212800; rev:1;) alert tcp $HOME_NET any -> [72.27.36.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212799/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212799; rev:1;) alert tcp $HOME_NET any -> [151.30.199.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212798/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212798; rev:1;) alert tcp $HOME_NET any -> [99.235.213.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212797/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212797; rev:1;) alert tcp $HOME_NET any -> [204.112.31.191] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212796/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212796; rev:1;) alert tcp $HOME_NET any -> [34.92.143.66] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212795/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212795; rev:1;) alert tcp $HOME_NET any -> [34.217.48.163] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212794/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212794; rev:1;) alert tcp $HOME_NET any -> [185.72.86.20] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212793/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"23.251.32.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212792; rev:1;) alert tcp $HOME_NET any -> [52.87.214.173] 445 (msg:"ThreatFox Responder botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212791/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212791; rev:1;) alert tcp $HOME_NET any -> [18.218.80.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212790/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212790; rev:1;) alert tcp $HOME_NET any -> [52.50.242.98] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212789/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212789; rev:1;) alert tcp $HOME_NET any -> [193.42.36.3] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212788/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212788; rev:1;) alert tcp $HOME_NET any -> [185.142.184.146] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212787/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212787; rev:1;) alert tcp $HOME_NET any -> [194.126.178.8] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212786/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; 
sid:91212786; rev:1;) alert tcp $HOME_NET any -> [172.232.146.109] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212785/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212785; rev:1;) alert tcp $HOME_NET any -> [172.86.75.98] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212784/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212784; rev:1;) alert tcp $HOME_NET any -> [178.18.242.114] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212783/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212783; rev:1;) alert tcp $HOME_NET any -> [194.33.191.214] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212782/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212782; rev:1;) alert tcp $HOME_NET any -> [172.232.123.21] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212781/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212781; rev:1;) alert tcp $HOME_NET any -> [174.138.7.112] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212780/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212780; rev:1;) alert tcp $HOME_NET any -> [185.216.68.70] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212779/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212779; rev:1;) alert tcp $HOME_NET any -> [16.170.155.141] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212778/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212778; rev:1;) alert tcp $HOME_NET any -> [142.93.185.248] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212777/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212777; rev:1;) alert tcp $HOME_NET any -> [92.220.154.91] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212776/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212776; rev:1;) alert tcp $HOME_NET any -> [138.68.123.125] 40065 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212775/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212775; rev:1;) alert tcp $HOME_NET any -> [185.216.68.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212773/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212773; rev:1;) alert tcp $HOME_NET any -> [62.234.202.129] 48892 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212772/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212772; rev:1;) alert tcp $HOME_NET any -> [66.228.60.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212771/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212771; rev:1;) alert tcp $HOME_NET any -> [195.35.25.136] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212770/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212770; rev:1;) alert tcp $HOME_NET any -> [51.20.113.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212769/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212769; rev:1;) alert tcp $HOME_NET any -> [85.217.222.42] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212768/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212768; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polllowgeocpudbgeneratortestuniversal.php"; depth:42; nocase; http.host; content:"92.63.97.182"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212767; rev:1;) alert tcp $HOME_NET any -> [91.92.252.239] 5201 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212766; rev:1;) alert tcp $HOME_NET any -> [151.101.215.221] 9031 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212765/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"crackdcptme.000webhostapp.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212764; rev:1;) alert tcp $HOME_NET any -> [20.200.107.245] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212763/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212763; 
rev:1;) alert tcp $HOME_NET any -> [146.75.23.221] 9031 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212762/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212762; rev:1;) alert tcp $HOME_NET any -> [146.75.15.221] 9031 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212761/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212761; rev:1;) alert tcp $HOME_NET any -> [64.176.67.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212760/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212760; rev:1;) alert tcp $HOME_NET any -> [97.151.135.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212759/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212759; rev:1;) alert tcp $HOME_NET any -> [91.92.250.237] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212758/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212758; rev:1;) alert tcp $HOME_NET any -> [54.198.145.43] 8080 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212757/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212757; rev:1;) alert tcp $HOME_NET any -> [91.92.247.69] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212756/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212756; rev:1;) alert tcp $HOME_NET any -> [35.189.222.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212755/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212755; rev:1;) alert tcp $HOME_NET any -> [153.127.8.161] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212754/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212754; rev:1;) alert tcp $HOME_NET any -> [153.127.8.161] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212753/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_14; classtype:trojan-activity; sid:91212753; rev:1;) alert tcp $HOME_NET any -> [5.75.215.196] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212752; rev:1;) alert tcp $HOME_NET any -> [57.128.164.11] 5242 (msg:"ThreatFox Pikabot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212751; rev:1;) alert tcp $HOME_NET any -> [51.83.253.102] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212750; rev:1;) alert tcp $HOME_NET any -> [57.128.83.129] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212749; rev:1;) alert tcp $HOME_NET any -> [172.232.186.251] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212748; rev:1;) alert tcp $HOME_NET any -> [172.232.162.198] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212747; rev:1;) alert tcp $HOME_NET any -> [57.128.108.132] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212746; rev:1;) alert tcp $HOME_NET any -> [172.232.173.219] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212745; rev:1;) alert tcp $HOME_NET any -> [128.140.100.50] 24516 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212744; rev:1;) alert tcp $HOME_NET any -> [80.66.89.64] 33090 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"onewayskateboard.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"onewayskateboard.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212727; rev:1;) alert tcp $HOME_NET any -> [178.208.87.185] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212726/; target:src_ip; metadata: confidence_level 60, first_seen 2023_12_14; classtype:trojan-activity; sid:91212726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"116.204.91.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"104.128.229.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"111.229.75.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.230.53.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"95.169.27.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b3iwjlaj-1322248009.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/lib/jquery-1-edb203c114.10.2.js"; depth:35; nocase; http.host; content:"service-b3iwjlaj-1322248009.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212715; rev:1;) alert tcp $HOME_NET any -> [103.143.248.179] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"121.41.74.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.222.162.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cnn/cnnx/follow/hds/stream_hdd/1/cnnxlive1_6.bootstrap"; depth:55; nocase; http.host; content:"20.42.56.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k597s.cn110bet.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr"; depth:17; nocase; http.host; content:"k597s.cn110bet.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212708/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212708; rev:1;) alert tcp $HOME_NET any -> [109.248.151.76] 1974 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212707/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_14; classtype:trojan-activity; sid:91212707; rev:1;) alert tcp $HOME_NET any -> [66.204.14.88] 3268 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212706/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.130.133.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.100.78.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212704; rev:1;) alert tcp $HOME_NET any -> [43.139.182.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212703/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_14; classtype:trojan-activity; sid:91212703; rev:1;) alert tcp $HOME_NET any -> [43.139.147.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/chromiumengine.zip"; depth:24; nocase; http.host; content:"ilogicinstitute.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"67.207.91.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"onewayskateboard.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212697; rev:1;) alert tcp $HOME_NET any -> [38.207.179.24] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212701/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_14; classtype:trojan-activity; sid:91212701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.microsoft-update.one"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.microsoft-update.one"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212699; rev:1;) alert tcp $HOME_NET any -> [20.214.161.162] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212698/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"crudeleavelegendew.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212696; rev:1;) alert tcp $HOME_NET any -> [2.59.222.98] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212695/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212695; 
rev:1;) alert tcp $HOME_NET any -> [43.249.9.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212694/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212694; rev:1;) alert tcp $HOME_NET any -> [163.5.64.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212693/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212693; rev:1;) alert tcp $HOME_NET any -> [47.120.37.45] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212692/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212692; rev:1;) alert tcp $HOME_NET any -> [43.153.222.28] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212691/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212691; rev:1;) alert tcp $HOME_NET any -> [111.229.75.150] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212690/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212690; rev:1;) alert tcp $HOME_NET any -> [175.178.174.131] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212689/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212689; rev:1;) alert tcp $HOME_NET any -> [213.226.123.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212688/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212688; rev:1;) alert tcp $HOME_NET any -> [43.143.171.134] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212687/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212687; rev:1;) alert tcp $HOME_NET any -> [179.60.150.57] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212686/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212686; rev:1;) alert tcp $HOME_NET any -> [59.110.6.123] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212685/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212685; rev:1;) alert tcp $HOME_NET any -> [8.130.24.142] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212684/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8papp/0.6922216472156167.dat"; depth:29; nocase; http.host; content:"egnersi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvs49/0.1038985448688931.dat"; depth:29; nocase; http.host; content:"brouweres.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wun/0.34937124772636113.dat"; depth:28; nocase; http.host; content:"hukerpinta.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hukerpinta.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brouweres.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212679/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"egnersi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.mylcyz.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.mylcyz.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"52.192.163.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.134.57.109"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1212674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212674; rev:1;) alert tcp $HOME_NET any -> [185.254.97.17] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dy.vvvvvbeng.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providersecureprocessorauthprotectlinuxtestuploads.php"; depth:55; nocase; http.host; content:"044574cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212669; rev:1;) alert tcp $HOME_NET any -> [78.47.104.201] 25565 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.104.201"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212667; rev:1;) alert tcp $HOME_NET any -> [98.187.12.182] 61613 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212666/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"climbavantgardefe.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212664; rev:1;) alert tcp $HOME_NET any -> [77.105.147.130] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212662; rev:1;) alert tcp $HOME_NET any -> [195.20.16.46] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212663; rev:1;) alert tcp $HOME_NET any -> [5.75.175.90] 13018 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212661/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212661; rev:1;) alert tcp $HOME_NET any -> [149.210.12.169] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212660/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212660; rev:1;) alert tcp $HOME_NET any -> [42.192.145.232] 8787 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212659/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maufusjiop.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212653; rev:1;) alert tcp $HOME_NET any -> [187.135.128.206] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212658/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212658; rev:1;) alert tcp $HOME_NET any -> [187.135.128.206] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212657/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212657; rev:1;) alert tcp $HOME_NET any -> [193.233.255.121] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212656/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212656; rev:1;) alert tcp $HOME_NET any -> [51.91.23.125] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212655/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212655; rev:1;) alert tcp $HOME_NET any -> [104.128.229.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212654/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212654; rev:1;) alert tcp $HOME_NET any -> [218.29.158.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212652/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212652; rev:1;) alert tcp $HOME_NET any -> [85.195.105.66] 54980 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212651; rev:1;) alert tcp $HOME_NET any -> [95.164.84.84] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212650/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0891158.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0894367.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212648; rev:1;) alert tcp $HOME_NET any -> [57.129.0.118] 8080 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212647/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212647; rev:1;) alert tcp $HOME_NET any -> [119.91.225.24] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212646/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212646; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212645/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; 
classtype:trojan-activity; sid:91212645; rev:1;) alert tcp $HOME_NET any -> [116.204.91.166] 4321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212644/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_14; classtype:trojan-activity; sid:91212644; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 9847 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212643; rev:1;) alert tcp $HOME_NET any -> [51.89.208.8] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_14; classtype:trojan-activity; sid:91212642; rev:1;) alert tcp $HOME_NET any -> [39.100.78.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212641/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212641; rev:1;) alert tcp $HOME_NET any -> [198.46.175.240] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212640/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212640; rev:1;) alert tcp $HOME_NET any -> [57.129.0.118] 8086 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1212639/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212639; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212638; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212637; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 18490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212636; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 18490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212635; rev:1;) alert tcp $HOME_NET any -> [101.42.149.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212633/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"spontaneouslightss.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cinemaretailermkw.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"piggepawneillusio.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212632; rev:1;) alert tcp $HOME_NET any -> [80.89.229.168] 33588 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.56.194.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212628/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.131.118.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.43.109.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"188.121.110.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.134.57.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; 
content:"120.53.104.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212617; rev:1;) alert tcp $HOME_NET any -> [111.229.75.150] 84 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212616/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"179.43.142.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212604/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"179.43.142.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212605/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"acizac1322343.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212606/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"aciktim223432516.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212607/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"azisswravaas.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212608/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"azisswravaas1.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212609/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"azisswravaas2.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212610/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"91.92.242.222"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212611/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"azadkasilasaucunbra.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212612/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"azadkasilasaucunbra.com"; depth:23; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1212613/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"azadkasilasaucunbra.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212614/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"azadkasilasaucunbra.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212615/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212615; rev:1;) alert tcp $HOME_NET any -> [104.243.25.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212603/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"volltrendyfashion.de"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"voxpublica.no"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitor-websystem.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiut/077uwdcpcbopyqaqlrtnldgrirqbzutfikqbgwklxlyxmmhxixvqtklbrqrppazrdxwpopwgvfnznjpmqasto"; depth:91; nocase; http.host; content:"nonegar2.ir"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lli/"; depth:5; nocase; http.host; content:"abeseguros.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sandelias.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212596/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getfnewssolutions.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allcompanycenter.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taskthebox.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"suburbmeetabuseowp.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"volleytip.com"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1212592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"volleyball-muenchen.de"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212569; rev:1;) alert tcp $HOME_NET any -> [64.227.124.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212591/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_13; classtype:trojan-activity; sid:91212591; rev:1;) alert tcp $HOME_NET any -> [14.225.203.113] 2404 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212590; rev:1;) alert tcp $HOME_NET any -> [91.204.226.98] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212589; rev:1;) alert tcp $HOME_NET any -> [91.204.226.94] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212588/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_13; classtype:trojan-activity; sid:91212588; rev:1;) alert tcp $HOME_NET any -> [124.70.10.142] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212587; rev:1;) alert tcp $HOME_NET any -> [91.204.226.105] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212586; rev:1;) alert tcp $HOME_NET any -> [1.12.226.211] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glassenclosed.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"besttrademarklawyers.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"liannanielsen.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannabisneed.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.iqoptionlive.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212579; rev:1;) alert tcp $HOME_NET any -> [168.100.8.83] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212580; rev:1;) alert tcp $HOME_NET any -> [45.129.199.169] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212578; rev:1;) alert tcp $HOME_NET any -> [65.108.133.252] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212577/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212577; rev:1;) alert tcp $HOME_NET any -> [85.209.176.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212575; rev:1;) alert tcp $HOME_NET any -> [185.175.56.193] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212576; rev:1;) alert tcp $HOME_NET any -> [5.188.159.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212574; rev:1;) alert tcp $HOME_NET any -> [4.228.56.58] 1024 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.test.nolog.no"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212572; rev:1;) alert tcp $HOME_NET any -> [35.158.7.214] 443 (msg:"ThreatFox Havoc botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.test.nolog.no"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212570; rev:1;) alert tcp $HOME_NET any -> [192.71.172.159] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.precisionrenovationri.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stupefied-banach.91-215-85-177.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.11.254.76.144.clients.your-server.de"; depth:43; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212565; rev:1;) alert tcp $HOME_NET any -> [112.213.97.151] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212563; rev:1;) alert tcp $HOME_NET any -> [163.5.64.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212564; rev:1;) alert tcp $HOME_NET any -> [163.5.64.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212562; rev:1;) alert tcp $HOME_NET any -> [142.171.66.98] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212561; rev:1;) alert tcp $HOME_NET any -> [163.5.64.45] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212560; rev:1;) alert tcp $HOME_NET any -> [194.33.191.105] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212559; rev:1;) alert tcp $HOME_NET any -> [20.197.242.109] 6060 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212558; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212557; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212556; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212555; rev:1;) alert tcp $HOME_NET any -> [194.33.127.198] 2086 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212554/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212554; rev:1;) alert tcp $HOME_NET any -> [104.233.140.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212553; rev:1;) alert tcp $HOME_NET any -> [107.174.93.253] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212552; rev:1;) alert tcp $HOME_NET any -> [89.38.131.70] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212551/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_13; classtype:trojan-activity; sid:91212551; rev:1;) alert tcp $HOME_NET any -> [49.235.105.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212550; rev:1;) alert tcp $HOME_NET any -> [62.234.27.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212548; rev:1;) alert tcp $HOME_NET any -> [49.235.105.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212549; rev:1;) alert tcp $HOME_NET any -> [111.230.205.218] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212547; rev:1;) alert tcp $HOME_NET any -> [106.55.179.114] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212546; rev:1;) alert tcp $HOME_NET any -> [43.139.221.182] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212545; rev:1;) alert tcp $HOME_NET any -> [103.234.72.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212544; rev:1;) alert tcp $HOME_NET any -> [103.143.248.179] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; 
sid:91212543; rev:1;) alert tcp $HOME_NET any -> [111.229.208.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hongtong502.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212541; rev:1;) alert tcp $HOME_NET any -> [135.181.121.228] 20344 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212540; rev:1;) alert tcp $HOME_NET any -> [171.252.110.10] 5736 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"uumu.fi"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vancleefinc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vaqutauxfamily-fanclub.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vente-outillages.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; 
content:"vicantres.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vietsportscience.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"viewcast.tv"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"villadsen4x4.dk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vogelhaus-gestaltung.de"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212538/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_13; classtype:trojan-activity; sid:91212538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vilmas.digital-brands.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212537; rev:1;) alert tcp $HOME_NET any -> [91.92.245.80] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"www.goodljlagfhss.live"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"emperorplan.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/investor/five/fre.php"; depth:34; nocase; http.host; 
content:"investor.entracollc.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212524/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_13; classtype:trojan-activity; sid:91212524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"second.amadgood.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212523/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212523; rev:1;) alert tcp $HOME_NET any -> [185.215.113.17] 8488 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212522; rev:1;) alert tcp $HOME_NET any -> [5.42.66.32] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212520/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212520; rev:1;) alert tcp $HOME_NET any -> [5.42.65.114] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212521/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212521; rev:1;) alert tcp $HOME_NET any -> [185.254.97.17] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212519/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; 
sid:91212519; rev:1;) alert tcp $HOME_NET any -> [192.248.183.93] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212518; rev:1;) alert tcp $HOME_NET any -> [149.28.17.176] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212511; rev:1;) alert tcp $HOME_NET any -> [64.176.66.137] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212512; rev:1;) alert tcp $HOME_NET any -> [45.32.253.21] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212513; rev:1;) alert tcp $HOME_NET any -> [172.232.164.77] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212514; rev:1;) alert tcp $HOME_NET any -> [199.247.8.136] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212515; rev:1;) alert tcp $HOME_NET any -> [172.232.163.111] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212516; rev:1;) alert tcp $HOME_NET any -> [107.191.47.85] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212517; rev:1;) alert tcp $HOME_NET any -> [77.91.76.37] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212510/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212510; rev:1;) alert tcp $HOME_NET any -> [172.245.208.30] 52707 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212509/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_13; classtype:trojan-activity; sid:91212509; rev:1;) alert tcp $HOME_NET any -> [172.245.208.30] 45070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212508/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_13; classtype:trojan-activity; sid:91212508; rev:1;) alert tcp $HOME_NET any -> [193.142.59.211] 7257 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212507/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_13; classtype:trojan-activity; sid:91212507; rev:1;) alert tcp $HOME_NET any -> [64.176.68.223] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212502; rev:1;) alert tcp $HOME_NET any -> [172.232.175.59] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212503; rev:1;) alert tcp $HOME_NET any -> [172.232.164.159] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212504; rev:1;) alert tcp $HOME_NET any -> [95.179.212.178] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212505; rev:1;) alert tcp $HOME_NET any -> [172.232.163.208] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; 
classtype:trojan-activity; sid:91212506; rev:1;) alert tcp $HOME_NET any -> [103.143.248.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212501/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fertelion.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"orionparti.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"limperus.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2conf"; depth:7; nocase; http.host; content:"droppicches.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212497; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"skipflowposses.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212496; rev:1;) alert tcp $HOME_NET any -> [47.111.182.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.240.66.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"220.181.164.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.227.184.117"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"112.48.167.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"220.181.164.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.241.151.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.242.63.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212488/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_13; classtype:trojan-activity; sid:91212488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.109.56.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212487; rev:1;) alert tcp $HOME_NET any -> [124.223.62.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2017/12/29132a9e7a0e9a9e2"; depth:53; nocase; http.host; content:"api.speech-microsoft.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.speech-microsoft.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; 
depth:20; nocase; http.host; content:"43.138.249.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"182.92.102.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"104.131.3.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"159.75.104.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212479/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_13; classtype:trojan-activity; sid:91212479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.134.36.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212478; rev:1;) alert tcp $HOME_NET any -> [101.35.173.226] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"1.14.205.73"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"107.174.186.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; 
http.host; content:"34.92.85.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"39.96.85.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"68.183.68.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.220.28.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0894994.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; 
classtype:trojan-activity; sid:91212470; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 15776 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212469; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 15776 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212468; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 15776 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212467; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 15776 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagecpugeneratorwordpress.php"; depth:38; nocase; http.host; content:"199618cl.nyashtop.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/direct/7b020763-5a45-40e0-986e-1b9f7a3b2126/browserengine.zip"; depth:71; nocase; http.host; content:"store1.gofile.io"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"softgate.softrobotics.com.tr"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"merchant-api.softrobotics.com.tr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/direct/7b020763-5a45-40e0-986e-1b9f7a3b2126/browserengine.zip"; depth:71; nocase; http.host; content:"store1.gofile.io"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"do.amepos.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/enginewebviewmodule.zip"; depth:29; nocase; http.host; content:"calzadosiris.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sivero.pekalongankab.go.id"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/chromiummodule.zip"; depth:24; nocase; http.host; content:"chapasanpedro.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"mhwapwww.dev2-genera.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"calculatrice.dev2-genera.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k92lsa3dpb/login.php"; depth:21; nocase; http.host; content:"jazoopsloo.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212436; rev:1;) alert tcp $HOME_NET any -> [124.71.38.170] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212454/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212454; rev:1;) alert tcp $HOME_NET any -> [124.223.63.236] 40716 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212453/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212453; rev:1;) alert tcp $HOME_NET any -> [154.246.109.167] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212452/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212452; rev:1;) alert tcp $HOME_NET any -> [37.107.51.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212451/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212451; rev:1;) alert tcp $HOME_NET any -> [201.192.179.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212450/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212450; rev:1;) alert tcp $HOME_NET any -> [31.117.89.179] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212449/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212449; rev:1;) alert tcp $HOME_NET any -> [72.27.105.211] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212448/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212448; rev:1;) alert tcp $HOME_NET any -> [47.251.70.97] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212447/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212447; rev:1;) alert tcp $HOME_NET any -> 
[113.52.134.114] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212445/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212445; rev:1;) alert tcp $HOME_NET any -> [113.52.134.114] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212446/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212446; rev:1;) alert tcp $HOME_NET any -> [113.52.134.114] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212444/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212444; rev:1;) alert tcp $HOME_NET any -> [167.172.45.219] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212443/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212443; rev:1;) alert tcp $HOME_NET any -> [62.234.202.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212442/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212442; rev:1;) alert tcp $HOME_NET any -> [192.121.113.129] 5062 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212441/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_13; classtype:trojan-activity; sid:91212441; rev:1;) alert tcp $HOME_NET any -> [188.241.58.179] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212440/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212440; rev:1;) alert tcp $HOME_NET any -> [185.7.219.106] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212439/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212439; rev:1;) alert tcp $HOME_NET any -> [147.78.47.184] 8092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212438/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212438; rev:1;) alert tcp $HOME_NET any -> [213.152.186.35] 46260 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212437; rev:1;) alert tcp $HOME_NET any -> [45.15.156.41] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/8a5ea326.php"; depth:13; nocase; http.host; content:"co57358.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"soupinterestoe.fun"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212433; rev:1;) alert tcp $HOME_NET any -> [107.174.186.194] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212432/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bt341/index.php"; depth:16; nocase; http.host; content:"btl1.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_13; classtype:trojan-activity; sid:91212431; rev:1;) alert tcp $HOME_NET any -> [185.172.128.5] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212430/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_13; classtype:trojan-activity; sid:91212430; rev:1;) alert tcp $HOME_NET any -> [45.81.226.62] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212429/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_13; classtype:trojan-activity; sid:91212429; rev:1;) alert tcp $HOME_NET any -> [207.246.82.230] 5290 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212428; rev:1;) alert tcp $HOME_NET any -> [20.84.117.57] 2347 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212427/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_12; classtype:trojan-activity; sid:91212427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"martenesid.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lorented.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frasana.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212424/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"filersed.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kelsoret.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"8572975289cm.whiteproducts.ru"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/engine/index.php"; depth:17; nocase; http.host; content:"subirat.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/browsermodule.zip"; depth:23; 
nocase; http.host; content:"elevenexpress.com.co"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/direct/7b020763-5a45-40e0-986e-1b9f7a3b2126/browserengine.zip"; depth:71; nocase; http.host; content:"store1.gofile.io"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/direct/bb9acddc-c845-4197-81b3-197ed349d419/enginebrowser.zip"; depth:71; nocase; http.host; content:"store5.gofile.io"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212417; rev:1;) alert tcp $HOME_NET any -> [1.12.36.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212416; rev:1;) alert tcp $HOME_NET any -> [185.254.97.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212415/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212415; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestsecurepacketgamedbwordpresstempcentral.php"; depth:50; nocase; http.host; content:"866280lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212414; rev:1;) alert tcp $HOME_NET any -> [198.245.77.54] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212413; rev:1;) alert tcp $HOME_NET any -> [47.115.201.46] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212412/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212412; rev:1;) alert tcp $HOME_NET any -> [111.230.53.73] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212411/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212411; rev:1;) alert tcp $HOME_NET any -> [141.95.108.72] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212410/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212410; rev:1;) alert tcp $HOME_NET any -> [2.99.39.197] 2222 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212409/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama.exe"; depth:8; nocase; http.host; content:"185.172.128.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212376/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cp.exe"; depth:7; nocase; http.host; content:"185.172.128.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ma.exe"; depth:7; nocase; http.host; content:"185.172.128.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loganwcshost.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212407; rev:1;) 
alert tcp $HOME_NET any -> [46.249.38.18] 41426 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212408/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212408; rev:1;) alert tcp $HOME_NET any -> [1.15.154.133] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212406/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212406; rev:1;) alert tcp $HOME_NET any -> [175.178.215.222] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212405/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212405; rev:1;) alert tcp $HOME_NET any -> [82.157.65.5] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212404/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212404; rev:1;) alert tcp $HOME_NET any -> [101.43.85.101] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212403/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212403; rev:1;) alert tcp $HOME_NET any -> [47.96.170.102] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212402/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212402; rev:1;) alert tcp $HOME_NET any -> [1.94.97.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212401/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212401; rev:1;) alert tcp $HOME_NET any -> [42.193.14.173] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212400/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212400; rev:1;) alert tcp $HOME_NET any -> [154.211.15.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212399/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212399; rev:1;) alert tcp $HOME_NET any -> [47.236.123.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212398/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212398; rev:1;) alert tcp $HOME_NET any -> [82.157.69.161] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212397/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212397; rev:1;) alert tcp $HOME_NET any -> [124.71.158.221] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212396/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212396; rev:1;) alert tcp $HOME_NET any -> [124.221.178.17] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212395/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212395; rev:1;) alert tcp $HOME_NET any -> [107.174.186.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212394/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212394; rev:1;) alert tcp $HOME_NET any -> [80.66.75.66] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212393/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212393; rev:1;) alert tcp $HOME_NET any -> [101.43.165.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212392/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212392; rev:1;) alert tcp $HOME_NET any -> [175.178.14.59] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212391/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212391; rev:1;) alert tcp $HOME_NET any -> [47.93.96.180] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212390/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212390; rev:1;) alert tcp $HOME_NET any -> [47.108.175.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212389/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212389; rev:1;) alert tcp $HOME_NET any -> [47.74.33.150] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212388/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212388; rev:1;) alert tcp $HOME_NET any -> [38.147.189.9] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212387/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212387; rev:1;) alert tcp $HOME_NET any -> [45.14.66.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212386/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212386; rev:1;) alert tcp $HOME_NET any -> [150.158.176.236] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212385/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212385; rev:1;) alert tcp $HOME_NET any -> [190.232.148.122] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212384/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212384; rev:1;) alert tcp $HOME_NET any -> [107.151.244.80] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212383; rev:1;) alert tcp $HOME_NET any -> [103.24.219.42] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212382; rev:1;) alert tcp $HOME_NET any -> [168.100.8.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212381/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212381; rev:1;) alert tcp $HOME_NET any -> [46.105.147.140] 56243 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; 
classtype:trojan-activity; sid:91212380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7oer"; depth:5; nocase; http.host; content:"34.28.72.212"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212377/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_12; classtype:trojan-activity; sid:91212377; rev:1;) alert tcp $HOME_NET any -> [46.105.147.140] 1602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212375/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_12; classtype:trojan-activity; sid:91212375; rev:1;) alert tcp $HOME_NET any -> [102.158.204.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212374; rev:1;) alert tcp $HOME_NET any -> [139.224.1.144] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212373; rev:1;) alert tcp $HOME_NET any -> [91.204.226.93] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212372; rev:1;) alert tcp $HOME_NET any -> [91.204.226.92] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212371; rev:1;) alert tcp $HOME_NET any -> [91.204.226.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212370; rev:1;) alert tcp $HOME_NET any -> [156.242.64.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212369; rev:1;) alert tcp $HOME_NET any -> [107.174.69.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212368; rev:1;) alert tcp $HOME_NET any -> [119.45.180.142] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212366; rev:1;) alert tcp $HOME_NET any -> [91.204.226.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212367/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212367; rev:1;) alert tcp $HOME_NET any -> [193.239.151.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212365; rev:1;) alert tcp $HOME_NET any -> [193.239.151.167] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212364; rev:1;) alert tcp $HOME_NET any -> [180.140.153.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212363; rev:1;) alert tcp $HOME_NET any -> [91.204.226.99] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212362; rev:1;) alert tcp $HOME_NET any -> [154.92.23.185] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212361; rev:1;) alert tcp $HOME_NET any -> [43.133.109.107] 60000 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212359; rev:1;) alert tcp $HOME_NET any -> [193.239.151.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212360; rev:1;) alert tcp $HOME_NET any -> [193.239.151.183] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212358; rev:1;) alert tcp $HOME_NET any -> [43.143.133.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212357; rev:1;) alert tcp $HOME_NET any -> [91.204.226.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"texascathlab.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212355/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tokeshare.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.peterdanford.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idontgiveatruck.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannabisvotes.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alchemystofficial.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212349; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisandpets.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kachinaweb.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hy-link.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"menstrachagex.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212347; rev:1;) alert tcp $HOME_NET any -> [109.107.174.154] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cannabisfans.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212345; rev:1;) alert tcp $HOME_NET any -> [83.243.122.245] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212343; rev:1;) alert tcp $HOME_NET any -> [124.221.145.245] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212342; rev:1;) alert tcp $HOME_NET any -> [20.199.26.211] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212341; rev:1;) alert tcp $HOME_NET any -> [91.92.241.23] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212340; rev:1;) alert tcp $HOME_NET any -> [154.19.84.98] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; 
sid:91212339; rev:1;) alert tcp $HOME_NET any -> [8.212.49.198] 9827 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212338; rev:1;) alert tcp $HOME_NET any -> [85.209.176.247] 2096 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212337; rev:1;) alert tcp $HOME_NET any -> [195.189.98.5] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212336; rev:1;) alert tcp $HOME_NET any -> [18.141.3.52] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peaceful-lewin.195-85-207-218.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212335; rev:1;) alert tcp $HOME_NET any -> [85.209.176.150] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1212333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212333; rev:1;) alert tcp $HOME_NET any -> [163.5.210.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"178.236.246.181.sslip.io"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212332; rev:1;) alert tcp $HOME_NET any -> [178.236.246.181] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212330; rev:1;) alert tcp $HOME_NET any -> [82.137.209.200] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212329; rev:1;) alert tcp $HOME_NET any -> [24.199.125.32] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212328; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-135-210-230.eu-west-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212327; rev:1;) alert tcp $HOME_NET any -> [20.11.178.186] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212326; rev:1;) alert tcp $HOME_NET any -> [185.81.157.154] 2727 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212325; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212324; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212323; rev:1;) alert tcp $HOME_NET any -> [95.15.65.177] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1212321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212321; rev:1;) alert tcp $HOME_NET any -> [84.38.129.116] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212322; rev:1;) alert tcp $HOME_NET any -> [95.15.65.177] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212320; rev:1;) alert tcp $HOME_NET any -> [95.214.177.110] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212319; rev:1;) alert tcp $HOME_NET any -> [91.92.243.58] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212318; rev:1;) alert tcp $HOME_NET any -> [101.133.135.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212317; rev:1;) alert tcp $HOME_NET any -> [123.60.71.211] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212316; rev:1;) alert tcp $HOME_NET any -> [120.27.129.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212315; rev:1;) alert tcp $HOME_NET any -> [114.55.92.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212314; rev:1;) alert tcp $HOME_NET any -> [43.138.249.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kfc.mom"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212312; rev:1;) alert tcp $HOME_NET any -> [64.176.218.248] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212311/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212311; rev:1;) alert tcp $HOME_NET any -> [116.204.74.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212310; rev:1;) alert tcp $HOME_NET any -> [43.139.119.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212309; rev:1;) alert tcp $HOME_NET any -> [47.113.220.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogfiyta3mzu4ngew/"; depth:18; nocase; http.host; content:"91.92.251.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212295/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogfiyta3mzu4ngew/"; depth:18; nocase; http.host; content:"yargelecekamanzmn.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212296/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogfiyta3mzu4ngew/"; depth:18; nocase; http.host; content:"dnyadargelecek.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212297/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"wjajdawieqrqewq.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212298/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"wjajdawieqrqewq.cyou"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212299/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"wjajdawieqrqewqonline.icu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212300/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212300; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"wjajdawieqrqewqgroup.monster"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"thewjajdawieqrqewq.bond"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212302/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"g560st6hv980v6vyrcji.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212303/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"c8qg4aojk3n5s6yg4tsu.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212304/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"wm995a146pmd2iedsx84.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212305/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"0nty208c2wmzcf6f63lx.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212307/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mti5ognmywjkytu1/"; depth:18; nocase; http.host; content:"wbvmfu5rncgobzz9v4nf.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212306/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212306; rev:1;) alert tcp $HOME_NET any -> [154.38.184.3] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212292; rev:1;) alert tcp $HOME_NET any -> [154.38.184.18] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; 
sid:91212293; rev:1;) alert tcp $HOME_NET any -> [139.180.185.171] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"59.110.172.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212291; rev:1;) alert tcp $HOME_NET any -> [185.156.174.155] 9992 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212290/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_12; classtype:trojan-activity; sid:91212290; rev:1;) alert tcp $HOME_NET any -> [91.92.248.208] 8967 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212289/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_12; classtype:trojan-activity; sid:91212289; rev:1;) alert tcp $HOME_NET any -> [93.65.194.23] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212288/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212288; rev:1;) alert tcp $HOME_NET any -> [5.230.67.144] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212287/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212287; rev:1;) alert tcp $HOME_NET any -> [94.103.94.153] 7414 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d8af8f06ba4b880.php"; depth:21; nocase; http.host; content:"77.91.123.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpflower3dump/defaultauth/6defaultproton5/5public/0central9request/5request/0base/async/367_/poll346/publicpublic/wplocalprocessor/windows03to/4central/phpauthtemporary.php"; depth:174; nocase; http.host; content:"195.85.250.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baseballleadrwio.pw"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1212282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2341/index.php"; depth:16; nocase; http.host; content:"b2i1.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212286; rev:1;) alert tcp $HOME_NET any -> [91.92.250.47] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212284/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212284; rev:1;) alert tcp $HOME_NET any -> [8.222.162.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212283/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smartpoliceax.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"godlawyerfeelkw.fun"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1212279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"188.121.110.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.43.183.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212275; rev:1;) alert tcp $HOME_NET any -> 
[182.61.25.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.61.25.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"180.76.99.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.53.104.31"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1212270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.43.109.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.142.117.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"186.64.113.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.142.117.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212265; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.221.17.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"112.124.6.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.138.106.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.40.69.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212256/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.96.170.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.93.96.180"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212253; rev:1;) alert tcp $HOME_NET any -> [47.96.255.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212252/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212252; rev:1;) alert tcp $HOME_NET any -> [104.131.3.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212251/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212251; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 19768 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212250; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 19768 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212249; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 19768 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212248; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 19768 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212247; rev:1;) alert tcp $HOME_NET any -> [114.115.180.116] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212246/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212246; rev:1;) alert tcp $HOME_NET any -> [8.134.36.228] 
443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212245/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.77.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212244; rev:1;) alert tcp $HOME_NET any -> [89.247.50.206] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212243/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212243; rev:1;) alert tcp $HOME_NET any -> [182.92.102.71] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212242/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.58.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.178.5"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.10.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.190"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212237; rev:1;) alert tcp $HOME_NET any -> [88.198.124.209] 993 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212235/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_12; classtype:trojan-activity; sid:91212235; rev:1;) alert tcp $HOME_NET any -> [168.119.58.175] 993 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212236; rev:1;) alert tcp $HOME_NET any -> [5.75.208.190] 993 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212232; rev:1;) alert tcp $HOME_NET any -> [116.203.10.143] 993 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212233; rev:1;) alert tcp $HOME_NET any -> [5.75.178.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212234; rev:1;) alert tcp $HOME_NET any -> [88.198.124.209] 1993 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212230; rev:1;) alert tcp $HOME_NET any -> [5.75.211.54] 1993 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1212231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p0poc0rn"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199580458908"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212226; rev:1;) alert tcp $HOME_NET 
any -> [137.184.185.41] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212225/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212225; rev:1;) alert tcp $HOME_NET any -> [1.161.100.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212224/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212224; rev:1;) alert tcp $HOME_NET any -> [104.200.67.5] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212223/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212223; rev:1;) alert tcp $HOME_NET any -> [91.242.229.199] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212205; rev:1;) alert tcp $HOME_NET any -> [95.214.177.35] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212206; rev:1;) alert tcp $HOME_NET any -> [104.233.210.167] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212207/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212207; rev:1;) alert tcp $HOME_NET any -> [154.91.82.107] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212208; rev:1;) alert tcp $HOME_NET any -> [194.33.191.18] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212209; rev:1;) alert tcp $HOME_NET any -> [217.197.107.103] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212210; rev:1;) alert tcp $HOME_NET any -> [5.8.41.35] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212211; rev:1;) alert tcp $HOME_NET any -> [38.242.145.226] 8081 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212213; rev:1;) alert tcp $HOME_NET any -> [20.55.110.193] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212212; rev:1;) alert tcp $HOME_NET any -> [104.247.166.167] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212214; rev:1;) alert tcp $HOME_NET any -> [212.224.88.253] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k92lsa3dpb/login.php"; depth:21; nocase; http.host; content:"5.42.65.125"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212219; rev:1;) alert tcp $HOME_NET any -> [64.227.149.69] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212203; rev:1;) alert tcp $HOME_NET any -> [91.92.250.212] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212204/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_12; classtype:trojan-activity; sid:91212204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.64.45"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212195; rev:1;) alert tcp $HOME_NET any -> [47.245.115.42] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diagramfiremonkeyowwa.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.30"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlecloudad.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1212175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"reganter.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212174/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_12; classtype:trojan-activity; sid:91212174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ft341/index.php"; depth:16; nocase; http.host; content:"m1ftp.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212222; rev:1;) alert tcp $HOME_NET any -> [107.174.186.194] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212221/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212221; rev:1;) alert tcp $HOME_NET any -> [112.124.6.100] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212220/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ensurerecommendedd.pw"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1212218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f0b7e3704c0051f9.php"; depth:21; nocase; http.host; content:"bubbloityu.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212217; rev:1;) alert tcp $HOME_NET any -> [194.33.191.102] 21751 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212216; rev:1;) alert tcp $HOME_NET any -> [121.37.215.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212201/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212201; rev:1;) alert tcp $HOME_NET any -> [172.81.62.183] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212200; rev:1;) alert tcp $HOME_NET any -> [103.67.162.119] 4040 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; 
classtype:trojan-activity; sid:91212199; rev:1;) alert tcp $HOME_NET any -> [91.92.251.65] 5202 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_12; classtype:trojan-activity; sid:91212198; rev:1;) alert tcp $HOME_NET any -> [35.240.220.96] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212197/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212197; rev:1;) alert tcp $HOME_NET any -> [223.231.32.221] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212196/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_12; classtype:trojan-activity; sid:91212196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rositan.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"feritins.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"liokinch.com"; 
depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rosceman.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"graytoner.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kulasid.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212188; rev:1;) alert tcp $HOME_NET any -> [85.208.109.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212187/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212187; rev:1;) alert tcp $HOME_NET any -> [185.196.9.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; 
classtype:trojan-activity; sid:91212186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acquire/research/6xc6cuwv"; depth:26; nocase; http.host; content:"schumacherbar.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212185; rev:1;) alert tcp $HOME_NET any -> [45.145.228.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackbeltportal.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petiakremen.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.inthekitchenwithjen.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; 
classtype:trojan-activity; sid:91212181; rev:1;) alert tcp $HOME_NET any -> [195.3.223.172] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212180; rev:1;) alert tcp $HOME_NET any -> [213.195.115.111] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212179; rev:1;) alert tcp $HOME_NET any -> [64.176.54.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212178; rev:1;) alert tcp $HOME_NET any -> [91.92.247.155] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bd148da.php"; depth:13; nocase; http.host; content:"a0894385.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212176; rev:1;) alert tcp $HOME_NET any -> [109.123.227.54] 13785 
(msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212172; rev:1;) alert tcp $HOME_NET any -> [65.20.98.24] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212173; rev:1;) alert tcp $HOME_NET any -> [154.38.184.5] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212167; rev:1;) alert tcp $HOME_NET any -> [65.20.82.254] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212168; rev:1;) alert tcp $HOME_NET any -> [155.138.203.158] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212169; rev:1;) alert tcp $HOME_NET any -> [66.42.80.169] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212170/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_11; classtype:trojan-activity; sid:91212170; rev:1;) alert tcp $HOME_NET any -> [109.123.227.50] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212171; rev:1;) alert tcp $HOME_NET any -> [154.3.2.172] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212166/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"110.40.177.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"182.92.177.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"163.5.64.65"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1212162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212162; rev:1;) alert tcp $HOME_NET any -> [34.92.85.53] 6633 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212161/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"factorxharasswe.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ribbonfolkcrownyy.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212159; rev:1;) alert tcp $HOME_NET any -> [77.105.132.87] 17066 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212160; rev:1;) alert tcp $HOME_NET any -> [206.237.29.41] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1212158/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91212158; rev:1;) alert tcp $HOME_NET any -> [2.50.16.126] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212157/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91212157; rev:1;) alert tcp $HOME_NET any -> [41.96.204.166] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212156/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91212156; rev:1;) alert tcp $HOME_NET any -> [67.202.213.3] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212155/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91212155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scanintegrutybatowss.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212154; rev:1;) alert tcp $HOME_NET any -> [46.151.24.249] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; 
sid:91212153; rev:1;) alert tcp $HOME_NET any -> [206.188.196.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212152/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212152; rev:1;) alert tcp $HOME_NET any -> [91.204.226.97] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212150; rev:1;) alert tcp $HOME_NET any -> [119.6.239.80] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pedantic-easley.193-149-129-202.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212148; rev:1;) alert tcp $HOME_NET any -> [45.32.92.30] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212147; rev:1;) alert tcp $HOME_NET any -> [8.140.207.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212146; rev:1;) alert tcp $HOME_NET any -> [106.55.9.90] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmtolowgeoupdateauthwindowsflowertemporary.php"; depth:47; nocase; http.host; content:"039030cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot6613050989:aafzqau0jrknv_wqhvggwj2x2m8dkjc8rem/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212143; rev:1;) alert tcp $HOME_NET any -> [178.80.10.215] 49111 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212142; rev:1;) alert tcp $HOME_NET any -> [185.161.211.17] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.az-gateway.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.az-gateway.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212139; rev:1;) alert tcp $HOME_NET any -> [195.25.243.89] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns1.engie.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212137; rev:1;) alert tcp $HOME_NET any -> [64.176.40.46] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212136/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"runanywhere.myvnc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.check.support"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212133; rev:1;) alert tcp $HOME_NET any -> [18.182.225.116] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blessedjay.dolphinair.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212132/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91212132; rev:1;) alert tcp $HOME_NET any -> [209.250.224.132] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212131; rev:1;) alert tcp $HOME_NET any -> 
[103.161.112.130] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212130/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_11; classtype:trojan-activity; sid:91212130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1341/index.php"; depth:16; nocase; http.host; content:"b1lea.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212129; rev:1;) alert tcp $HOME_NET any -> [64.237.177.189] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212128/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212128; rev:1;) alert tcp $HOME_NET any -> [20.255.35.3] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212127/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212127; rev:1;) alert tcp $HOME_NET any -> [121.37.46.130] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212126/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212126; rev:1;) alert tcp $HOME_NET any -> [195.20.16.45] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212121; rev:1;) alert tcp $HOME_NET any -> [185.202.173.178] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212125/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_11; classtype:trojan-activity; sid:91212125; rev:1;) alert tcp $HOME_NET any -> [91.92.243.110] 3734 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212124/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_11; classtype:trojan-activity; sid:91212124; rev:1;) alert tcp $HOME_NET any -> [18.184.167.123] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212123/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212123; rev:1;) alert tcp $HOME_NET any -> [199.195.252.200] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212122/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softradar.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212120; rev:1;) alert tcp $HOME_NET any 
-> [121.37.215.155] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212119/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212119; rev:1;) alert tcp $HOME_NET any -> [145.82.136.155] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212118; rev:1;) alert tcp $HOME_NET any -> [34.173.57.207] 80 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212117; rev:1;) alert tcp $HOME_NET any -> [101.34.6.209] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212116; rev:1;) alert tcp $HOME_NET any -> [91.204.226.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212114; rev:1;) alert tcp $HOME_NET any -> [35.226.67.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212115/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212115; rev:1;) alert tcp $HOME_NET any -> [193.239.151.192] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212113; rev:1;) alert tcp $HOME_NET any -> [91.204.226.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212112; rev:1;) alert tcp $HOME_NET any -> [91.204.226.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212110; rev:1;) alert tcp $HOME_NET any -> [193.239.151.170] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212111; rev:1;) alert tcp $HOME_NET any -> [193.239.151.162] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212109; rev:1;) alert tcp $HOME_NET any -> [193.239.151.172] 60000 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212107; rev:1;) alert tcp $HOME_NET any -> [193.239.151.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"96r1yh643o.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212106; rev:1;) alert tcp $HOME_NET any -> [134.255.231.233] 8443 (msg:"ThreatFox Bahamut botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212105; rev:1;) alert tcp $HOME_NET any -> [137.175.17.80] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212104; rev:1;) alert tcp $HOME_NET any -> [91.92.252.23] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212103/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212103; rev:1;) alert tcp $HOME_NET any -> [149.115.234.54] 9999 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212101; rev:1;) alert tcp $HOME_NET any -> [117.158.206.150] 9876 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212102; rev:1;) alert tcp $HOME_NET any -> [149.115.234.35] 9999 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212100; rev:1;) alert tcp $HOME_NET any -> [149.115.234.80] 9999 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212098; rev:1;) alert tcp $HOME_NET any -> [158.101.74.227] 8080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212099; rev:1;) alert tcp $HOME_NET any -> [219.128.25.2] 8088 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"landystancreations.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johnyuprol.loan"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"partygirlptsd.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"airbnboy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"futboleu.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212093/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cannabistalks.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.selfxmedia.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.l5rkotei.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wolfchristmas.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.geniuspointofsale.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212086; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvlaliga.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvoakland.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.amlbot.co.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.getcoffeeperks.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabisjoblistings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mail.margesommers.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wingbuffet.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhnwithpercy.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.oxfordlightworks.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212079; rev:1;) alert tcp $HOME_NET any -> [62.84.100.129] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.saishasharma.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212077/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cansoftsem.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaqqity.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silverpointcondos.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tustle.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cbdhealthlink.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212071; rev:1;) alert tcp 
$HOME_NET any -> [5.180.114.52] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cannabistalks.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212070; rev:1;) alert tcp $HOME_NET any -> [46.151.31.220] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212068; rev:1;) alert tcp $HOME_NET any -> [168.100.11.156] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212067; rev:1;) alert tcp $HOME_NET any -> [168.100.11.109] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212065; rev:1;) alert tcp $HOME_NET any -> [5.180.114.171] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212066/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212066; rev:1;) alert tcp $HOME_NET any -> [213.139.205.167] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212064; rev:1;) alert tcp $HOME_NET any -> [213.139.205.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212063; rev:1;) alert tcp $HOME_NET any -> [45.155.121.137] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212061; rev:1;) alert tcp $HOME_NET any -> [109.107.176.83] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212062; rev:1;) alert tcp $HOME_NET any -> [77.105.142.135] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212060; rev:1;) alert tcp $HOME_NET any -> [206.188.197.52] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212059; rev:1;) alert tcp $HOME_NET any -> [168.100.11.107] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212057; rev:1;) alert tcp $HOME_NET any -> [193.149.129.202] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212058; rev:1;) alert tcp $HOME_NET any -> [172.86.75.163] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212056; rev:1;) alert tcp $HOME_NET any -> [95.217.74.243] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212055; rev:1;) alert tcp $HOME_NET any -> [122.51.97.82] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212054; 
rev:1;) alert tcp $HOME_NET any -> [52.59.45.98] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212053; rev:1;) alert tcp $HOME_NET any -> [18.169.215.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212052; rev:1;) alert tcp $HOME_NET any -> [159.203.86.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212051; rev:1;) alert tcp $HOME_NET any -> [91.92.253.13] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212050; rev:1;) alert tcp $HOME_NET any -> [91.92.253.14] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-35-92-41-20.us-west-2.compute.amazonaws.com"; depth:47; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212048; rev:1;) alert tcp $HOME_NET any -> [159.223.52.78] 9783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212047; rev:1;) alert tcp $HOME_NET any -> [14.225.210.209] 23456 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212046; rev:1;) alert tcp $HOME_NET any -> [82.27.71.69] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.195-85-207-218.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212044; rev:1;) alert tcp $HOME_NET any -> [195.85.207.218] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212043; rev:1;) 
# AsyncRAT C2, confidence 100. The two 20.168.112.95 rules differ only by port (9999, 8888).
alert tcp $HOME_NET any -> [88.251.226.111] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212041; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.24] 6126 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212042; rev:1;)
alert tcp $HOME_NET any -> [20.168.112.95] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212040; rev:1;)
alert tcp $HOME_NET any -> [20.168.112.95] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212039; rev:1;)
# ShadowPad C2, confidence 90 (the metadata confidence_level and the msg text agree: 90).
alert tcp $HOME_NET any -> [118.249.189.96] 13702 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212038/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_11; classtype:trojan-activity; sid:91212038; rev:1;)
alert tcp $HOME_NET any -> [122.114.18.42] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212037/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_11; classtype:trojan-activity; sid:91212037; rev:1;)
# Cobalt Strike team servers, confidence 100, 21 addresses. Several sit on 80/443/8080/8081,
# where a single-packet IP match can also be produced by a scanner or a misdirected client;
# there is no flow/TLS/HTTP context in these rules, so confirm a lone alert against the flow
# record (bytes exchanged, TLS SNI/JA3, HTTP host) before acting on it.
alert tcp $HOME_NET any -> [45.145.4.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212036; rev:1;)
alert tcp $HOME_NET any -> [124.220.28.253] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212035; rev:1;)
alert tcp $HOME_NET any -> [147.161.32.144] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212033; rev:1;)
alert tcp $HOME_NET any -> [43.154.190.128] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212034; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.15] 45286 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212032; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.34] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212031; rev:1;)
alert tcp $HOME_NET any -> [107.151.245.165] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212029; rev:1;)
alert tcp $HOME_NET any -> [8.141.83.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212030; rev:1;)
alert tcp $HOME_NET any -> [221.150.72.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212028; rev:1;)
alert tcp $HOME_NET any -> [185.248.163.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212027; rev:1;)
alert tcp $HOME_NET any -> [47.122.41.139] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212026; rev:1;)
alert tcp $HOME_NET any -> [111.229.225.13] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212024; rev:1;)
alert tcp $HOME_NET any -> [139.159.233.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212025; rev:1;)
alert tcp $HOME_NET any -> [116.63.178.79] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212023; rev:1;)
alert tcp $HOME_NET any -> [121.36.245.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212022; rev:1;)
alert tcp $HOME_NET any -> [121.41.48.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212020; rev:1;)
alert tcp $HOME_NET any -> [101.200.124.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212021; rev:1;)
alert tcp $HOME_NET any -> [114.55.54.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212019; rev:1;)
alert tcp $HOME_NET any -> [47.107.103.100] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212018; rev:1;)
alert tcp $HOME_NET any -> [47.99.44.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212017; rev:1;)
alert tcp $HOME_NET any -> [8.130.133.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212016; rev:1;)
alert tcp $HOME_NET any -> [124.220.66.44] 61000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212014; rev:1;)
alert tcp $HOME_NET any -> [119.91.214.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212015; rev:1;)
# The next two DNS names are cloud-provider default hostnames that spell out the instance's
# public address (18.184.2.38 and 110.41.11.72). Such addresses are handed to a new tenant
# when the instance is released, so expect these indicators to go stale quickly despite the
# 100 confidence; a hit long after first_seen deserves a second look before escalation.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-184-2-38.eu-central-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212013; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-110-41-11-72.compute.hwclouds-dns.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212011; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doc.belstar.com.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1212012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212012; rev:1;)
# /__utm.gif is a well-known web-analytics beacon path that some C2 frameworks imitate. The
# rule is safe against real analytics traffic only because the http.host test is exact
# (depth:11 plus isdataat:!1,relative pins the host to 104.131.3.3 and nothing else).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"104.131.3.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212008; rev:1;)
# Meterpreter, confidence 80. 3790 is the default port of Metasploit Pro's web console, which
# fits the tag but also means the host may be an operator's Metasploit box seen by a scanner
# rather than a live handler — verify before blocking.
alert tcp $HOME_NET any -> [177.125.40.217] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212007/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212007; rev:1;)
# fre.php is a gate filename used by several stealer panels; the match is pinned to the exact host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/blessedjay/five/fre.php"; depth:36; nocase; http.host; content:"blessedjay.dolphinair.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212006; rev:1;)
# Payload delivery URLs. www.steadyrun.com and my.hoqer.com (below) share the /temp/<name>.zip
# layout, which suggests one campaign — inference only, nothing here confirms it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/chromiumviewer.zip"; depth:24; nocase; http.host; content:"www.steadyrun.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212001; rev:1;)
# A URI test of just "/" at depth:1 is true for every request, so the three rules with that
# pattern (157.245.111.60, app.alwasl.tn, sonaeducationfoundation.com.np) are in effect
# host-only matches on any GET; the http.host value is the whole indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.245.111.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"app.alwasl.tn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/webmodulebrowser.zip"; depth:26; nocase; http.host; content:"my.hoqer.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sonaeducationfoundation.com.np"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1212005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91212005; rev:1;)
# DarkComet, confidence 80. 1604 is DarkComet's default listener port, consistent with the tag.
alert tcp $HOME_NET any -> [93.65.194.23] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1212000/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91212000; rev:1;)
# ShadowPad C2, confidence 100 (the 141.164.54.104 rule continues on the next line).
alert tcp $HOME_NET any -> [211.75.116.27] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211997; rev:1;)
alert tcp $HOME_NET any -> [141.164.54.104] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic 
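(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211998; rev:1;)
# (The line above is the tail of sid 91211998, ShadowPad C2 at 141.164.54.104:80; its header is on the preceding line.)
#
# Two URL indicators on 185.172.128.5 under the same directory /v8sjh3hs8/ (login.php and
# index.php). Both pin the exact host (depth on the http.host content plus
# isdataat:!1,relative), so the same path on another host does not trigger them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v8sjh3hs8/login.php"; depth:20; nocase; http.host; content:"185.172.128.5"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211999; rev:1;)
# Unknown malware, confidence 80: a single-packet IP:port match with no flow keyword, so the
# initial SYN already fires; threshold limits it to one alert per source host per 60 s.
alert tcp $HOME_NET any -> [47.109.57.38] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211996/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91211996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v8sjh3hs8/index.php"; depth:20; nocase; http.host; content:"185.172.128.5"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211995; rev:1;)
# NetSupport Manager RAT, confidence 100, on 443. The rule carries no TLS context, so a lone
# alert is an IP hit only; confirm against the flow record (SNI/JA3, bytes) before acting.
alert tcp $HOME_NET any -> [91.92.244.196] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211994; rev:1;)
# cdn-uk.widgetsfordeploy.com — three rules (two URL, one DNS) for the same host.
# As generated, the two URL rules looked for the hostname at offset 0 of the http.uri buffer
# (content:"cdn-uk.widgetsfordeploy.com"; depth:27) and had no http.host test at all. The
# normalized URI of an ordinary request starts with "/", so that pattern cannot match real
# traffic and both rules were dead. Rewritten as rev:2 in the same shape as this file's other
# host-only URL rules: any GET (http.uri "/" at depth 1) whose http.host is exactly
# cdn-uk.widgetsfordeploy.com (depth:27 plus isdataat:!1,relative). The two URL rules remain
# identical to each other except for their ThreatFox reference — presumably two URL
# submissions for the same host — and are both kept so each IOC id stays resolvable from its sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-uk.widgetsfordeploy.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211991; rev:2;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-uk.widgetsfordeploy.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdn-uk.widgetsfordeploy.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211992; rev:2;)
# Meterpreter, confidence 80. 3790 is the default port of Metasploit Pro's web console, which
# fits the tag but also means the host may be an operator's Metasploit box seen by a scanner
# rather than a live handler — verify before blocking.
alert tcp $HOME_NET any -> [89.23.97.118] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211990/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91211990; rev:1;)
# Confidence 50 from here on: alert-only material, not a basis for a drop rule on its own.
alert tcp $HOME_NET any -> [206.237.30.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211989/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211989; rev:1;)
# Havoc C2, confidence 50 (rule continues on the next line).
alert tcp $HOME_NET any -> [34.29.20.95] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 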
count 1; reference:url, threatfox.abuse.ch/ioc/1211988/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211988; rev:1;)
# (The line above is the tail of sid 91211988, Havoc C2 at 34.29.20.95:443, confidence 50; its header is on the preceding line.)
#
# BianLian, eight rules, all at confidence 50: alert-only material, not a basis for blocking on
# their own. 104.225.129.142 is listed on six ports (8080, 8000, 80, 5971, 8443 here and the
# others in this group); one rule on "any" port would be cheaper to evaluate, but the per-port
# rules keep one ThreatFox reference per sid, so they are left as generated. No flow keyword,
# so the first SYN to any of these fires; threshold caps it at one alert per source per 60 s.
alert tcp $HOME_NET any -> [104.200.67.5] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211986/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211986; rev:1;)
alert tcp $HOME_NET any -> [104.200.67.5] 2086 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211987/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211987; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.142] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211985/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211985; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.142] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211984/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211984; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.142] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211982/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211982; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.142] 5971 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211983/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211983; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.142] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211981/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211981; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.76] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211980/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_11; classtype:trojan-activity; sid:91211980; rev:1;)
# Domain indicators, confidence 100. Each DNS rule is an exact-name match: depth anchors the
# name at the start of the query and isdataat:!1,relative forbids anything after it, so a
# lookup for a subdomain (www.albumpga.top) or a longer name does not trigger. Matching
# $HOME_NET -> $EXTERNAL_NET also means that behind an internal recursive resolver the only
# query crossing this boundary is the resolver's own, and target:src_ip will then name the
# resolver rather than the infected client — correlate with resolver logs for the real source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albumpga.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.albumcallgirl.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caklub.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8videoabc.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211969; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albumphotoshow.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myafarisha.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211966; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"best-pc-games.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211967; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"globalsalestore.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211968; rev:1;)
# Domain indicators, confidence 100, submitted together (sids 91211939–91211965). Many are
# near-duplicates of one another (x-album.com / x-albums.com, xphotos.net / x-photos.net /
# xphotos-album.com, xpictures.net / xpictures-albums.com, pictures-album.com, ...), and two
# trade on popular-software names (chatgpt-premium.com, office-2023.com). Because every DNS
# rule here is an exact-name match (depth plus isdataat:!1,relative), each spelling needs its
# own rule and a lookup for a subdomain of any of them is not caught. The rules match
# $HOME_NET -> $EXTERNAL_NET, so behind an internal recursive resolver target:src_ip will
# name the resolver, not the client — correlate with resolver logs for the real source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kudaqq.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211965; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaesik.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211963; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"photoandfilms.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211964; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"image-albums.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpictures-albums.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xphotos-album.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211959; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pictures-album.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211960; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-picture.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211956; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movies-box.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211957; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movies-cine.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-album.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myprivatephotoalbum.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"videovip.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-x-videos.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chatgpt-premium.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sportydesktops.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office-2023.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xphotos.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-photobucket.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lydownload.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpictures.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"photography-hq.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-albums.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nctitds.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x-photos.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leakonlyfan.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albumimages.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211940; rev:1;)
# Stealer C2s, confidence 100. Plain "alert tcp" with no flow keyword: the first SYN to the
# address:port fires; threshold caps it at one alert per source host per 60 s.
alert tcp $HOME_NET any -> [5.42.64.45] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211933; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.87] 6731 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211934; rev:1;)
# Mirai C2, confidence 75. A hit from $HOME_NET here points at an embedded/IoT device rather
# than a workstation; the source is what needs looking at.
alert tcp $HOME_NET any -> [185.196.9.102] 961 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211918/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_11; classtype:trojan-activity; sid:91211918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratefacilityframw.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211932; rev:1;)
# Cobalt Strike, confidence 80 (the 104.128.89.139 rule continues on the next line).
alert tcp $HOME_NET any -> [81.71.140.170] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211979/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91211979; rev:1;)
alert tcp $HOME_NET any -> [104.128.89.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211978/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91211978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"neighborhoodfeelsa.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211977; rev:1;) alert tcp $HOME_NET any -> [66.204.14.119] 37 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211976/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91211976; rev:1;) alert tcp $HOME_NET any -> [181.41.200.232] 4000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211975; rev:1;) alert tcp $HOME_NET any -> [89.247.50.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211974/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_11; classtype:trojan-activity; sid:91211974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pl341/index.php"; 
depth:16; nocase; http.host; content:"dbxq1.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bll341/index.php"; depth:17; nocase; http.host; content:"taliz-group.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_11; classtype:trojan-activity; sid:91211937; rev:1;) alert tcp $HOME_NET any -> [178.33.57.150] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211936/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211936; rev:1;) alert tcp $HOME_NET any -> [178.33.57.150] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dayfarrichjwclik.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211931; rev:1;) alert tcp $HOME_NET any -> [147.50.253.45] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211930/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_10; classtype:trojan-activity; sid:91211930; rev:1;) alert tcp $HOME_NET any -> [192.124.176.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211929/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211929; rev:1;) alert tcp $HOME_NET any -> [117.215.20.211] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211928/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211928; rev:1;) alert tcp $HOME_NET any -> [62.1.61.208] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211927/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211927; rev:1;) alert tcp $HOME_NET any -> [154.247.143.65] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211926/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211926; rev:1;) alert tcp $HOME_NET any -> [86.135.53.12] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211925/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211925; rev:1;) alert tcp 
$HOME_NET any -> [50.60.129.187] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211924/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211924; rev:1;) alert tcp $HOME_NET any -> [104.238.60.76] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211923/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211923; rev:1;) alert tcp $HOME_NET any -> [104.238.60.76] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211922/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211922; rev:1;) alert tcp $HOME_NET any -> [13.248.202.168] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211921/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211921; rev:1;) alert tcp $HOME_NET any -> [3.86.97.154] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211920/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211920; rev:1;) alert tcp $HOME_NET any -> [85.208.214.91] 38657 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211919/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211914; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"never.hitsturbo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpythonphp_cpuprocessuniversaldle.php"; depth:45; nocase; http.host; content:"185.221.198.229"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"never.hitsturbo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"phonetictgapk.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1211910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"medicinefixlowop.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"albumerrorregisetep.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211906; rev:1;) alert tcp $HOME_NET any -> [94.96.132.230] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211908/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_10; classtype:trojan-activity; sid:91211908; rev:1;) alert tcp $HOME_NET any -> [164.52.201.153] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211905/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"ratefacilityframw.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211904; rev:1;) alert tcp $HOME_NET any -> [185.46.46.174] 29254 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"castlesideopwas.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businesforhome.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magementfair.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"settingfir.com"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1211901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"193.222.96.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"51.68.169.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.mlcrosoft.fyi"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211895; rev:1;) alert tcp $HOME_NET any -> [43.136.40.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/enable/v9.35/oteizvy9gdn"; depth:25; nocase; http.host; content:"cdn.mlcrosoft.fyi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"44.211.191.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"57.128.141.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"84.32.44.180"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1211890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"cdn.ctfmall.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.ctfmall.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"193.222.96.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.236.123.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gartenlofti.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211884; rev:1;) alert tcp $HOME_NET any -> [109.107.181.24] 29316 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211883; rev:1;) alert tcp $HOME_NET any -> [110.40.177.201] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211882/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_10; classtype:trojan-activity; sid:91211882; rev:1;) alert tcp $HOME_NET any -> [82.147.85.189] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211881; rev:1;) alert tcp $HOME_NET any -> [185.222.58.99] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"magementfair.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:bad-unknown; sid:91211878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"settingfir.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:bad-unknown; sid:91211879; rev:1;) alert tcp $HOME_NET any -> [173.211.106.109] 50720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211877; rev:1;) alert tcp $HOME_NET any -> [193.233.132.55] 25530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211875/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"188.121.110.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"54.166.231.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"epsonupdate.uk"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.help.drb_da.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"login.help.drb_da.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swf.help.drb_da.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211869; rev:1;) alert tcp $HOME_NET any -> [106.52.219.135] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211868; rev:1;) alert tcp $HOME_NET any -> [43.138.10.232] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns_update2.wps.bj.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns_update1.wps.bj.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211865/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211865; rev:1;) alert tcp $HOME_NET any -> [5.188.87.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/faq/vo9d46j8"; depth:24; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211863; rev:1;) alert tcp $HOME_NET any -> [5.188.87.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/faq/vo9d46j8"; depth:24; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211860; rev:1;) alert tcp $HOME_NET any -> [31.42.189.18] 28750 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211859; rev:1;) alert tcp $HOME_NET any -> [220.69.33.53] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211858/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_10; classtype:trojan-activity; sid:91211858; rev:1;) alert tcp $HOME_NET any -> [155.94.178.215] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211857/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_10; classtype:trojan-activity; sid:91211857; rev:1;) alert tcp $HOME_NET any -> [143.92.40.173] 6108 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211736/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211736; rev:1;) alert tcp $HOME_NET any -> [163.181.92.82] 1688 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211737/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211737; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"book.cookielive.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211738/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"new.gettimi.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211739/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dlink.host"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211740/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home.gif"; depth:9; nocase; http.host; content:"kukutrustnet777.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home.gif"; depth:9; nocase; http.host; content:"kukutrustnet888.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; 
classtype:trojan-activity; sid:91211742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home.gif"; depth:9; nocase; http.host; content:"kukutrustnet987.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"download-ai.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videocallgirl.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"albumphotoshow.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"8videoabc.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211751; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dl.download-ai.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1bilionupdated.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"10minions.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sluter.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pa688.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"albumphotography.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211757; rev:1;) alert tcp $HOME_NET any -> [162.19.175.96] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211856; rev:1;) alert tcp $HOME_NET any -> [158.220.124.165] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211855/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_10; classtype:trojan-activity; sid:91211855; rev:1;) alert tcp $HOME_NET any -> [5.226.51.88] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211854/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211854; rev:1;) alert tcp $HOME_NET any -> [5.193.51.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211853/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211853; rev:1;) alert tcp $HOME_NET any -> [109.152.118.242] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211852/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; 
classtype:trojan-activity; sid:91211852; rev:1;) alert tcp $HOME_NET any -> [80.78.26.69] 2096 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211851/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211851; rev:1;) alert tcp $HOME_NET any -> [120.132.83.136] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211850/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211850; rev:1;) alert tcp $HOME_NET any -> [80.66.79.129] 9090 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211849/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_10; classtype:trojan-activity; sid:91211849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch/p/gate.php"; depth:14; nocase; http.host; content:"hivamusic.ir"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211848; rev:1;) alert tcp $HOME_NET any -> [135.125.189.116] 1200 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3temporaryhttp2/servergeo3geo/protectdefaultapipublic/apilocalbigloaddb/js31/providerpacket/5/eternal/testdownloads/8datalifeprotectgeo/bigloadpipeexternaldatalife/longpolldefaulttemporaryflower/wordpress08js/longpollpipebase/8videoprovider/pythonbigloaddatalife8/5/7flowerprivate/pipecpulongpollbigloadserversqlgeneratordlepublictemporary.php"; depth:344; nocase; http.host; content:"188.120.233.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211846; rev:1;) alert tcp $HOME_NET any -> [5.2.68.80] 600 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211845; rev:1;) alert tcp $HOME_NET any -> [23.95.197.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211844/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_10; classtype:trojan-activity; sid:91211844; rev:1;) alert tcp $HOME_NET any -> [197.3.130.190] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211843; rev:1;) alert tcp $HOME_NET any -> [151.236.22.48] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211842/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211842; rev:1;) alert tcp $HOME_NET any -> [45.90.12.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211841/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_10; classtype:trojan-activity; sid:91211841; rev:1;) alert tcp $HOME_NET any -> [159.75.93.152] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211840; rev:1;) alert tcp $HOME_NET any -> [157.7.114.81] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211839; rev:1;) alert tcp $HOME_NET any -> [120.48.70.155] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211838; rev:1;) alert tcp $HOME_NET any -> [27.9.45.67] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211837; rev:1;) alert tcp $HOME_NET any -> [167.88.170.64] 60000 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211836; rev:1;) alert tcp $HOME_NET any -> [106.54.215.181] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211835; rev:1;) alert tcp $HOME_NET any -> [45.145.229.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-220-158-139.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211833; rev:1;) alert tcp $HOME_NET any -> [5.42.92.179] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211832; rev:1;) alert tcp $HOME_NET any -> [106.54.209.187] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211831/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211831; rev:1;) alert tcp $HOME_NET any -> [18.157.174.191] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211830; rev:1;) alert tcp $HOME_NET any -> [18.157.174.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211829; rev:1;) alert tcp $HOME_NET any -> [3.70.109.238] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211828; rev:1;) alert tcp $HOME_NET any -> [3.70.109.238] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211827; rev:1;) alert tcp $HOME_NET any -> [91.92.252.193] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211826; rev:1;) alert tcp $HOME_NET any -> [205.234.181.9] 8081 (msg:"ThreatFox RisePro botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211825; rev:1;) alert tcp $HOME_NET any -> [70.77.124.96] 8443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211824; rev:1;) alert tcp $HOME_NET any -> [157.245.128.27] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211823; rev:1;) alert tcp $HOME_NET any -> [4.194.12.203] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211822; rev:1;) alert tcp $HOME_NET any -> [27.124.6.248] 6606 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211821; rev:1;) alert tcp $HOME_NET any -> [172.233.82.22] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; 
classtype:trojan-activity; sid:91211820; rev:1;) alert tcp $HOME_NET any -> [185.36.81.57] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blissful-kapitsa.139-28-36-237.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211818; rev:1;) alert tcp $HOME_NET any -> [66.135.26.66] 10010 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211817; rev:1;) alert tcp $HOME_NET any -> [5.189.175.70] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211816; rev:1;) alert tcp $HOME_NET any -> [172.174.214.137] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211815; rev:1;) alert tcp $HOME_NET any -> [43.243.73.167] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211814; rev:1;) alert tcp $HOME_NET any -> [62.197.49.1] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211813; rev:1;) alert tcp $HOME_NET any -> [95.214.177.39] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211812; rev:1;) alert tcp $HOME_NET any -> [173.254.235.53] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211811; rev:1;) alert tcp $HOME_NET any -> [64.227.149.69] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211810; rev:1;) alert tcp $HOME_NET any -> [163.5.64.73] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211809; rev:1;) alert tcp $HOME_NET any -> [66.29.133.55] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211808; rev:1;) alert tcp $HOME_NET any -> [107.173.140.104] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211807; rev:1;) alert tcp $HOME_NET any -> [103.146.202.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211806; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 2017 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211805; rev:1;) alert tcp $HOME_NET any -> [27.64.157.66] 257 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211804; rev:1;) alert tcp $HOME_NET any -> [149.0.232.42] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211803/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_10; classtype:trojan-activity; sid:91211803; rev:1;) alert tcp $HOME_NET any -> [142.202.240.140] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211802; rev:1;) alert tcp $HOME_NET any -> [52.185.48.220] 8585 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211801; rev:1;) alert tcp $HOME_NET any -> [118.89.52.171] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211800/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_10; classtype:trojan-activity; sid:91211800; rev:1;) alert tcp $HOME_NET any -> [118.89.52.171] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211799/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_10; classtype:trojan-activity; sid:91211799; rev:1;) alert tcp $HOME_NET any -> [118.89.52.171] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211798/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_10; classtype:trojan-activity; sid:91211798; rev:1;) alert tcp $HOME_NET any -> [118.89.52.171] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211797/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_10; classtype:trojan-activity; sid:91211797; rev:1;) alert tcp $HOME_NET any -> [149.88.73.191] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211796/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_10; classtype:trojan-activity; sid:91211796; rev:1;) alert tcp $HOME_NET any -> [47.112.137.119] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211795; rev:1;) alert tcp $HOME_NET any -> [47.112.137.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211794; rev:1;) alert tcp $HOME_NET any -> [163.5.64.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211793; rev:1;) alert tcp $HOME_NET any -> [175.178.14.59] 9002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211792; rev:1;) alert tcp $HOME_NET any 
-> [43.143.168.10] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211791; rev:1;) alert tcp $HOME_NET any -> [163.197.240.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211790; rev:1;) alert tcp $HOME_NET any -> [103.195.7.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211789; rev:1;) alert tcp $HOME_NET any -> [123.56.185.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211788; rev:1;) alert tcp $HOME_NET any -> [18.163.73.9] 9191 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211787; rev:1;) alert tcp $HOME_NET any -> [36.111.166.231] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211786; rev:1;) alert tcp $HOME_NET any -> [141.255.147.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211785; rev:1;) alert tcp $HOME_NET any -> [20.98.44.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211784; rev:1;) alert tcp $HOME_NET any -> [20.98.44.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211783; rev:1;) alert tcp $HOME_NET any -> [47.94.252.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211782; rev:1;) alert tcp $HOME_NET any -> [8.142.117.162] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211781; rev:1;) alert tcp $HOME_NET any -> [8.142.117.162] 8443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211780; rev:1;) alert tcp $HOME_NET any -> [172.232.106.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211779; rev:1;) alert tcp $HOME_NET any -> [124.220.28.253] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211778; rev:1;) alert tcp $HOME_NET any -> [121.37.41.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211777; rev:1;) alert tcp $HOME_NET any -> [38.6.179.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211776; rev:1;) alert tcp $HOME_NET any -> [8.130.88.253] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211775/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211775; rev:1;) alert tcp $HOME_NET any -> [1.14.205.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211774; rev:1;) alert tcp $HOME_NET any -> [81.71.140.170] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211773; rev:1;) alert tcp $HOME_NET any -> [121.41.76.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211772; rev:1;) alert tcp $HOME_NET any -> [43.140.202.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211771; rev:1;) alert tcp $HOME_NET any -> [74.234.27.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211770; rev:1;) alert tcp $HOME_NET any -> [38.6.179.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211769; rev:1;) alert tcp $HOME_NET any -> [34.30.78.243] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211768; rev:1;) alert tcp $HOME_NET any -> [101.43.49.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211767; rev:1;) alert tcp $HOME_NET any -> [45.32.125.172] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211766; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211765; rev:1;) alert tcp $HOME_NET any -> [156.224.24.186] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211764; 
rev:1;) alert tcp $HOME_NET any -> [129.226.148.34] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211763; rev:1;) alert tcp $HOME_NET any -> [20.25.23.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211762; rev:1;) alert tcp $HOME_NET any -> [148.135.121.196] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211761; rev:1;) alert tcp $HOME_NET any -> [120.46.132.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211760; rev:1;) alert tcp $HOME_NET any -> [111.229.227.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211759; rev:1;) alert tcp $HOME_NET any -> [18.184.2.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_10; classtype:trojan-activity; sid:91211758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.137.5.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/v9.52/6fcq3uvd9"; depth:23; nocase; http.host; content:"115.159.102.112"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211746; rev:1;) alert tcp $HOME_NET any -> [195.246.230.231] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211745; rev:1;) alert tcp $HOME_NET any -> [39.100.77.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211744/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211744; rev:1;) alert tcp $HOME_NET any -> [163.5.64.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211735/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211735; rev:1;) alert tcp $HOME_NET any -> [85.208.109.15] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211734/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211734; rev:1;) alert tcp $HOME_NET any -> [45.155.121.137] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211733/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_09; classtype:trojan-activity; sid:91211733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"societylaboratoryuw.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211732; rev:1;) alert tcp $HOME_NET any -> [45.15.156.187] 23929 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211731; rev:1;) alert tcp $HOME_NET any -> [158.220.90.199] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211730/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; 
classtype:trojan-activity; sid:91211730; rev:1;) alert tcp $HOME_NET any -> [78.18.235.102] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211729/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211729; rev:1;) alert tcp $HOME_NET any -> [186.105.102.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211728/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211728; rev:1;) alert tcp $HOME_NET any -> [109.248.6.225] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211727/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211727; rev:1;) alert tcp $HOME_NET any -> [13.52.214.225] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211726/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211726; rev:1;) alert tcp $HOME_NET any -> [45.79.6.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211725/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211725; rev:1;) alert tcp $HOME_NET any -> [91.92.250.47] 2025 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211724; rev:1;) alert tcp $HOME_NET any -> [5.161.74.235] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211723; rev:1;) alert tcp $HOME_NET any -> [217.76.59.48] 24251 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211722; rev:1;) alert tcp $HOME_NET any -> [82.115.223.152] 3838 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211721; rev:1;) alert tcp $HOME_NET any -> [78.47.48.76] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211720/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211720; rev:1;) alert tcp $HOME_NET any -> [91.92.251.22] 5122 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211719; rev:1;) alert tcp $HOME_NET any -> [135.181.13.128] 29053 (msg:"ThreatFox RedLine 
Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211718; rev:1;) alert tcp $HOME_NET any -> [91.92.243.245] 3245 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211717; rev:1;) alert tcp $HOME_NET any -> [93.123.85.35] 1889 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211716/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_09; classtype:trojan-activity; sid:91211716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server6public/5vm/pipe/wplow/wordpressupdate/protect3/temptestphp/7longpoll/mariadbupdatepublictemporary/generator/lineserver/lowtrackdb/dlecdnsecure/processor/pythontestcentral.php"; depth:182; nocase; http.host; content:"62.109.10.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.143.168.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211714/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_09; classtype:trojan-activity; sid:91211714; rev:1;) alert tcp $HOME_NET any -> [82.147.84.248] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lestencrypt.dnset.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211705; rev:1;) alert tcp $HOME_NET any -> [8.142.5.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211713/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211713; rev:1;) alert tcp $HOME_NET any -> [51.68.58.153] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211712/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211712; rev:1;) alert tcp $HOME_NET any -> [47.96.229.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211711/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211711; rev:1;) alert tcp $HOME_NET any -> [62.234.54.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211710/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211710; rev:1;) alert tcp $HOME_NET any -> [39.105.191.1] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211709/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211709; rev:1;) alert tcp $HOME_NET any -> [182.92.216.47] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211708/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211708; rev:1;) alert tcp $HOME_NET any -> [123.56.194.52] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211707/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211707; rev:1;) alert tcp $HOME_NET any -> [120.78.206.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211706/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211706; rev:1;) alert tcp $HOME_NET any -> [8.130.79.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211704/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; 
sid:91211704; rev:1;) alert tcp $HOME_NET any -> [91.92.243.83] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211702; rev:1;) alert tcp $HOME_NET any -> [104.131.3.3] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greatkingtravel8200.duckdns.org"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"greatkingtravel8200.duckdns.org"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_newspaper"; depth:14; nocase; http.host; content:"74.119.192.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; 
classtype:trojan-activity; sid:91211699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9.35/oteizvy9gdn"; depth:25; nocase; http.host; content:"43.136.40.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211698; rev:1;) alert tcp $HOME_NET any -> [1.15.154.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.15.154.133"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211696; rev:1;) alert tcp $HOME_NET any -> [88.251.137.26] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211695/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"gorgodlm.beget.tech"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1211693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211693; rev:1;) alert tcp $HOME_NET any -> [46.246.4.20] 9988 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lucifer14341.000webhostapp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211691/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m9341/index.php"; depth:16; nocase; http.host; content:"m9re1.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"eukpukpup0.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211689; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15713 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1211688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211688; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15713 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211687; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15713 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211686; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15713 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigload1python/requestpacket8flower/4touniversalauth/httpflower/tobigload5/authprotect6php/apipublic0sql/public/lineprivate.php"; depth:128; nocase; http.host; content:"79.174.94.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211684; rev:1;) alert tcp $HOME_NET any -> [86.38.203.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211683/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211683; rev:1;) alert tcp $HOME_NET any -> [72.11.156.74] 5199 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211682; rev:1;) alert tcp $HOME_NET any -> [54.202.249.105] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211681/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211681; rev:1;) alert tcp $HOME_NET any -> [104.238.60.76] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211680/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211680; rev:1;) alert tcp $HOME_NET any -> [104.238.60.76] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211679/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211679; rev:1;) alert tcp $HOME_NET any -> [151.236.22.48] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211677/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211677; rev:1;) alert tcp $HOME_NET any -> [151.236.22.48] 8443 (msg:"ThreatFox BianLian 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211678/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211678; rev:1;) alert tcp $HOME_NET any -> [151.236.22.48] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211676/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211676; rev:1;) alert tcp $HOME_NET any -> [151.236.22.48] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211675/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211675; rev:1;) alert tcp $HOME_NET any -> [168.138.174.216] 9443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211674/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211674; rev:1;) alert tcp $HOME_NET any -> [38.180.44.56] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211673/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211673; rev:1;) alert tcp $HOME_NET any -> [178.68.16.136] 65357 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211672/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; 
classtype:trojan-activity; sid:91211672; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 39923 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211671; rev:1;) alert tcp $HOME_NET any -> [193.233.132.16] 31129 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"vippivok.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211630/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"juzacaver.store"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211631/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"frekelobasder.com"; depth:17; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1211632/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"abehimenoyar.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211633/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"conventionleaflew.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"acidevenstrisj.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationpalaoow.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211642; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"belongblowrelatefw.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reviveincapablewew.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cakecoldsplurgrewe.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"opposesicknessopw.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/api"; depth:4; nocase; http.host; content:"politefrightenpowoa.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211646; rev:1;) alert tcp $HOME_NET any -> [45.40.96.241] 8800 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processflowerasync.php"; depth:23; nocase; http.host; content:"krutnotupg.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211669; rev:1;) alert tcp $HOME_NET any -> [85.208.109.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211668/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/datalife/pollprovider/default/protonprotoncentral/trafficvideotemptrack/universalto5/6generatorhttprequest/privateproviderphp/authimage/1/temp/0auth/game2_/1dleexternal/betterprovider1/providervideoserverserver/cpubigload/pipepythonrequestsecuregamelongpollbigloadgeneratortrafficpublic.php"; depth:301; nocase; http.host; 
content:"5.42.92.212"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepollserver.php"; depth:19; nocase; http.host; content:"882394cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211666; rev:1;) alert tcp $HOME_NET any -> [74.119.192.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211665/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0892975.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211664; rev:1;) alert tcp $HOME_NET any -> [69.164.192.46] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211663/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211663; rev:1;) alert tcp $HOME_NET any -> [44.211.191.212] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211662/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211662; rev:1;) alert tcp $HOME_NET any -> [91.92.248.48] 5552 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211661; rev:1;) alert tcp $HOME_NET any -> [43.136.40.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211660/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_09; classtype:trojan-activity; sid:91211660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kelenoproc.cc.ua"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211659/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_09; classtype:trojan-activity; sid:91211659; rev:1;) alert tcp $HOME_NET any -> [77.105.132.87] 20104 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_09; classtype:trojan-activity; sid:91211658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"time234wa234rper346465432.ug"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211657/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_12_08; classtype:trojan-activity; sid:91211657; rev:1;) alert tcp $HOME_NET any -> [54.166.231.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.232.145.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211655; rev:1;) alert tcp $HOME_NET any -> [80.77.23.210] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compose/v2.85/cieu4a5v4t5"; depth:26; nocase; http.host; content:"gertefin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thuushohkeengeidohteemai.spenserfitolife.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211651/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211651; rev:1;) alert tcp $HOME_NET any -> [89.147.109.213] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/start/pic/5t0igvjxmr3"; depth:22; nocase; http.host; content:"thuushohkeengeidohteemai.spenserfitolife.com"; depth:44; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211650; rev:1;) alert tcp $HOME_NET any -> [185.77.226.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211649/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211649; rev:1;) alert tcp $HOME_NET any -> [5.180.114.171] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211647/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211647; rev:1;) alert tcp $HOME_NET any -> [27.124.53.83] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211638/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; 
classtype:trojan-activity; sid:91211638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternallinelowgamedefaultsqlbaseasyncuniversal.php"; depth:51; nocase; http.host; content:"019214cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211637; rev:1;) alert tcp $HOME_NET any -> [158.220.103.150] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211636; rev:1;) alert tcp $HOME_NET any -> [31.220.96.162] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211634; rev:1;) alert tcp $HOME_NET any -> [45.137.192.63] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211635; rev:1;) alert tcp $HOME_NET any -> [77.105.132.87] 14418 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211629; rev:1;) alert tcp $HOME_NET any 
-> [213.109.202.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211628/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211628; rev:1;) alert tcp $HOME_NET any -> [107.172.196.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211627/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211627; rev:1;) alert tcp $HOME_NET any -> [121.166.111.37] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211626/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"hourmoneearti.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211622/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211622; rev:1;) alert tcp $HOME_NET any -> [185.224.128.191] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211623/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211623; rev:1;) alert tcp $HOME_NET any -> [57.128.155.22] 20154 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211625; rev:1;) alert tcp $HOME_NET any -> [161.97.144.241] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211624/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211624; rev:1;) alert tcp $HOME_NET any -> [5.161.190.139] 13757 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211621; rev:1;) alert tcp $HOME_NET any -> [94.49.178.155] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211620/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211620; rev:1;) alert tcp $HOME_NET any -> [91.92.240.141] 5577 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"59.110.6.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; 
classtype:trojan-activity; sid:91211618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.130.18.12"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.41.15.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.120.32.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.129.230.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"52.192.163.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.24.128.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"128.199.70.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.152.67.31"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1211609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.3.90.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211607; rev:1;) alert tcp $HOME_NET any -> [103.24.219.44] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr2.vvvvvbeng.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr1.vvvvvbeng.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1211604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/es.html"; depth:8; nocase; http.host; content:"powellfamilydentist.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"81.70.190.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"54.166.231.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211600; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.132.250.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211599; rev:1;) alert tcp $HOME_NET any -> [46.250.242.53] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211598/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211598; rev:1;) alert tcp $HOME_NET any -> [3.7.236.116] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211597; rev:1;) alert tcp $HOME_NET any -> [123.60.47.118] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211596; rev:1;) alert tcp $HOME_NET any -> [187.135.244.4] 2258 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211595; rev:1;) alert tcp $HOME_NET any -> [187.135.244.4] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211594; rev:1;) alert tcp $HOME_NET any -> [187.135.244.4] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211593; rev:1;) alert tcp $HOME_NET any -> [43.143.199.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211592; rev:1;) alert tcp $HOME_NET any -> [43.136.182.4] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211591; rev:1;) alert tcp $HOME_NET any -> [47.245.94.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211590; rev:1;) alert tcp $HOME_NET any -> [52.202.179.126] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; 
sid:91211589; rev:1;) alert tcp $HOME_NET any -> [183.80.187.20] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211588; rev:1;) alert tcp $HOME_NET any -> [45.77.2.11] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211587; rev:1;) alert tcp $HOME_NET any -> [108.160.140.12] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211586; rev:1;) alert tcp $HOME_NET any -> [103.12.148.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211585; rev:1;) alert tcp $HOME_NET any -> [4.236.181.235] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211583; rev:1;) alert tcp $HOME_NET any -> [45.77.170.174] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211584; rev:1;) alert tcp $HOME_NET any -> [212.224.88.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211582; rev:1;) alert tcp $HOME_NET any -> [104.233.210.167] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211581; rev:1;) alert tcp $HOME_NET any -> [193.149.189.240] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211580; rev:1;) alert tcp $HOME_NET any -> [82.165.74.190] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211579; rev:1;) alert tcp $HOME_NET any -> [142.171.2.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211578; rev:1;) alert tcp $HOME_NET any -> [101.132.147.163] 8002 (msg:"ThreatFox ShadowPad botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211577/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211577; rev:1;) alert tcp $HOME_NET any -> [142.171.172.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211576; rev:1;) alert tcp $HOME_NET any -> [47.117.174.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211575; rev:1;) alert tcp $HOME_NET any -> [43.154.190.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211573; rev:1;) alert tcp $HOME_NET any -> [103.234.72.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211574; rev:1;) alert tcp $HOME_NET any -> [47.112.137.119] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211572/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_08; classtype:trojan-activity; sid:91211572; rev:1;) alert tcp $HOME_NET any -> [47.112.137.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211571; rev:1;) alert tcp $HOME_NET any -> [207.174.28.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211570; rev:1;) alert tcp $HOME_NET any -> [38.165.7.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211568; rev:1;) alert tcp $HOME_NET any -> [38.165.7.225] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211569; rev:1;) alert tcp $HOME_NET any -> [120.78.135.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211566; rev:1;) alert tcp $HOME_NET any -> [18.182.225.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211567; rev:1;) alert tcp $HOME_NET any -> [120.78.135.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211565; rev:1;) alert tcp $HOME_NET any -> [103.24.219.44] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211564; rev:1;) alert tcp $HOME_NET any -> [43.139.128.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211563; rev:1;) alert tcp $HOME_NET any -> [180.76.99.119] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211562; rev:1;) alert tcp $HOME_NET any -> [101.99.91.199] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211561; rev:1;) alert tcp 
$HOME_NET any -> [93.127.26.74] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211560/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211560; rev:1;) alert tcp $HOME_NET any -> [194.169.55.252] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211559/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jessvisser.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kolinileas.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caspercan.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wardeli.com"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterunix.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maluisepaul.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"schumacherbar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"animalsfast.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garbagemoval.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211526/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_08; classtype:trojan-activity; sid:91211526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gertefin.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"constrtionfirst.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unitedfrom.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brendonline.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"septcntr.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auuditoe.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investsystemus.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blocknowtech.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mytrailinvest.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realeinvestment.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudwebstart.net"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitor-websystem.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karmafisker.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"airbusco.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailgroupl.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitorsystem.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211548/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_08; classtype:trojan-activity; sid:91211548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudworldst.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neobeelab.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stockinvestlab.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prettyanimals.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gift4animals.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ionoslaba.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buyadvisershop.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blockcentersys.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startuptechnologyw.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investmentrealtyhp.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/traffic/pa"; depth:11; nocase; http.host; content:"bloodrootsbowieful.sbs"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/final_whitepage/channelsuper.exe"; depth:40; nocase; http.host; content:"cevwpmw6dz9qes9nzbaoidfcse9c.terefahunsortdetent.sbs"; depth:52; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"terefahunsortdetent.sbs"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-af2738sh-1259711277.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/split/d/7473220op"; depth:18; nocase; http.host; content:"service-af2738sh-1259711277.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1211522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211522; rev:1;) alert tcp $HOME_NET any -> [43.143.168.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.143.168.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211520; rev:1;) alert tcp $HOME_NET any -> [38.181.25.204] 5858 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211516/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-dlsvfir0-1319620322.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; 
content:"service-dlsvfir0-1319620322.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211514; rev:1;) alert tcp $HOME_NET any -> [168.235.82.192] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211513/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211513; rev:1;) alert tcp $HOME_NET any -> [107.175.221.154] 80 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211512/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3823899/en/inc/e59783f5c53b6e.php"; depth:34; nocase; http.host; content:"107.175.221.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211511; rev:1;) alert tcp $HOME_NET any -> [209.25.141.180] 49131 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211510; rev:1;) alert tcp $HOME_NET any -> [81.0.219.234] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211509/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211509; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15872 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211508; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15872 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211507; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15872 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211506; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15872 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211505; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 19513 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211504; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 19513 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211503; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 19513 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211502; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 19513 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211501; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 19513 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211500; rev:1;) alert tcp $HOME_NET any -> [139.144.212.88] 7957 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211460; rev:1;) alert tcp $HOME_NET any -> [140.99.223.103] 9999 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; 
classtype:trojan-activity; sid:91211461; rev:1;) alert tcp $HOME_NET any -> [34.74.162.235] 9988 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211462; rev:1;) alert tcp $HOME_NET any -> [72.167.141.220] 9988 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211463; rev:1;) alert tcp $HOME_NET any -> [173.209.59.170] 6099 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledocs1.txt"; depth:16; nocase; http.host; content:"lupgameso.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledocs1.txt"; depth:16; nocase; http.host; content:"31.192.107.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; 
classtype:trojan-activity; sid:91211466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"comptech8a.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.74.222.7"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1211468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledocs.txt"; depth:15; nocase; http.host; content:"5.181.156.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledocs.txt"; depth:15; nocase; http.host; content:"aboutnetworkcorporation.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/css/style/10239/elkko00.txt"; depth:28; nocase; http.host; content:"www.jorgeweb.com.br"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/style/10239/elkko00.txt"; depth:28; nocase; http.host; content:"191.6.210.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledocs.txt"; depth:15; nocase; http.host; content:"80.190.75.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googledocs.txt"; depth:15; nocase; http.host; content:"indianajhones.servebeer.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; classtype:trojan-activity; sid:91211473; rev:1;) alert tcp $HOME_NET any -> [172.86.123.127] 8443 (msg:"ThreatFox BlackCat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211480/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_08; classtype:trojan-activity; sid:91211480; rev:1;) alert tcp $HOME_NET any -> [172.86.123.226] 8443 (msg:"ThreatFox BlackCat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211481/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211481; rev:1;) alert tcp $HOME_NET any -> [193.42.32.58] 8443 (msg:"ThreatFox BlackCat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211482/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"manorpolora.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211350/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"poseicocoff.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211351/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"qtargumanikar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211352/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
90%)"; dns_query; content:"tinjamipesto.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211353/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211353; rev:1;) alert tcp $HOME_NET any -> [167.99.180.17] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211354/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211354; rev:1;) alert tcp $HOME_NET any -> [64.227.134.130] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211355/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211355; rev:1;) alert tcp $HOME_NET any -> [193.149.187.189] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211356/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_08; classtype:trojan-activity; sid:91211356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwuwmtfhnzkwmzg3/ndkwntq0mza1owywadm/"; depth:38; nocase; http.host; content:"163.5.64.38"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211378/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mwuwmtfhnzkwmzg3/"; depth:18; nocase; http.host; content:"ahhhuu22cxxx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211379/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwuwmtfhnzkwmzg3/"; depth:18; nocase; http.host; content:"waaabbuuwwsx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211380/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwuwmtfhnzkwmzg3/"; depth:18; nocase; http.host; content:"baowiiicoonee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211381/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwuwmtfhnzkwmzg3/"; depth:18; nocase; http.host; content:"kuulaammbeew1.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211382/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211382; rev:1;) alert tcp $HOME_NET any -> [193.106.174.174] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_08; 
classtype:trojan-activity; sid:91211398; rev:1;) alert tcp $HOME_NET any -> [93.177.167.240] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211499/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211499; rev:1;) alert tcp $HOME_NET any -> [161.97.98.95] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211498/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211498; rev:1;) alert tcp $HOME_NET any -> [107.5.109.170] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211497/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211497; rev:1;) alert tcp $HOME_NET any -> [168.149.18.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211496/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211496; rev:1;) alert tcp $HOME_NET any -> [77.91.78.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211495/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211495; rev:1;) alert tcp $HOME_NET any -> [78.46.200.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211494/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211494; rev:1;) alert tcp $HOME_NET any -> [74.12.145.135] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211493/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211493; rev:1;) alert tcp $HOME_NET any -> [84.155.4.20] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211492/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211492; rev:1;) alert tcp $HOME_NET any -> [88.218.62.79] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211491/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211491; rev:1;) alert tcp $HOME_NET any -> [45.79.11.176] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211490/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211490; rev:1;) alert tcp $HOME_NET any -> [74.119.195.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211489/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211489; rev:1;) alert tcp $HOME_NET any -> [104.248.15.194] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211488/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211488; rev:1;) alert tcp $HOME_NET any -> [172.177.95.197] 8883 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211487/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211487; rev:1;) alert tcp $HOME_NET any -> [172.177.95.197] 5671 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211486/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211486; rev:1;) alert tcp $HOME_NET any -> [121.43.166.96] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211485/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211485; rev:1;) alert tcp $HOME_NET any -> [103.13.210.139] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211484/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_08; classtype:trojan-activity; sid:91211484; rev:1;) alert tcp $HOME_NET any -> [43.138.137.51] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211483/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; 
sid:91211483; rev:1;) alert tcp $HOME_NET any -> [206.189.44.113] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211479/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211479; rev:1;) alert tcp $HOME_NET any -> [95.217.213.154] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211478/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211478; rev:1;) alert tcp $HOME_NET any -> [129.211.210.61] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211477/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211477; rev:1;) alert tcp $HOME_NET any -> [46.1.103.124] 2341 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211475/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211475; rev:1;) alert tcp $HOME_NET any -> [46.1.103.124] 9371 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211476/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_08; classtype:trojan-activity; sid:91211476; rev:1;) alert tcp $HOME_NET any -> [195.201.23.196] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211459/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211459; rev:1;) alert tcp $HOME_NET any -> [187.135.244.4] 2002 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211458/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211458; rev:1;) alert tcp $HOME_NET any -> [94.156.64.103] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211457/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_08; classtype:trojan-activity; sid:91211457; rev:1;) alert tcp $HOME_NET any -> [18.193.81.144] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211456/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211456; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211455/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211455; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 14849 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211454; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 14849 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211453; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 14849 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211452; rev:1;) alert tcp $HOME_NET any -> [66.204.14.110] 44818 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211451/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211451; rev:1;) alert tcp $HOME_NET any -> [62.77.159.136] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211450/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211450; rev:1;) alert tcp $HOME_NET any -> [85.209.11.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211449/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211449; rev:1;) alert tcp $HOME_NET any -> [42.157.165.178] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; 
classtype:trojan-activity; sid:91211448; rev:1;) alert tcp $HOME_NET any -> [125.137.189.93] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211447; rev:1;) alert tcp $HOME_NET any -> [180.180.108.203] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211446/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211446; rev:1;) alert tcp $HOME_NET any -> [166.203.176.3] 1177 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211445/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211445; rev:1;) alert tcp $HOME_NET any -> [180.180.108.30] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211444/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211444; rev:1;) alert tcp $HOME_NET any -> [180.180.108.10] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211443/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211443; rev:1;) alert tcp $HOME_NET any -> [124.71.106.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211442; rev:1;) alert tcp $HOME_NET any -> [47.94.168.41] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ifisoundyou.gq"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212.224.88.253.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shadow.schatten.ir"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ifisoundyou.gq"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211407/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_07; classtype:trojan-activity; sid:91211407; rev:1;) alert tcp $HOME_NET any -> [23.145.120.49] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211405; rev:1;) alert tcp $HOME_NET any -> [117.72.10.229] 52005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211404; rev:1;) alert tcp $HOME_NET any -> [1.14.28.172] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211403; rev:1;) alert tcp $HOME_NET any -> [8.130.132.92] 30360 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211402; rev:1;) alert tcp $HOME_NET any -> [123.57.77.11] 8991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211401; rev:1;) alert tcp $HOME_NET any -> [60.204.133.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211400; rev:1;) alert tcp $HOME_NET any -> [172.183.48.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.194.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.taipowers.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"api.taipowers.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.37.210.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211391; rev:1;) alert tcp $HOME_NET any -> [159.89.160.41] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211390/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; 
classtype:trojan-activity; sid:91211390; rev:1;) alert tcp $HOME_NET any -> [5.180.114.190] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211389/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211389; rev:1;) alert tcp $HOME_NET any -> [64.176.218.254] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211386; rev:1;) alert tcp $HOME_NET any -> [64.176.225.21] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211387; rev:1;) alert tcp $HOME_NET any -> [65.20.74.26] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211388; rev:1;) alert tcp $HOME_NET any -> [46.250.241.191] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211384; rev:1;) alert tcp $HOME_NET any -> [45.137.192.84] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/php/flowerasyncvideotemporary/generatorlow5/lowtemporarypython/protectwp/multi/request/cdnexternal/updateserverapi/pollhttp.php"; depth:128; nocase; http.host; content:"62.122.213.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211383; rev:1;) alert tcp $HOME_NET any -> [45.32.188.56] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211377; rev:1;) alert tcp $HOME_NET any -> [192.248.151.140] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211372; rev:1;) alert tcp $HOME_NET any -> [108.61.224.209] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211373; rev:1;) alert tcp $HOME_NET any -> [216.128.136.231] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211374; rev:1;) alert tcp $HOME_NET any -> [139.84.235.8] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211375; rev:1;) alert tcp $HOME_NET any -> [45.32.235.46] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211376; rev:1;) alert tcp $HOME_NET any -> [149.13.5.179] 5050 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211371/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211371; rev:1;) alert tcp $HOME_NET any -> [158.220.90.198] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211370/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211370; rev:1;) alert tcp $HOME_NET any -> [46.250.241.197] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211369/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211369; rev:1;) alert tcp $HOME_NET any -> [70.34.207.219] 5000 (msg:"ThreatFox Pikabot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211368/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211368; rev:1;) alert tcp $HOME_NET any -> [5.226.51.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211367/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211367; rev:1;) alert tcp $HOME_NET any -> [38.60.221.150] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211365/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211365; rev:1;) alert tcp $HOME_NET any -> [45.195.76.26] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211366/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211366; rev:1;) alert tcp $HOME_NET any -> [89.211.179.184] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211364/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211364; rev:1;) alert tcp $HOME_NET any -> [86.151.194.13] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211363/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; 
classtype:trojan-activity; sid:91211363; rev:1;) alert tcp $HOME_NET any -> [197.87.135.201] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211362/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211362; rev:1;) alert tcp $HOME_NET any -> [103.201.130.11] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211361/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211361; rev:1;) alert tcp $HOME_NET any -> [52.39.229.65] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211360/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211360; rev:1;) alert tcp $HOME_NET any -> [20.215.181.38] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211359/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211359; rev:1;) alert tcp $HOME_NET any -> [80.78.26.69] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211358/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211358; rev:1;) alert tcp $HOME_NET any -> [188.166.157.170] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211357/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"103.136.42.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roomsodiumdependew.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fa9cf51b66b1f7e.php"; depth:21; nocase; http.host; content:"5.42.66.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"angerprofeessoa.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211346; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"perfilcovid.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"perfilcovid.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getimagedata.php"; depth:17; nocase; http.host; content:"jokergame1.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211316; rev:1;) alert tcp $HOME_NET any -> [91.92.249.96] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211334/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211334; rev:1;) alert tcp $HOME_NET any -> [45.142.182.95] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211335/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211335; rev:1;) alert tcp $HOME_NET any -> [104.248.150.52] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211336/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211336; rev:1;) alert tcp $HOME_NET any -> [45.156.24.179] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211337/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211337; rev:1;) alert tcp $HOME_NET any -> [91.92.243.156] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211338/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211338; rev:1;) alert tcp $HOME_NET any -> [93.123.85.86] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211339/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211339; rev:1;) alert tcp $HOME_NET any -> [64.227.96.75] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211340/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211340; rev:1;) alert tcp $HOME_NET any -> [46.29.162.49] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1211341/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211341; rev:1;) alert tcp $HOME_NET any -> [205.185.122.208] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211342/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211342; rev:1;) alert tcp $HOME_NET any -> [45.63.6.19] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211343/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211343; rev:1;) alert tcp $HOME_NET any -> [154.12.88.17] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211344/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211344; rev:1;) alert tcp $HOME_NET any -> [194.26.192.53] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211345/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211345; rev:1;) alert tcp $HOME_NET any -> [41.112.47.51] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211321/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211321; rev:1;) alert tcp $HOME_NET any -> [5.42.65.55] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211320; rev:1;) alert tcp $HOME_NET any -> [185.172.128.163] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211319; rev:1;) alert tcp $HOME_NET any -> [175.178.66.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211317; rev:1;) alert tcp $HOME_NET any -> [18.163.73.9] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; 
http.host; content:"38.147.189.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"121.40.254.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.130.72.206"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"146.185.243.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211308/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_07; classtype:trojan-activity; sid:91211308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"66.119.15.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-fddzhrcc-1320999622.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"116.62.24.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure.html"; depth:12; nocase; http.host; content:"20.49.255.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"186.64.113.28"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"180.76.99.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"14.225.19.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211297; rev:1;) alert tcp $HOME_NET any -> [161.97.97.181] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211296/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211296; rev:1;) alert tcp $HOME_NET any -> [102.158.119.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211295; rev:1;) alert tcp $HOME_NET any -> [13.236.169.14] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211294; rev:1;) alert tcp $HOME_NET any -> [108.181.23.245] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211292; rev:1;) alert tcp $HOME_NET any -> [59.5.212.209] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211293; rev:1;) alert tcp $HOME_NET any -> [213.125.210.235] 3000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211290; rev:1;) alert tcp $HOME_NET any -> [107.155.51.78] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211289; rev:1;) alert tcp $HOME_NET any -> [149.210.50.244] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211288/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_07; classtype:trojan-activity; sid:91211288; rev:1;) alert tcp $HOME_NET any -> [107.189.13.124] 60000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211286; rev:1;) alert tcp $HOME_NET any -> [120.24.254.69] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211287; rev:1;) alert tcp $HOME_NET any -> [47.115.206.3] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211285; rev:1;) alert tcp $HOME_NET any -> [8.139.7.66] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-224-9-208.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"handbrakeconv.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1211282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211282; rev:1;) alert tcp $HOME_NET any -> [5.182.86.32] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211281; rev:1;) alert tcp $HOME_NET any -> [5.42.94.65] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideastradeai.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.morisniff.cloudns.ph"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"easyvideoconverters.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; 
sid:91211278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"highqualityconverter.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"convhandvideo.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basta-tourmoscow.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1.morisniff.ir"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appblendemulator.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"ideastradeai.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhipp-dbms.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85-192-63-35.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appblendstacks.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.78.100.216.95.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hp22.weket.shop"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ii.nggg.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.185.85.34.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85.192.63.65.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sc.nimmajic.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marz6.adsmahsa.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211260/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.morisniff.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xampp.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"concert-uz.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustpilots.cam"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211258; rev:1;) alert tcp $HOME_NET any -> [176.96.136.233] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211256; rev:1;) alert tcp $HOME_NET any -> [207.180.215.36] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211255; rev:1;) alert tcp $HOME_NET any -> [3.110.107.80] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-jolly-unit-e3af.jacobnero11.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211254; rev:1;) alert tcp $HOME_NET any -> [191.82.212.175] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211252; rev:1;) alert tcp $HOME_NET any -> [106.119.249.59] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211251; rev:1;) alert tcp $HOME_NET any -> [138.201.128.124] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211250/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tehavi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gallery.tableaupubsecday.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211249; rev:1;) alert tcp $HOME_NET any -> [91.206.178.182] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211247; rev:1;) alert tcp $HOME_NET any -> [194.33.191.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211245; rev:1;) alert tcp $HOME_NET any -> [45.81.224.129] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211246; rev:1;) alert tcp $HOME_NET any -> [91.242.229.199] 80 (msg:"ThreatFox Hook botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211244; rev:1;) alert tcp $HOME_NET any -> [207.244.246.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211243; rev:1;) alert tcp $HOME_NET any -> [54.238.196.57] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211241; rev:1;) alert tcp $HOME_NET any -> [78.153.130.36] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211242; rev:1;) alert tcp $HOME_NET any -> [206.123.132.162] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211239; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; 
classtype:trojan-activity; sid:91211240; rev:1;) alert tcp $HOME_NET any -> [104.168.62.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"securityhealthservice.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211237/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_07; classtype:trojan-activity; sid:91211237; rev:1;) alert tcp $HOME_NET any -> [45.77.183.245] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211236/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_07; classtype:trojan-activity; sid:91211236; rev:1;) alert tcp $HOME_NET any -> [81.70.153.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211235; rev:1;) alert tcp $HOME_NET any -> [118.31.36.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211234; rev:1;) alert tcp $HOME_NET any -> [51.68.169.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211233; rev:1;) alert tcp $HOME_NET any -> [43.143.168.10] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211232; rev:1;) alert tcp $HOME_NET any -> [65.20.80.197] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211231; rev:1;) alert tcp $HOME_NET any -> [8.134.36.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211229; rev:1;) alert tcp $HOME_NET any -> [147.161.32.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211230; rev:1;) alert tcp $HOME_NET any -> [81.70.78.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211228; rev:1;) alert 
tcp $HOME_NET any -> [13.124.84.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211227; rev:1;) alert tcp $HOME_NET any -> [119.3.188.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211225; rev:1;) alert tcp $HOME_NET any -> [172.111.251.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211226; rev:1;) alert tcp $HOME_NET any -> [139.196.73.80] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211223; rev:1;) alert tcp $HOME_NET any -> [120.79.154.38] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211224; rev:1;) alert tcp $HOME_NET any -> [103.149.200.212] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211221; rev:1;) alert tcp $HOME_NET any -> [5.181.80.82] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211222; rev:1;) alert tcp $HOME_NET any -> [91.202.206.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211220; rev:1;) alert tcp $HOME_NET any -> [172.183.48.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211219; rev:1;) alert tcp $HOME_NET any -> [206.119.178.208] 5544 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211218; rev:1;) alert tcp $HOME_NET any -> [154.40.43.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211217; rev:1;) alert tcp $HOME_NET any -> [182.92.62.55] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211216; rev:1;) alert tcp $HOME_NET any -> [91.202.204.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211215; rev:1;) alert tcp $HOME_NET any -> [1.14.205.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211214; rev:1;) alert tcp $HOME_NET any -> [119.6.244.15] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211212; rev:1;) alert tcp $HOME_NET any -> [52.5.183.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211213; rev:1;) alert tcp $HOME_NET any -> [103.234.72.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211211/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211211; rev:1;) alert tcp $HOME_NET any -> [85.209.176.216] 21751 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"49.232.246.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.232.145.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.176.178.88"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; 
depth:3; nocase; http.host; content:"49.65.96.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"4.194.41.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211205; rev:1;) alert tcp $HOME_NET any -> [45.95.232.234] 29069 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arenterprese2023.is-a-caterer.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petitbrun1.websiteseguro.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/nglarg/nglob.php"; depth:17; nocase; http.host; content:"petitbrun1.websiteseguro.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211201; rev:1;) alert tcp $HOME_NET any -> [95.169.27.92] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs2.francy.world"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1.francy.world"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211198; rev:1;) alert tcp $HOME_NET any -> [193.222.96.34] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211197/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211197; rev:1;) alert tcp $HOME_NET any -> [54.241.198.186] 13832 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1211194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211194; rev:1;) alert tcp $HOME_NET any -> [52.9.207.250] 13832 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211195; rev:1;) alert tcp $HOME_NET any -> [66.204.14.245] 3306 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211196/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211196; rev:1;) alert tcp $HOME_NET any -> [47.236.123.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211193/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211193; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 13150 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opsqhv54xl33qcahhakpdl7gf40bkhoj.lambda-url.us-east-1.on.aws"; depth:60; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211190; rev:1;) 
alert tcp $HOME_NET any -> [54.205.115.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"opsqhv54xl33qcahhakpdl7gf40bkhoj.lambda-url.us-east-1.on.aws"; depth:60; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211189; rev:1;) alert tcp $HOME_NET any -> [147.78.47.226] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"147.78.47.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211187; rev:1;) alert tcp $HOME_NET any -> [101.43.194.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211186/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; 
classtype:trojan-activity; sid:91211186; rev:1;) alert tcp $HOME_NET any -> [52.81.23.254] 8899 (msg:"ThreatFox Cobalt Strike payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mediaskollsoft.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"digitalskillset1.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211185; rev:1;) alert tcp $HOME_NET any -> [147.50.253.33] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211182/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211182; rev:1;) alert tcp $HOME_NET any -> [3.120.147.39] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211181/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211181; rev:1;) alert tcp $HOME_NET any -> [173.44.141.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211180/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211180; rev:1;) alert tcp $HOME_NET any -> [5.42.82.250] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211179/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211179; rev:1;) alert tcp $HOME_NET any -> [47.57.244.61] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211178/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211178; rev:1;) alert tcp $HOME_NET any -> [109.107.182.10] 64876 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211177/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211177; rev:1;) alert tcp $HOME_NET any -> [5.182.87.154] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211146; rev:1;) alert tcp $HOME_NET any -> [185.215.113.109] 20475 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211156; rev:1;) alert tcp 
$HOME_NET any -> [13.52.173.49] 12152 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211161; rev:1;) alert tcp $HOME_NET any -> [79.107.143.68] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211176/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211176; rev:1;) alert tcp $HOME_NET any -> [85.49.243.234] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211175/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211175; rev:1;) alert tcp $HOME_NET any -> [174.138.7.112] 40065 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211174/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lo341/index.php"; depth:16; nocase; http.host; content:"logt0.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211173; rev:1;) alert tcp $HOME_NET any -> [159.89.4.80] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211172/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211172; rev:1;) alert tcp $HOME_NET any -> [45.152.85.15] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211171/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_07; classtype:trojan-activity; sid:91211171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0892247.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linevideocentral/providertoprocessmultiflowerasynctempcdncentral.php"; depth:69; nocase; http.host; content:"62.109.14.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asyncwprequesttrack/3externalgeneratorsql/3async/http7voiddb/packetbasedatalifecdn.php"; depth:87; nocase; http.host; content:"178.250.156.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211168/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_07; classtype:trojan-activity; sid:91211168; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipehttpgame.php"; depth:17; nocase; http.host; content:"sinastallh.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211166; rev:1;) alert tcp $HOME_NET any -> [47.241.186.204] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211165/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211165; rev:1;) alert tcp $HOME_NET any -> [47.99.124.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211164/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_07; classtype:trojan-activity; sid:91211164; rev:1;) alert tcp $HOME_NET any -> [77.91.68.71] 33880 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ea41d52.php"; depth:13; nocase; http.host; content:"tool5245636476.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_07; classtype:trojan-activity; sid:91211162; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16921 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211159; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16921 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211160; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16921 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211158; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16921 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211157; rev:1;) alert tcp $HOME_NET any -> [52.73.109.241] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211155/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toapiflowerlocal.php"; depth:21; nocase; http.host; content:"098452cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211154; rev:1;) alert tcp $HOME_NET any -> [91.92.247.161] 11861 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211153; rev:1;) alert tcp $HOME_NET any -> [89.23.96.47] 22010 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211152; rev:1;) alert tcp $HOME_NET any -> [20.49.255.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; 
depth:60; nocase; http.host; content:"20.49.255.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211150; rev:1;) alert tcp $HOME_NET any -> [20.49.255.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"20.49.255.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.132.250.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211147; rev:1;) alert tcp $HOME_NET any -> [41.216.183.22] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211145; rev:1;) alert tcp $HOME_NET any -> [207.148.103.233] 2967 
(msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211141; rev:1;) alert tcp $HOME_NET any -> [78.141.222.198] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211142; rev:1;) alert tcp $HOME_NET any -> [45.63.26.148] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211143; rev:1;) alert tcp $HOME_NET any -> [65.20.77.81] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211144; rev:1;) alert tcp $HOME_NET any -> [8.138.102.3] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211140/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211140; rev:1;) alert tcp $HOME_NET any -> [52.15.228.196] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211139/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_12_06; classtype:trojan-activity; sid:91211139; rev:1;) alert tcp $HOME_NET any -> [187.194.165.199] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211138/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211138; rev:1;) alert tcp $HOME_NET any -> [186.30.165.194] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211137/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211137; rev:1;) alert tcp $HOME_NET any -> [47.236.123.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211136; rev:1;) alert tcp $HOME_NET any -> [181.173.21.240] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211135; rev:1;) alert tcp $HOME_NET any -> [191.233.245.58] 60000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211134; rev:1;) alert tcp $HOME_NET any -> [45.76.50.94] 52000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211133; rev:1;) alert tcp $HOME_NET any -> [149.88.75.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211132; rev:1;) alert tcp $HOME_NET any -> [124.220.164.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211131; rev:1;) alert tcp $HOME_NET any -> [15.205.134.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211130; rev:1;) alert tcp $HOME_NET any -> [91.235.234.74] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211129/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"198.98.62.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211128/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211128; rev:1;) alert tcp $HOME_NET any -> [195.20.16.53] 48998 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211127; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 11952 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211126; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 11952 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211125; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 11952 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211123; rev:1;) alert tcp $HOME_NET any -> [81.109.131.3] 54984 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211122/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211122; rev:1;) alert tcp $HOME_NET any -> [124.220.55.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211121/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externallinuxcentral.php"; depth:25; nocase; http.host; content:"233584cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211120; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211119; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211118; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211117; rev:1;) alert tcp $HOME_NET any -> [109.145.253.114] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211116/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211116; rev:1;) alert tcp $HOME_NET any -> [176.44.74.186] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211115/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211115; rev:1;) alert tcp $HOME_NET any -> [37.210.154.95] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211114/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211114; rev:1;) alert tcp $HOME_NET any -> [87.223.87.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211113/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211113; rev:1;) alert tcp $HOME_NET any -> [18.118.50.210] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211112/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211112; rev:1;) alert tcp $HOME_NET any -> [185.142.184.83] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211111/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211111; rev:1;) alert tcp $HOME_NET any -> [18.211.5.15] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211110/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91211110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"flowseasonallissoo.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vladferoiu.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vipaco.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; 
sid:91211095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"veken.de"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vicsthemovingman.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"udef.fr"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211099; rev:1;) alert tcp $HOME_NET any -> [103.114.106.29] 4510 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stabsicknessord.pw"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211107; rev:1;) alert tcp $HOME_NET any -> [100.20.96.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211108/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211108; rev:1;) alert tcp $HOME_NET any -> [178.128.42.219] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211094/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211094; rev:1;) alert tcp $HOME_NET any -> [66.94.125.70] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211093/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211093; rev:1;) alert tcp $HOME_NET any -> [52.54.111.235] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211092/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211092; rev:1;) alert tcp $HOME_NET any -> [91.109.188.4] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211091; rev:1;) alert tcp $HOME_NET any -> [80.253.246.12] 
7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.102.145.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211089/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211089; rev:1;) alert tcp $HOME_NET any -> [47.106.39.1] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211088; rev:1;) alert tcp $HOME_NET any -> [162.251.166.164] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211087; rev:1;) alert tcp $HOME_NET any -> [188.116.36.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211086; rev:1;) alert tcp $HOME_NET any -> [101.132.65.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211085; rev:1;) alert tcp $HOME_NET any -> [121.37.210.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211084; rev:1;) alert tcp $HOME_NET any -> [159.203.17.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211083; rev:1;) alert tcp $HOME_NET any -> [62.233.50.91] 13479 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211082; rev:1;) alert tcp $HOME_NET any -> [39.100.105.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211081; rev:1;) alert tcp $HOME_NET any -> [93.190.8.214] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211080/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211080; rev:1;) alert tcp $HOME_NET 
any -> [143.198.102.80] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211079/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91211079; rev:1;) alert tcp $HOME_NET any -> [46.246.14.14] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"111.229.226.140"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"147.78.47.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.213.159.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211075/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_06; classtype:trojan-activity; sid:91211075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"194.36.209.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.37.14.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"194.32.149.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.8.146.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"49.235.98.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.42.8.97"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1211067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"111.230.242.229"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1211066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.help.googli.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.help.googli.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swf.help.googli.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1211063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211063; rev:1;) alert tcp $HOME_NET any -> [197.1.192.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211062; rev:1;) alert tcp $HOME_NET any -> [104.238.35.85] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211061; rev:1;) 
alert tcp $HOME_NET any -> [42.157.163.143] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211059; rev:1;) alert tcp $HOME_NET any -> [128.140.228.227] 7200 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211060; rev:1;) alert tcp $HOME_NET any -> [41.222.98.130] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211058/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211058; rev:1;) alert tcp $HOME_NET any -> [149.210.44.225] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211057/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211057; rev:1;) alert tcp $HOME_NET any -> [154.62.176.1] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211056/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211056; rev:1;) alert tcp $HOME_NET any -> [180.180.108.108] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211055/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211055; rev:1;) alert tcp $HOME_NET any -> [72.234.167.45] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211054/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211054; rev:1;) alert tcp $HOME_NET any -> [180.180.108.206] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211053/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211053; rev:1;) alert tcp $HOME_NET any -> [154.5.78.149] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211052/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91211052; rev:1;) alert tcp $HOME_NET any -> [180.112.128.143] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211051; rev:1;) alert tcp $HOME_NET any -> [154.12.87.219] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211049; rev:1;) alert tcp $HOME_NET any -> [101.43.31.16] 60000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211050; rev:1;) alert tcp $HOME_NET any -> [43.136.236.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211048; rev:1;) alert tcp $HOME_NET any -> [47.120.0.191] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211046; rev:1;) alert tcp $HOME_NET any -> [47.95.39.212] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211047; rev:1;) alert tcp $HOME_NET any -> [107.151.248.244] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211045; rev:1;) alert tcp $HOME_NET any -> [51.81.131.161] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211044/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211044; rev:1;) alert tcp $HOME_NET any -> [141.255.145.130] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211043; rev:1;) alert tcp $HOME_NET any -> [141.255.159.128] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211041; rev:1;) alert tcp $HOME_NET any -> [141.255.159.128] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211042; rev:1;) alert tcp $HOME_NET any -> [141.255.150.200] 888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211040; rev:1;) alert tcp $HOME_NET any -> [212.51.144.128] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211039; rev:1;) alert tcp $HOME_NET any -> [154.9.255.235] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211038; rev:1;) alert tcp $HOME_NET any -> [216.164.253.125] 3334 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211036; rev:1;) alert tcp $HOME_NET any -> [181.173.9.167] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211037; rev:1;) alert tcp $HOME_NET any -> [223.155.16.121] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211035; rev:1;) alert tcp $HOME_NET any -> [181.173.5.64] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211034; rev:1;) alert tcp $HOME_NET any -> [18.141.3.52] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; 
sid:91211033; rev:1;) alert tcp $HOME_NET any -> [80.66.87.245] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211032; rev:1;) alert tcp $HOME_NET any -> [164.92.103.220] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211031; rev:1;) alert tcp $HOME_NET any -> [18.132.68.205] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211030; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211029; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211028; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1211027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211027; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211025; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211026; rev:1;) alert tcp $HOME_NET any -> [107.175.113.198] 7710 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211024; rev:1;) alert tcp $HOME_NET any -> [85.209.176.108] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211023; rev:1;) alert tcp $HOME_NET any -> [41.251.193.151] 66 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211021; rev:1;) alert tcp $HOME_NET any -> [141.255.150.149] 8888 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211022; rev:1;) alert tcp $HOME_NET any -> [144.126.149.221] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211020; rev:1;) alert tcp $HOME_NET any -> [8.134.207.212] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211019; rev:1;) alert tcp $HOME_NET any -> [101.132.147.163] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211018/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_06; classtype:trojan-activity; sid:91211018; rev:1;) alert tcp $HOME_NET any -> [101.132.147.163] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211017/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_06; classtype:trojan-activity; sid:91211017; rev:1;) alert tcp $HOME_NET any -> [101.132.147.163] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211016/; target:src_ip; metadata: confidence_level 90, first_seen 
2023_12_06; classtype:trojan-activity; sid:91211016; rev:1;) alert tcp $HOME_NET any -> [84.32.44.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211015; rev:1;) alert tcp $HOME_NET any -> [154.22.168.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211013; rev:1;) alert tcp $HOME_NET any -> [121.37.66.33] 12266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211014; rev:1;) alert tcp $HOME_NET any -> [43.138.106.54] 789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211012; rev:1;) alert tcp $HOME_NET any -> [154.22.168.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211011; rev:1;) alert tcp $HOME_NET any -> [154.22.168.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211009; rev:1;) alert tcp $HOME_NET any -> [154.22.168.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211010; rev:1;) alert tcp $HOME_NET any -> [154.22.168.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211007; rev:1;) alert tcp $HOME_NET any -> [154.22.168.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211008; rev:1;) alert tcp $HOME_NET any -> [154.22.168.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211006; rev:1;) alert tcp $HOME_NET any -> [154.22.168.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211005; rev:1;) alert tcp 
$HOME_NET any -> [154.22.168.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211003; rev:1;) alert tcp $HOME_NET any -> [154.22.168.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211004; rev:1;) alert tcp $HOME_NET any -> [154.22.168.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211002; rev:1;) alert tcp $HOME_NET any -> [154.22.168.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211001; rev:1;) alert tcp $HOME_NET any -> [154.22.168.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1211000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91211000; rev:1;) alert tcp $HOME_NET any -> [154.22.168.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210998; rev:1;) alert tcp $HOME_NET any -> [140.143.147.251] 60001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210999; rev:1;) alert tcp $HOME_NET any -> [154.22.168.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210997; rev:1;) alert tcp $HOME_NET any -> [154.22.168.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210996; rev:1;) alert tcp $HOME_NET any -> [154.22.168.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210994; rev:1;) alert tcp $HOME_NET any -> [154.22.168.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210995; rev:1;) alert tcp $HOME_NET any -> [154.22.168.88] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210993; rev:1;) alert tcp $HOME_NET any -> [154.22.168.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210992; rev:1;) alert tcp $HOME_NET any -> [39.104.20.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210990; rev:1;) alert tcp $HOME_NET any -> [154.22.168.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210991; rev:1;) alert tcp $HOME_NET any -> [154.22.168.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210989; rev:1;) alert tcp $HOME_NET any -> [154.22.168.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210988/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210988; rev:1;) alert tcp $HOME_NET any -> [154.22.168.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210986; rev:1;) alert tcp $HOME_NET any -> [154.22.168.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210987; rev:1;) alert tcp $HOME_NET any -> [110.41.16.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210985; rev:1;) alert tcp $HOME_NET any -> [154.22.168.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210983; rev:1;) alert tcp $HOME_NET any -> [154.22.168.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210984; rev:1;) alert tcp $HOME_NET any -> [154.22.168.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210982; rev:1;) alert tcp $HOME_NET any -> [154.22.168.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210980; rev:1;) alert tcp $HOME_NET any -> [154.22.168.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210981; rev:1;) alert tcp $HOME_NET any -> [154.22.168.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210979; rev:1;) alert tcp $HOME_NET any -> [49.65.96.139] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210977; rev:1;) alert tcp $HOME_NET any -> [139.155.153.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; 
classtype:trojan-activity; sid:91210978; rev:1;) alert tcp $HOME_NET any -> [154.22.168.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210976; rev:1;) alert tcp $HOME_NET any -> [154.22.168.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210975; rev:1;) alert tcp $HOME_NET any -> [154.22.168.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210973; rev:1;) alert tcp $HOME_NET any -> [154.22.168.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210974; rev:1;) alert tcp $HOME_NET any -> [154.22.168.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210972; rev:1;) alert tcp $HOME_NET any -> [154.22.168.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210970; rev:1;) alert tcp $HOME_NET any -> [154.22.168.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210971; rev:1;) alert tcp $HOME_NET any -> [8.140.207.221] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210969; rev:1;) alert tcp $HOME_NET any -> [154.22.168.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210968; rev:1;) alert tcp $HOME_NET any -> [74.48.56.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210966; rev:1;) alert tcp $HOME_NET any -> [124.221.37.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210967; rev:1;) alert tcp $HOME_NET 
any -> [58.65.196.1] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210965; rev:1;) alert tcp $HOME_NET any -> [154.22.168.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210964; rev:1;) alert tcp $HOME_NET any -> [154.22.168.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210963; rev:1;) alert tcp $HOME_NET any -> [154.22.168.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210962; rev:1;) alert tcp $HOME_NET any -> [154.22.168.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210960; rev:1;) alert tcp $HOME_NET any -> [154.22.168.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210961; rev:1;) alert tcp $HOME_NET any -> [154.22.168.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210959; rev:1;) alert tcp $HOME_NET any -> [154.22.168.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210958; rev:1;) alert tcp $HOME_NET any -> [154.22.168.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210957; rev:1;) alert tcp $HOME_NET any -> [154.22.168.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210956; rev:1;) alert tcp $HOME_NET any -> [154.91.65.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210955; rev:1;) alert tcp $HOME_NET any -> [154.22.168.116] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210954; rev:1;) alert tcp $HOME_NET any -> [154.22.168.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210953; rev:1;) alert tcp $HOME_NET any -> [154.22.168.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210952; rev:1;) alert tcp $HOME_NET any -> [43.139.172.170] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210951; rev:1;) alert tcp $HOME_NET any -> [154.22.168.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210950; rev:1;) alert tcp $HOME_NET any -> [154.22.168.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210949/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210949; rev:1;) alert tcp $HOME_NET any -> [154.22.168.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210948; rev:1;) alert tcp $HOME_NET any -> [154.22.168.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210947; rev:1;) alert tcp $HOME_NET any -> [154.22.168.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210946; rev:1;) alert tcp $HOME_NET any -> [182.92.177.195] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210945; rev:1;) alert tcp $HOME_NET any -> [154.22.168.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210944; rev:1;) alert tcp $HOME_NET any -> [43.139.128.212] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210943; rev:1;) alert tcp $HOME_NET any -> [154.22.168.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210942; rev:1;) alert tcp $HOME_NET any -> [154.22.168.134] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210941; rev:1;) alert tcp $HOME_NET any -> [154.22.168.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"178.128.108.212"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210939; rev:1;) alert tcp $HOME_NET any -> [178.128.108.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"178.128.108.212"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210937; rev:1;) alert tcp $HOME_NET any -> [8.130.72.206] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210936/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91210936; rev:1;) alert tcp $HOME_NET any -> [3.68.157.117] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210935/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91210935; rev:1;) alert tcp $HOME_NET any -> [3.76.102.156] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210934/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91210934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210933; rev:1;) alert tcp $HOME_NET any -> [52.205.82.255] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210932/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91210932; rev:1;) alert tcp $HOME_NET any -> [106.160.59.123] 5468 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.183.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210930; rev:1;) alert tcp $HOME_NET any -> [116.202.183.33] 25565 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/line/windows_/windowssecure/dbimagetemporary/requestapidle/4cpubetterprivate/securedatalife/secure/todle.php"; depth:109; nocase; http.host; 
content:"213.159.214.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210928; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210927; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210926; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210925; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.104.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210923/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.183.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210922; rev:1;) alert tcp $HOME_NET any -> [116.202.183.33] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210920; rev:1;) alert tcp $HOME_NET any -> [78.47.104.201] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remccoss2023.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chatnoir.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210919; rev:1;) alert tcp $HOME_NET 
any -> [199.247.15.68] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210918/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210918; rev:1;) alert tcp $HOME_NET any -> [31.117.215.3] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210917/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210917; rev:1;) alert tcp $HOME_NET any -> [201.137.205.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210916/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210916; rev:1;) alert tcp $HOME_NET any -> [70.55.15.128] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210915/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210915; rev:1;) alert tcp $HOME_NET any -> [47.157.214.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210914/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210914; rev:1;) alert tcp $HOME_NET any -> [37.107.56.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210913/; target:src_ip; metadata: confidence_level 
50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210913; rev:1;) alert tcp $HOME_NET any -> [86.133.70.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210912/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210912; rev:1;) alert tcp $HOME_NET any -> [170.64.200.28] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210911/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210911; rev:1;) alert tcp $HOME_NET any -> [51.83.99.132] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210910/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210910; rev:1;) alert tcp $HOME_NET any -> [16.63.153.117] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210909/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210909; rev:1;) alert tcp $HOME_NET any -> [79.124.58.134] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210908/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210908; rev:1;) alert tcp $HOME_NET any -> [45.9.62.223] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1210907/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210907; rev:1;) alert tcp $HOME_NET any -> [104.238.35.85] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210906/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210906; rev:1;) alert tcp $HOME_NET any -> [15.197.184.110] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210905/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210905; rev:1;) alert tcp $HOME_NET any -> [161.35.170.123] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210904/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dcqapz.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210903/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_06; classtype:trojan-activity; sid:91210903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"dcqapz.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210902/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_06; classtype:trojan-activity; sid:91210902; rev:1;) alert tcp $HOME_NET any -> [61.183.42.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210901/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91210901; rev:1;) alert tcp $HOME_NET any -> [103.149.200.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210900/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_06; classtype:trojan-activity; sid:91210900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"diaymako.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210899/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_06; classtype:trojan-activity; sid:91210899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"diaymako.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; classtype:trojan-activity; sid:91210898; rev:1;) alert tcp $HOME_NET any -> [91.92.251.191] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_06; 
classtype:trojan-activity; sid:91210897; rev:1;) alert tcp $HOME_NET any -> [20.195.170.6] 1533 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210896; rev:1;) alert tcp $HOME_NET any -> [91.92.243.247] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"111.229.187.212"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210894; rev:1;) alert tcp $HOME_NET any -> [193.92.83.69] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210893; rev:1;) alert tcp $HOME_NET any -> [142.154.34.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210892; rev:1;) alert tcp $HOME_NET any -> [60.204.168.6] 10001 (msg:"ThreatFox Xtreme RAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210891; rev:1;) alert tcp $HOME_NET any -> [8.209.78.200] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210890; rev:1;) alert tcp $HOME_NET any -> [42.157.162.70] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210889; rev:1;) alert tcp $HOME_NET any -> [76.70.194.221] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210888/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210888; rev:1;) alert tcp $HOME_NET any -> [24.222.224.146] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210887/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210887; rev:1;) alert tcp $HOME_NET any -> [166.151.58.64] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210885/; target:src_ip; metadata: confidence_level 75, first_seen 
2023_12_05; classtype:trojan-activity; sid:91210885; rev:1;) alert tcp $HOME_NET any -> [166.151.58.56] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210886/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210886; rev:1;) alert tcp $HOME_NET any -> [115.29.204.38] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210884; rev:1;) alert tcp $HOME_NET any -> [3.220.158.139] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210883; rev:1;) alert tcp $HOME_NET any -> [171.232.3.175] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210881; rev:1;) alert tcp $HOME_NET any -> [216.219.83.227] 4443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210880; rev:1;) alert tcp $HOME_NET any -> [64.52.80.98] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210879; rev:1;) alert tcp $HOME_NET any -> [194.150.167.136] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210878; rev:1;) alert tcp $HOME_NET any -> [190.28.157.161] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210877; rev:1;) alert tcp $HOME_NET any -> [154.22.168.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210875; rev:1;) alert tcp $HOME_NET any -> [154.22.168.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210876; rev:1;) alert tcp $HOME_NET any -> [154.22.168.21] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210874; rev:1;) alert tcp 
$HOME_NET any -> [154.22.191.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210873; rev:1;) alert tcp $HOME_NET any -> [154.22.168.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210871; rev:1;) alert tcp $HOME_NET any -> [34.92.85.53] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210872; rev:1;) alert tcp $HOME_NET any -> [154.22.168.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210870; rev:1;) alert tcp $HOME_NET any -> [154.22.168.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210868; rev:1;) alert tcp $HOME_NET any -> [154.22.168.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210869; rev:1;) alert tcp $HOME_NET any -> [154.22.168.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210867; rev:1;) alert tcp $HOME_NET any -> [154.22.168.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210866; rev:1;) alert tcp $HOME_NET any -> [154.22.168.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210865; rev:1;) alert tcp $HOME_NET any -> [154.22.168.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210863; rev:1;) alert tcp $HOME_NET any -> [154.22.168.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210864; rev:1;) alert tcp $HOME_NET any -> [154.22.168.13] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210862; rev:1;) alert tcp $HOME_NET any -> [154.22.168.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210861; rev:1;) alert tcp $HOME_NET any -> [154.22.168.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210859; rev:1;) alert tcp $HOME_NET any -> [154.22.168.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210860; rev:1;) alert tcp $HOME_NET any -> [154.22.168.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210858; rev:1;) alert tcp $HOME_NET any -> [154.22.168.93] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210857/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210857; rev:1;) alert tcp $HOME_NET any -> [154.22.168.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210856; rev:1;) alert tcp $HOME_NET any -> [154.22.168.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210854; rev:1;) alert tcp $HOME_NET any -> [154.22.168.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210855; rev:1;) alert tcp $HOME_NET any -> [154.22.168.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210853; rev:1;) alert tcp $HOME_NET any -> [154.22.168.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210852; rev:1;) alert tcp $HOME_NET any -> [154.22.168.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210850; rev:1;) alert tcp $HOME_NET any -> [47.90.247.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210851; rev:1;) alert tcp $HOME_NET any -> [154.22.168.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210849; rev:1;) alert tcp $HOME_NET any -> [154.22.168.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210847; rev:1;) alert tcp $HOME_NET any -> [154.22.168.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210848; rev:1;) alert tcp $HOME_NET any -> [154.22.168.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210846; 
rev:1;) alert tcp $HOME_NET any -> [154.22.168.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210844; rev:1;) alert tcp $HOME_NET any -> [154.22.168.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210845; rev:1;) alert tcp $HOME_NET any -> [154.22.168.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210843; rev:1;) alert tcp $HOME_NET any -> [154.22.168.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210842; rev:1;) alert tcp $HOME_NET any -> [154.22.168.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210840; rev:1;) alert tcp $HOME_NET any -> [154.22.168.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210841; rev:1;) alert tcp $HOME_NET any -> [154.22.168.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210839; rev:1;) alert tcp $HOME_NET any -> [154.22.168.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210837; rev:1;) alert tcp $HOME_NET any -> [154.22.168.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210838; rev:1;) alert tcp $HOME_NET any -> [119.91.200.209] 34443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210836; rev:1;) alert tcp $HOME_NET any -> [154.22.168.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210835; rev:1;) alert tcp $HOME_NET any -> [154.22.168.69] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210833; rev:1;) alert tcp $HOME_NET any -> [154.22.168.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210834; rev:1;) alert tcp $HOME_NET any -> [154.22.168.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210832; rev:1;) alert tcp $HOME_NET any -> [154.22.168.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210831; rev:1;) alert tcp $HOME_NET any -> [154.22.168.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210829; rev:1;) alert tcp $HOME_NET any -> [154.22.168.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210830/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.guoyashuai.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210828; rev:1;) alert tcp $HOME_NET any -> [5.182.87.130] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210827/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210827; rev:1;) alert tcp $HOME_NET any -> [168.100.10.244] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210826/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210826; rev:1;) alert tcp $HOME_NET any -> [168.100.9.55] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210825/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210825; rev:1;) alert tcp $HOME_NET any -> [168.100.8.83] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210824/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210824; rev:1;) alert tcp $HOME_NET any -> [45.134.225.243] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210823/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210823; rev:1;) alert tcp $HOME_NET any -> [85.239.237.141] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpbigloaddefaulttrafficdlelocaltempcentral.php"; depth:48; nocase; http.host; content:"a0853356.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonpollpacketupdateprotectdefaultdbtestwptemporary.php"; depth:58; nocase; http.host; content:"hldnzeftm3.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210820; rev:1;) alert tcp $HOME_NET any -> [83.110.223.138] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210818/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210818; rev:1;) alert tcp $HOME_NET any -> [72.27.198.234] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210817/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210817; rev:1;) alert tcp $HOME_NET any -> [41.96.215.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210816/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210816; rev:1;) alert tcp $HOME_NET any -> [104.238.35.85] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210815/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210815; rev:1;) alert tcp $HOME_NET any -> [23.231.40.71] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210814/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210814; rev:1;) alert tcp $HOME_NET any -> [197.0.87.205] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210813; rev:1;) alert tcp $HOME_NET any -> [166.150.128.148] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210812/; target:src_ip; metadata: confidence_level 75, first_seen 
2023_12_05; classtype:trojan-activity; sid:91210812; rev:1;) alert tcp $HOME_NET any -> [166.151.58.63] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210811/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210811; rev:1;) alert tcp $HOME_NET any -> [154.3.1.208] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210810; rev:1;) alert tcp $HOME_NET any -> [91.92.242.235] 12330 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cotinga-slaved.vpsrdns.web-hosting.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210808; rev:1;) alert tcp $HOME_NET any -> [207.148.116.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210807; rev:1;) alert tcp $HOME_NET any -> [154.22.168.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210806; rev:1;) alert tcp $HOME_NET any -> [154.22.168.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210804; rev:1;) alert tcp $HOME_NET any -> [154.22.168.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210805; rev:1;) alert tcp $HOME_NET any -> [154.22.168.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210803; rev:1;) alert tcp $HOME_NET any -> [154.22.168.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210801; rev:1;) alert tcp $HOME_NET any -> [149.88.77.121] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; 
classtype:trojan-activity; sid:91210802; rev:1;) alert tcp $HOME_NET any -> [154.22.168.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210800; rev:1;) alert tcp $HOME_NET any -> [154.22.168.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210799; rev:1;) alert tcp $HOME_NET any -> [154.22.168.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210798; rev:1;) alert tcp $HOME_NET any -> [154.22.168.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210797; rev:1;) alert tcp $HOME_NET any -> [101.43.13.21] 19999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210796; rev:1;) alert tcp $HOME_NET any -> [154.22.168.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210794; rev:1;) alert tcp $HOME_NET any -> [154.22.168.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210795; rev:1;) alert tcp $HOME_NET any -> [154.22.168.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210793; rev:1;) alert tcp $HOME_NET any -> [154.22.168.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210792; rev:1;) alert tcp $HOME_NET any -> [154.22.168.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210791; rev:1;) alert tcp $HOME_NET any -> [154.22.168.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210789; rev:1;) alert tcp $HOME_NET 
any -> [154.22.168.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210790; rev:1;) alert tcp $HOME_NET any -> [154.22.168.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210788; rev:1;) alert tcp $HOME_NET any -> [154.22.168.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210787; rev:1;) alert tcp $HOME_NET any -> [154.22.168.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210785; rev:1;) alert tcp $HOME_NET any -> [154.22.168.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210786; rev:1;) alert tcp $HOME_NET any -> [154.22.168.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210784/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210784; rev:1;) alert tcp $HOME_NET any -> [154.22.168.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210783; rev:1;) alert tcp $HOME_NET any -> [154.22.168.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210782; rev:1;) alert tcp $HOME_NET any -> [154.22.168.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210781; rev:1;) alert tcp $HOME_NET any -> [154.22.168.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enjoy/oba-jebu/gate.php"; depth:24; nocase; http.host; content:"cmp.com.sg"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; 
sid:91210779; rev:1;)
alert tcp $HOME_NET any -> [47.243.46.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210778/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210778; rev:1;)
# --- url IOCs ---
# Matching shape: http.method must be GET (flow:established,from_client). The http.uri content
# carries depth but no trailing isdataat, so it is a PREFIX match (/blog.php?x=1 also hits);
# http.host carries depth + isdataat:!1,relative and must equal the Host value exactly.
# Only traffic Suricata parses as HTTP is inspected: the same URL fetched over TLS does not
# match unless it is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"v3.mytalentplatform.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"vinhos.grandcru.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210759; rev:1;)
# "/api" with depth:4 is a very short prefix; the exact host match is what gives this rule its
# specificity, so do not loosen the http.host check when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"referralpublicationjk.pw"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/359/provider_/request/better3voiddbuploads/javascriptdbflower/public/trafficprovidergeneratoruploads/base5externaltest/base90/flowerdefault4datalife/flower/vmdefaultlongpoll/poll/sql/cdnrequestvmvideo/externalupdate/api/7/4pipephptrack/imagepythonpacketauthapibigloadflowertestwptemporary.php"; depth:293; nocase; http.host; content:"82.146.62.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210777; rev:1;) alert tcp $HOME_NET any -> [212.113.116.156] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210775/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.130.35.148"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"2.57.149.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/owa/"; depth:5; nocase; http.host; content:"139.59.140.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210772; rev:1;)
# The url rules here key on a literal IP address in the Host header (http.host is the host
# value without any :port suffix). A request to the same server through a DNS name does not
# match them; the payload-agnostic ip:port rules still do. 128.199.19.163 is listed twice,
# once per port (443 and 9000), as two separate sids -- expect two alerts for one beacon host.
# URI checks are prefix matches (depth, no trailing isdataat): anything under /updates.rss...
# or /api/3... on the given host triggers.
alert tcp $HOME_NET any -> [128.199.19.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"146.190.8.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210769; rev:1;)
alert tcp $HOME_NET any -> [128.199.19.163] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level:
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"146.190.8.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"43.152.23.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"43.152.25.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"43.152.14.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"18.167.169.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.222.82.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210761; rev:1;) alert tcp $HOME_NET any -> [162.19.175.96] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"territoryrequersp.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"unisono.band"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210755; rev:1;)
# --- /blog.php payload-delivery entries ---
# A long run of otherwise ordinary-looking hostnames (e.g. uk.qolsys.com, support.aidemy.net)
# all serving the same path, which reads as compromised third-party sites used for distribution
# rather than attacker-owned infrastructure -- not confirmed from this feed alone.
# Treat a hit as "client downloaded from such a site": pivot on what was fetched and on the
# client's follow-on connections, and weigh blocking the whole host against its legitimate use.
# The URI check is a prefix match (depth:9, no trailing isdataat); the Host check is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"upcyclestitches.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"undergroundnyc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"uk.qolsys.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"support.aidemy.net"; depth:18;
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"supergaywedding.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"sunnhordlandantirust.no"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"sunbattery.ir"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"studiotapas.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; 
sid:91210672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"studiocircle.co.uk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"studentalpharotterdam.nl"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"stromduellen.no"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"stavangeradvokaten.no"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"starli.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"staging.ivet.edu.au"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"staging.aoibhneas.org.scms.sq1.io"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"stadnicka.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"squarechapel.co.uk"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"uczestnik3.devagroup.nq.pl"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"uczestnik.devagroup.nq.pl"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"ubezpieczeniawalczyk.pl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"toshiaki1.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; 
classtype:trojan-activity; sid:91210749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tororomba.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"toenchen-und-herrschmidt.ee"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"toenchen-und-herrschmidt.de"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"titan-fitness.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tisdagskaffe.se"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tipthara.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tintin.coffee"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"thirstymag.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"thieuhoa.com.vn"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1210740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"thenordicman.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"svoy.pro"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"suzukikougei.co.jp"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"survey.ykasandbox.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210685; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"swartauto.nl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"t03imd.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tanakakoichi.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tarabuhagiar.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blog.php"; depth:9; nocase; http.host; content:"tascareaga.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tasmanrevival.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"taxexemptconsultants.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"technologiczni24.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"sikasonhiep.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210700/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"slottje.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"sonnenkirche.de"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"spice.ehero.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"stefangubser.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tattoocapilar.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"tcservices.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"teamdioxide.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"telefonteknik.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; 
content:"tennesseescholars.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"test.calcanto.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"test.odrtechinc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"textart.nonhoff.info"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"smarttours.ro"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210722/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_05; classtype:trojan-activity; sid:91210722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"smd.agency"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"snopro.eu"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"spd-haltern-am-see.de"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"spenden.procamp.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"spielsand-kaufen.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"the-hope-foundation.kdconnect.uk"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"the-other-milk.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"thechip.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"theconniewong.com"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"thedovepartnership.co.uk"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"thejkinz.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog.php"; depth:9; nocase; http.host; content:"theloosechangecharity.co.uk"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210738; rev:1;) alert tcp $HOME_NET any -> [198.50.248.228] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210725; rev:1;) alert tcp $HOME_NET any -> [81.68.83.150] 17000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fks/index.php"; depth:14; nocase; http.host; content:"81.19.131.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210657/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geocpulongpoll.php"; depth:19; nocase; http.host; content:"302099cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210656; rev:1;) alert tcp $HOME_NET any -> [86.98.213.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210655; rev:1;) alert tcp $HOME_NET any -> [41.230.203.186] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210653; rev:1;) alert tcp $HOME_NET any -> [41.227.155.126] 443 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210654; rev:1;) alert tcp $HOME_NET any -> [102.157.15.16] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210652; rev:1;) alert tcp $HOME_NET any -> [63.46.179.150] 4002 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210651; rev:1;) alert tcp $HOME_NET any -> [47.241.176.61] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210650; rev:1;) alert tcp $HOME_NET any -> [123.60.80.132] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210649; rev:1;) alert tcp $HOME_NET any -> [47.254.22.43] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; 
classtype:trojan-activity; sid:91210648; rev:1;) alert tcp $HOME_NET any -> [23.82.46.234] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210647; rev:1;) alert tcp $HOME_NET any -> [166.151.58.65] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210646/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210646; rev:1;) alert tcp $HOME_NET any -> [149.210.44.189] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210645/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210645; rev:1;) alert tcp $HOME_NET any -> [180.180.108.77] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210644/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210644; rev:1;) alert tcp $HOME_NET any -> [166.249.62.100] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210642/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210642; rev:1;) alert tcp $HOME_NET any -> [166.161.146.188] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210643/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210643; rev:1;) alert tcp $HOME_NET any -> [180.180.108.44] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210641/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210641; rev:1;) alert tcp $HOME_NET any -> [72.136.139.62] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210640/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210640; rev:1;) alert tcp $HOME_NET any -> [116.68.155.172] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210639/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210639; rev:1;) alert tcp $HOME_NET any -> [101.200.72.45] 60001 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210638; rev:1;) alert tcp $HOME_NET any -> [8.217.9.3] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210637; rev:1;) alert tcp $HOME_NET any -> 
[121.40.239.47] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210635; rev:1;) alert tcp $HOME_NET any -> [1.15.147.201] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210636; rev:1;) alert tcp $HOME_NET any -> [91.92.241.214] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210633; rev:1;) alert tcp $HOME_NET any -> [91.92.251.191] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v55728.php-friends.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210632; rev:1;) alert tcp $HOME_NET any -> [185.239.87.136] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-91-116-180.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210630; rev:1;) alert tcp $HOME_NET any -> [162.216.241.236] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u1.cc0.ir"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210628; rev:1;) alert tcp $HOME_NET any -> [223.155.16.133] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210627; rev:1;) alert tcp $HOME_NET any -> [74.199.99.167] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210626; rev:1;) alert tcp 
$HOME_NET any -> [91.92.251.84] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210625; rev:1;) alert tcp $HOME_NET any -> [24.133.200.15] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.103-61-224-87.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210624; rev:1;) alert tcp $HOME_NET any -> [91.92.250.212] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210622; rev:1;) alert tcp $HOME_NET any -> [20.67.233.144] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210621; rev:1;) alert tcp $HOME_NET any -> [52.45.163.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210620; rev:1;) alert tcp $HOME_NET any -> [213.195.114.146] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210619; rev:1;) alert tcp $HOME_NET any -> [47.57.239.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210618; rev:1;) alert tcp $HOME_NET any -> [154.22.168.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210617; rev:1;) alert tcp $HOME_NET any -> [154.22.168.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210616; rev:1;) alert tcp $HOME_NET any -> [154.22.168.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210615; rev:1;) alert tcp $HOME_NET any -> [154.22.168.91] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210614; rev:1;) alert tcp $HOME_NET any -> [154.22.168.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210613; rev:1;) alert tcp $HOME_NET any -> [195.80.148.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210612; rev:1;) alert tcp $HOME_NET any -> [154.22.168.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210611; rev:1;) alert tcp $HOME_NET any -> [154.22.168.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210610; rev:1;) alert tcp $HOME_NET any -> [154.22.168.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210609/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210609; rev:1;) alert tcp $HOME_NET any -> [120.46.69.230] 65220 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210608; rev:1;) alert tcp $HOME_NET any -> [154.22.168.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210607; rev:1;) alert tcp $HOME_NET any -> [154.22.168.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210606; rev:1;) alert tcp $HOME_NET any -> [81.70.0.37] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210605; rev:1;) alert tcp $HOME_NET any -> [154.22.168.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210604; rev:1;) alert tcp $HOME_NET any -> [107.174.246.20] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210603; rev:1;) alert tcp $HOME_NET any -> [43.137.5.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210602; rev:1;) alert tcp $HOME_NET any -> [154.22.168.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210601; rev:1;) alert tcp $HOME_NET any -> [149.28.26.2] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210600; rev:1;) alert tcp $HOME_NET any -> [154.22.168.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210598; rev:1;) alert tcp $HOME_NET any -> [154.22.168.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; 
sid:91210599; rev:1;) alert tcp $HOME_NET any -> [154.22.168.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210597; rev:1;) alert tcp $HOME_NET any -> [154.22.168.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210596; rev:1;) alert tcp $HOME_NET any -> [123.56.42.177] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210595; rev:1;) alert tcp $HOME_NET any -> [60.205.158.200] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210594; rev:1;) alert tcp $HOME_NET any -> [47.96.170.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210593; rev:1;) alert tcp $HOME_NET any -> [121.40.239.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1210592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210592; rev:1;) alert tcp $HOME_NET any -> [154.22.168.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210591; rev:1;) alert tcp $HOME_NET any -> [154.22.168.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210590; rev:1;) alert tcp $HOME_NET any -> [154.22.168.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210589; rev:1;) alert tcp $HOME_NET any -> [154.22.168.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3229713.ip-57-128-141.eu"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210587; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silm136.softether.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.214.135.94"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.214.135.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.34.71.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"42.193.17.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.230.89.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"42.194.145.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.45.190.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.51.46.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210574/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.199.212.224"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"42.192.233.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"152.136.128.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"82.156.157.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.220.210.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"62.234.41.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.34.209.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"212.129.223.209"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"123.207.57.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.221.15.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.89.88.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.5.109.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.139.249.124"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"1.12.226.211"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"42.194.178.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"175.178.249.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.34.229.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210553; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"106.52.216.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"150.158.92.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.221.50.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.222.5.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"1.15.245.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.221.78.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"122.51.215.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.51.46.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.229.76.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.143.246.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"110.42.222.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210566/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"154.8.193.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.89.118.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210568; rev:1;) alert tcp $HOME_NET any -> [91.92.248.48] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210576/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.139.47.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"82.157.80.216"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.155.134.117"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.42.141.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.35.252.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"42.192.145.232"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.231.28.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.233.249.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.138.25.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.222.40.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210531; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"81.71.68.50"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"175.178.248.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.235.104.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"82.157.196.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.24.128.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.91.45.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.14.107.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.222.80.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"140.143.147.47"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.223.197.230"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"110.40.196.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.143.166.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210543; rev:1;) alert tcp $HOME_NET any -> [95.216.117.33] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210544/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210544; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.223"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.219"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210434/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210432/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210429/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210429; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210430/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210431/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210428/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210426/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210427/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210423/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210424/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210425/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.129"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210422/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210420/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210421/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210419/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210418/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; 
classtype:trojan-activity; sid:91210418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210416/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210417/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.122"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210415/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210413/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210414/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210411/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210412/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210409/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"162.215.23.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210410/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210407/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210408/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210406/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210405/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_12_05; classtype:trojan-activity; sid:91210405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210403/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210404/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210402/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210400/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210401/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210399/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210398/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210397/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; 
http.host; content:"162.215.23.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210433/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210435/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210436/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210437/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210438/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210439/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210440/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210441/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210442/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210443/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.159"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210456; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"162.215.23.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210466/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.185"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.186"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1210479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210483; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"162.215.23.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210496/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210496; rev:1;)
# --- Review notes (rules unchanged; one rule per line restored from the collapsed rendering) ---
# sid is "9" followed by the ThreatFox IoC id in the rule's own reference URL; rev:1 throughout;
# every rule in this span carries first_seen 2023_12_05.
# target:src_ip marks the $HOME_NET source as the victim side; the destination is the C2 / delivery host.
# ip:port rules (alert tcp ... with no flow keyword) fire on any TCP segment to that destination,
#   including connection attempts that never complete; "threshold: type limit, track by_src, seconds 60, count 1"
#   caps this at one alert per source host per minute.
# url rules: http.host is anchored exactly (depth:N + isdataat:!1,relative) but http.uri is matched with
#   depth:N + nocase only, i.e. as a case-insensitive PREFIX. Short URIs such as /cx, /push, /sitemap,
#   /wp-admin therefore also match longer paths on that host - triage on the host, not the path alone.
# /supershell/login across the contiguous range 162.215.23.204-215; .151 is published at confidence 50.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210444/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210444; rev:1;)
# Short-prefix URIs below (/push, /fwlink, /dpixel, /ga.js, ...) - see the http.uri prefix note above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.70.187.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"186.64.113.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.232.145.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210390; rev:1;)
alert tcp $HOME_NET any -> [173.212.250.19] 6060 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210379; rev:1;)
alert tcp $HOME_NET any -> [185.62.85.197] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210380; rev:1;)
# NOTE(review): shared hosting platform - the full URL is the indicator; do not derive a platform-level block from this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src.txt"; depth:8; nocase; http.host; content:"eldi8.github.io"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210383; rev:1;)
alert tcp $HOME_NET any -> [107.173.58.91] 32870 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210388; rev:1;)
# NOTE(review): host is a legitimate news site (user-content path); the URI is the discriminator, not the domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/civis/members/frncbf22.1062014/about/"; depth:38; nocase; http.host; content:"arstechnica.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210384; rev:1;)
alert tcp $HOME_NET any -> [45.43.18.229] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210378; rev:1;)
alert tcp $HOME_NET any -> [173.212.250.19] 1818 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210377; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.238] 5601 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210374; rev:1;)
alert tcp $HOME_NET any -> [173.212.250.19] 1998 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210375; rev:1;)
alert tcp $HOME_NET any -> [107.175.113.198] 8801 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210376; rev:1;)
alert tcp $HOME_NET any -> [191.101.206.72] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210373; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.198] 6060 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210370; rev:1;)
alert tcp $HOME_NET any -> [161.97.151.222] 2006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210371; rev:1;)
alert tcp $HOME_NET any -> [185.62.85.197] 666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210372; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.217] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210369; rev:1;)
alert tcp $HOME_NET any -> [107.175.113.198] 8018 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210368; rev:1;)
alert tcp $HOME_NET any -> [158.69.131.146] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210366; rev:1;)
alert tcp $HOME_NET any -> [88.229.10.198] 3003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210367; rev:1;)
# NOTE(review): destination host address ends in .0 (here and at sid:91210339) - as published by the feed; confirm against the referenced IoC before acting on it.
alert tcp $HOME_NET any -> [209.145.56.0] 2001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210363; rev:1;)
alert tcp $HOME_NET any -> [154.38.172.60] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210364; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.238] 6301 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210365; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.201] 9991 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210362; rev:1;)
alert tcp $HOME_NET any -> [207.244.238.106] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210360; rev:1;)
alert tcp $HOME_NET any -> [85.239.237.148] 7788 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210361; rev:1;)
alert tcp $HOME_NET any -> [173.212.250.19] 1717 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210358; rev:1;)
alert tcp $HOME_NET any -> [198.12.125.30] 8011 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210359; rev:1;)
# http.uri "/cx" with depth:3 is a three-byte prefix - any path beginning with /cx on this host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"110.41.11.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210389; rev:1;)
alert tcp $HOME_NET any -> [207.244.238.106] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210356; rev:1;)
alert tcp $HOME_NET any -> [18.163.74.152] 2333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210357; rev:1;)
alert tcp $HOME_NET any -> [185.25.51.99] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210355; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.34] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210353; rev:1;)
alert tcp $HOME_NET any -> [173.212.250.19] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210354; rev:1;)
alert tcp $HOME_NET any -> [37.19.216.81] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210350; rev:1;)
alert tcp $HOME_NET any -> [154.38.172.60] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210351; rev:1;)
alert tcp $HOME_NET any -> [134.255.232.141] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210352; rev:1;)
alert tcp $HOME_NET any -> [213.195.125.89] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210348; rev:1;)
alert tcp $HOME_NET any -> [173.212.250.19] 1999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210349; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21] 67 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210332; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.218] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210333; rev:1;)
alert tcp $HOME_NET any -> [136.243.111.71] 2200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210334; rev:1;)
alert tcp $HOME_NET any -> [51.89.190.17] 5700 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210335; rev:1;)
alert tcp $HOME_NET any -> [178.33.203.39] 9191 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210336; rev:1;)
alert tcp $HOME_NET any -> [45.32.173.196] 6969 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210337; rev:1;)
alert tcp $HOME_NET any -> [207.244.238.106] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210338; rev:1;)
alert tcp $HOME_NET any -> [209.145.56.0] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210339; rev:1;)
alert tcp $HOME_NET any -> [161.97.151.222] 7788 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210340; rev:1;)
alert tcp $HOME_NET any -> [185.16.38.41] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210341; rev:1;)
alert tcp $HOME_NET any -> [207.32.218.138] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210342; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.37] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210343; rev:1;)
alert tcp $HOME_NET any -> [95.214.26.58] 9909 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210344; rev:1;)
alert tcp $HOME_NET any -> [136.243.179.5] 700 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210345; rev:1;)
alert tcp $HOME_NET any -> [78.163.243.12] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210346; rev:1;)
alert tcp $HOME_NET any -> [45.92.1.59] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210347; rev:1;)
alert tcp $HOME_NET any -> [154.38.172.60] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210329; rev:1;)
alert tcp $HOME_NET any -> [185.25.51.99] 666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210330; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.103] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210331; rev:1;)
alert tcp $HOME_NET any -> [185.62.86.134] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210328; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.119] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210327; rev:1;)
alert tcp $HOME_NET any -> [104.243.47.96] 2233 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210326; rev:1;)
alert tcp $HOME_NET any -> [94.130.130.51] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210325; rev:1;)
alert tcp $HOME_NET any -> [51.89.190.17] 5600 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210324; rev:1;)
alert tcp $HOME_NET any -> [185.62.86.134] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u6vhsc3ppq/index.php"; depth:21; nocase; http.host; content:"185.196.8.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210321; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.159] 880 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u6vhsc3ppq/login.php"; depth:21; nocase; http.host; content:"185.172.128.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yxnwkvfks28y/login.php"; depth:23; nocase; http.host; content:"194.26.135.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210319; rev:1;)
# confidence_level 80 entries below (sid:91210387, 91210381, 91210316): lower-confidence ip:port indicators; on ports such as 80 the
#   bare tcp match is prone to benign hits if the host is shared - corroborate with the matching url/dns rules where present.
alert tcp $HOME_NET any -> [8.213.159.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210387/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sitemap"; depth:8; nocase; http.host; content:"47.243.236.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210386; rev:1;)
alert tcp $HOME_NET any -> [68.67.203.28] 46364 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210385; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.212] 2025 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210382; rev:1;)
alert tcp $HOME_NET any -> [38.147.189.9] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210381/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210381; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.34] 16479 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210318; rev:1;)
alert tcp $HOME_NET any -> [38.255.42.181] 5566 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210317; rev:1;)
alert tcp $HOME_NET any -> [124.220.7.195] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210316/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b15/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"unzip2.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"205.234.233.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210313; rev:1;)
# NOTE(review): CDN hostnames (cloudfront.net here, azureedge.net at sid:91210300) - the distribution-specific label is the indicator,
#   matched exactly by the url and dns rules; the CDN parent domain itself is not an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/access/"; depth:8; nocase; http.host; content:"d1lrw1z9ssp44c.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210311; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1lrw1z9ssp44c.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210312; rev:1;)
# ip:port and url rules for the same host are paired below (212.233.123.175, 49.232.246.74, 43.134.23.107, 47.243.236.236);
#   a url hit corroborates the bare tcp hit on 443.
alert tcp $HOME_NET any -> [212.233.123.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nvdkv6iilcrxgdsedyuf"; depth:38; nocase; http.host; content:"212.233.123.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"49.232.246.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210307; rev:1;)
alert tcp $HOME_NET any -> [49.232.246.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210308; rev:1;)
alert tcp $HOME_NET any -> [43.134.23.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"43.134.23.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210305; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.goodljlagfhss.live"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210303; rev:1;)
alert tcp $HOME_NET any -> [47.243.236.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sitemap"; depth:8; nocase; http.host; content:"www.goodljlagfhss.live"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210302; rev:1;)
alert tcp $HOME_NET any -> [165.227.184.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210301; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arbfile.azureedge.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210300/; target:src_ip; metadata:
confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nntp.xml"; depth:9; nocase; http.host; content:"arbfile.azureedge.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210299; rev:1;) alert tcp $HOME_NET any -> [146.59.10.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"146.59.10.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.46.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.46.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210291/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_05; classtype:trojan-activity; sid:91210291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.20.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199577999137"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redcarsc"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210288; rev:1;) alert tcp $HOME_NET any -> [195.201.46.226] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210285; rev:1;) alert tcp $HOME_NET any -> [95.217.31.63] 25565 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210286; rev:1;) alert tcp $HOME_NET any -> [195.201.46.226] 25565 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210287; rev:1;) alert tcp $HOME_NET any -> [95.217.31.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210284; rev:1;) alert tcp $HOME_NET any -> [116.203.15.153] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210283; rev:1;) alert tcp $HOME_NET any -> [37.27.20.125] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210281; rev:1;) alert tcp $HOME_NET any -> [95.217.240.71] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210282; rev:1;) alert tcp $HOME_NET any -> [112.124.65.163] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210280/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210280; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210279/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210279; rev:1;) alert tcp $HOME_NET any -> [69.207.218.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210278/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210278; rev:1;) alert tcp $HOME_NET any -> [91.103.252.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210277/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210277; rev:1;) alert tcp $HOME_NET any -> [86.175.81.191] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210276/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210276; rev:1;) alert tcp $HOME_NET any -> [74.12.146.100] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210275/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; 
sid:91210275; rev:1;) alert tcp $HOME_NET any -> [95.68.46.156] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210274/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210274; rev:1;) alert tcp $HOME_NET any -> [91.254.172.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210273/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210273; rev:1;) alert tcp $HOME_NET any -> [3.97.94.200] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210272/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210272; rev:1;) alert tcp $HOME_NET any -> [43.163.210.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210271/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210271; rev:1;) alert tcp $HOME_NET any -> [185.92.150.128] 8081 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210270/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_05; classtype:trojan-activity; sid:91210270; rev:1;) alert tcp $HOME_NET any -> [178.236.246.185] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91209551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecox.pt"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91209529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlecloudstream.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91209550; rev:1;) alert tcp $HOME_NET any -> [192.241.158.41] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210269/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210269; rev:1;) alert tcp $HOME_NET any -> [121.41.166.87] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210268/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210268; rev:1;) alert tcp $HOME_NET any -> [34.125.247.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210267/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210267; rev:1;) alert tcp $HOME_NET any -> 
[23.231.40.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210266/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_05; classtype:trojan-activity; sid:91210266; rev:1;) alert tcp $HOME_NET any -> [103.11.64.167] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210265; rev:1;) alert tcp $HOME_NET any -> [104.238.35.85] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210264; rev:1;) alert tcp $HOME_NET any -> [167.114.174.149] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210263; rev:1;) alert tcp $HOME_NET any -> [31.186.82.215] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210261; rev:1;) alert tcp $HOME_NET any -> [199.60.101.172] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210262/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210262; rev:1;) alert tcp $HOME_NET any -> [52.197.214.20] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210260; rev:1;) alert tcp $HOME_NET any -> [97.107.133.114] 1704 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210259; rev:1;) alert tcp $HOME_NET any -> [178.183.165.218] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210258; rev:1;) alert tcp $HOME_NET any -> [166.249.62.110] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210257/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210257; rev:1;) alert tcp $HOME_NET any -> [194.197.66.239] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210256/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210256; rev:1;) alert tcp $HOME_NET any -> [76.70.192.207] 2 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210255/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210255; rev:1;) alert tcp $HOME_NET any -> [166.151.58.61] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210254/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210254; rev:1;) alert tcp $HOME_NET any -> [96.1.60.41] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210252/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210252; rev:1;) alert tcp $HOME_NET any -> [166.150.128.148] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210253/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210253; rev:1;) alert tcp $HOME_NET any -> [186.30.114.92] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210251/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210251; rev:1;) alert tcp $HOME_NET any -> [190.24.4.115] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210250/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; 
sid:91210250; rev:1;) alert tcp $HOME_NET any -> [50.52.164.186] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210248/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210248; rev:1;) alert tcp $HOME_NET any -> [142.176.134.250] 4905 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210249/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210249; rev:1;) alert tcp $HOME_NET any -> [63.40.16.49] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210247/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210247; rev:1;) alert tcp $HOME_NET any -> [96.1.61.17] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210245/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210245; rev:1;) alert tcp $HOME_NET any -> [41.112.34.204] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210246/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210246; rev:1;) alert tcp $HOME_NET any -> [137.221.14.192] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1210244/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210244; rev:1;) alert tcp $HOME_NET any -> [96.1.110.207] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210243/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_05; classtype:trojan-activity; sid:91210243; rev:1;) alert tcp $HOME_NET any -> [49.113.75.112] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210242; rev:1;) alert tcp $HOME_NET any -> [154.12.81.212] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210241; rev:1;) alert tcp $HOME_NET any -> [134.255.232.164] 5080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210240; rev:1;) alert tcp $HOME_NET any -> [93.104.208.94] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210238; rev:1;) alert tcp $HOME_NET any -> [134.255.232.164] 
5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210239; rev:1;) alert tcp $HOME_NET any -> [154.246.105.39] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210237; rev:1;) alert tcp $HOME_NET any -> [193.124.205.20] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210235; rev:1;) alert tcp $HOME_NET any -> [171.232.3.175] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pool-108-51-80-70.washdc.fios.verizon.net"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210234; rev:1;) alert tcp $HOME_NET any -> [35.92.41.20] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210232; rev:1;) alert tcp $HOME_NET any -> [158.160.84.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210233; rev:1;) alert tcp $HOME_NET any -> [84.17.34.8] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-129-208-252.us-east-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210230; rev:1;) alert tcp $HOME_NET any -> [5.189.175.70] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1527355.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210228; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.alvarezconstructionri.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"git.koenig.software"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.agdetails.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.webgouv.fr.89-163-255-130.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210225; rev:1;) alert tcp $HOME_NET any -> [104.131.71.126] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"usagers.antai.webgouv.fr.89-163-255-130.plesk.page"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210223; rev:1;) alert tcp $HOME_NET any -> [85.209.176.78] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.alvarezconstructionri.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210221; rev:1;) alert tcp $HOME_NET any -> [159.100.6.226] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210219; rev:1;) alert tcp $HOME_NET any -> [163.5.210.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210218; rev:1;) alert tcp $HOME_NET any -> [82.147.85.82] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210216/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210216; rev:1;) alert tcp $HOME_NET any -> [5.182.86.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta1.candledmush.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210214; rev:1;) alert tcp $HOME_NET any -> [88.229.10.198] 3002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210215; rev:1;) alert tcp $HOME_NET any -> [91.109.188.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210213; rev:1;) alert tcp $HOME_NET any -> [42.194.145.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210212; rev:1;) alert tcp $HOME_NET any -> [106.14.149.88] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210211; rev:1;) alert tcp $HOME_NET any -> [118.195.239.23] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210210; rev:1;) alert tcp $HOME_NET any -> [122.51.97.82] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210208; rev:1;) alert tcp $HOME_NET any -> [115.159.50.50] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210209; rev:1;) alert tcp $HOME_NET any -> [101.200.72.45] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210207; rev:1;) alert tcp $HOME_NET any -> [119.29.250.145] 11001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; 
classtype:trojan-activity; sid:91210206; rev:1;) alert tcp $HOME_NET any -> [66.119.15.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210205; rev:1;) alert tcp $HOME_NET any -> [44.211.191.212] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210204; rev:1;) alert tcp $HOME_NET any -> [91.92.251.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210203; rev:1;) alert tcp $HOME_NET any -> [111.229.187.190] 8442 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210202; rev:1;) alert tcp $HOME_NET any -> [198.98.62.30] 1080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210201; rev:1;) alert tcp $HOME_NET any -> [3.30.14.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210200/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210200; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 16458 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210199; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 16458 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210198; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 16458 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210197; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 16458 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210196; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 16458 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210195; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 17987 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210194; rev:1;) alert tcp $HOME_NET any -> [193.34.212.117] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210193/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"www.zubareff.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210191; rev:1;) alert tcp $HOME_NET any -> [123.16.118.39] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210190/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_05; classtype:trojan-activity; sid:91210190; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 11520 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210189; rev:1;)
# ip:port rules in this feed carry no flow: keyword, so they match on the first SYN from $HOME_NET
# to the listed address/port; the threshold only caps alerts to 1 per source per 60 s.
alert tcp $HOME_NET any -> [3.67.161.133] 11520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210188; rev:1;)
alert tcp $HOME_NET any -> [3.127.181.115] 11520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_05; classtype:trojan-activity; sid:91210187; rev:1;)
alert tcp $HOME_NET any -> [45.15.156.45] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210186; rev:1;)
# NOTE(review): the URI test below is content:"/" with depth:1 and no isdataat anchor after it,
# so every request URI satisfies it (they all begin with "/"). Together with the host match this
# rule fires on ANY GET to darklight.website -- including every request already covered by the
# three /port1/... rules further down (sid 91210183, 91210182, 91210181), so a single hit on one of
# those URLs yields several alerts. Keep it for host-level coverage, or suppress it locally in
# favour of the specific URL rules; either way correlate on src_ip (target:src_ip) in the SIEM.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"darklight.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210184; rev:1;)
# DNS lookup of the same host; an infected client will typically trigger this first and then one
# or more of the http rules above/below.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darklight.website"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1210185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210185; rev:1;)
# "/port1/" with depth:7 and no trailing anchor is a prefix match: it also fires on the two
# longer /port1/... URIs below (the generator never anchors the end of the URI, only the host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/port1/"; depth:7; nocase; http.host; content:"darklight.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/port1/received.php"; depth:19; nocase; http.host; content:"darklight.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/port1/link.txt"; depth:15; nocase; http.host; content:"darklight.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210181; rev:1;)
# Host is a *.workers.dev name (shared Cloudflare Workers domain): block/alert on the full hostname
# only, never on the parent domain. The path component looks like a Telegram chat id of the
# -100... form -- presumably a Telegram-relayed C2; verify on the IOC page before acting on that.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001830809790"; depth:22; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001830809790"; depth:19; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210179; rev:1;)
# NOTE(review): sid 91210178 below has byte-identical match content to sid 91210179 above (same
# method, URI prefix, depth and host); only the referenced IOC id differs. Both fire on the same
# request and produce two alerts. The generator has probably collapsed two IOC URLs that differ
# only beyond the matched prefix (e.g. a query string) -- check both IOC pages and keep one locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001830809790"; depth:19; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1210178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210178; rev:1;)
# Confidence 80 (lower than the rest of this batch). Plain ip:port on 443 with no TLS/SNI
# constraint, so any TLS session from $HOME_NET to this host alerts -- verify before blocking.
alert tcp $HOME_NET any -> [3.89.127.205] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210177/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91210177; rev:1;)
alert tcp $HOME_NET any -> [47.52.117.253] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210176; rev:1;)
alert tcp $HOME_NET any -> [47.241.183.6] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210175/; target:src_ip; metadata: confidence_level 100,
first_seen 2023_12_04; classtype:trojan-activity; sid:91210175; rev:1;) alert tcp $HOME_NET any -> [138.68.98.0] 8112 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210174; rev:1;) alert tcp $HOME_NET any -> [211.195.214.151] 6208 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210173; rev:1;) alert tcp $HOME_NET any -> [211.195.214.151] 6207 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210172; rev:1;) alert tcp $HOME_NET any -> [211.195.214.151] 6206 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210171; rev:1;) alert tcp $HOME_NET any -> [218.204.141.228] 2032 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210170; rev:1;) alert tcp $HOME_NET any -> [218.204.141.228] 2031 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210169; rev:1;) alert tcp $HOME_NET any -> [218.204.141.228] 2026 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210168; rev:1;) alert tcp $HOME_NET any -> [218.204.141.228] 2023 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210166; rev:1;) alert tcp $HOME_NET any -> [218.204.141.228] 2025 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210167; rev:1;) alert tcp $HOME_NET any -> [35.198.27.46] 31079 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210165; rev:1;) alert tcp $HOME_NET any -> [35.198.27.46] 31013 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210163; 
rev:1;) alert tcp $HOME_NET any -> [35.198.27.46] 31056 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210164; rev:1;) alert tcp $HOME_NET any -> [196.200.160.201] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210162; rev:1;) alert tcp $HOME_NET any -> [202.120.224.109] 9121 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210161; rev:1;) alert tcp $HOME_NET any -> [218.80.234.82] 9500 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210159; rev:1;) alert tcp $HOME_NET any -> [202.120.224.109] 9120 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210160; rev:1;) alert tcp $HOME_NET any -> [218.80.234.82] 9400 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210158; rev:1;) alert tcp $HOME_NET any -> [218.80.234.82] 9120 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210156; rev:1;) alert tcp $HOME_NET any -> [218.80.234.82] 9140 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210157; rev:1;) alert tcp $HOME_NET any -> [120.78.157.70] 23456 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210154; rev:1;) alert tcp $HOME_NET any -> [147.135.177.25] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210155; rev:1;) alert tcp $HOME_NET any -> [46.228.222.234] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210153; rev:1;) alert tcp $HOME_NET any -> [213.100.180.158] 9999 (msg:"ThreatFox 
Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210151; rev:1;) alert tcp $HOME_NET any -> [38.73.238.193] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210152; rev:1;) alert tcp $HOME_NET any -> [149.28.117.156] 6999 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210149; rev:1;) alert tcp $HOME_NET any -> [173.12.35.172] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210150; rev:1;) alert tcp $HOME_NET any -> [120.204.247.150] 9320 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210148; rev:1;) alert tcp $HOME_NET any -> [212.46.104.104] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210146/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91210146; rev:1;) alert tcp $HOME_NET any -> [173.12.35.170] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210147; rev:1;) alert tcp $HOME_NET any -> [196.200.131.1] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210145; rev:1;) alert tcp $HOME_NET any -> [67.23.0.194] 8901 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210144; rev:1;) alert tcp $HOME_NET any -> [89.200.93.209] 3000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210143; rev:1;) alert tcp $HOME_NET any -> [120.76.193.152] 6802 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210142; rev:1;) alert tcp $HOME_NET any -> [108.59.9.66] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210141; rev:1;)
# Xtreme RAT ip:port batch (all first_seen 2023_12_04 -- looks like a bulk import; the age of the
# underlying infrastructure is not visible here, so check the IOC pages before acting on them).
alert tcp $HOME_NET any -> [23.82.75.184] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210139; rev:1;)
alert tcp $HOME_NET any -> [59.78.131.118] 9120 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210140; rev:1;)
# NOTE(review): several rules in this batch key on tcp/53 (below: 173.12.35.173, 149.202.60.205,
# 196.200.160.206, 50.235.36.133) and tcp/22 (91.132.145.163, 81.169.247.132). They carry no
# flow: or app-layer keyword, so they fire on the first SYN from $HOME_NET and on whatever
# protocol actually uses that port. If one of these hosts is a resolver/forwarder your clients
# legitimately reach over DNS-over-TCP, or an SSH endpoint someone uses, the threshold only limits
# the noise to 1 alert per source per minute -- it does not remove the false positive. Confirm on
# the IOC page that the port really is the RAT listener before turning alert into drop/reject.
alert tcp $HOME_NET any -> [173.12.35.173] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210138; rev:1;)
alert tcp $HOME_NET any -> [149.202.60.205] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210136; rev:1;)
alert tcp $HOME_NET any -> [101.132.192.177] 9007 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210137; rev:1;)
alert tcp $HOME_NET any -> [196.200.160.206] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210135; rev:1;)
alert tcp $HOME_NET any -> [50.235.36.133] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210134; rev:1;)
alert tcp $HOME_NET any -> [106.54.102.213] 8282 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210133; rev:1;)
alert tcp $HOME_NET any -> [54.39.131.24] 44451 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210131; rev:1;)
# tcp/22 entries -- see the note above; an SSH session to either host from inside will alert.
alert tcp $HOME_NET any -> [91.132.145.163] 22 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210132; rev:1;)
alert tcp $HOME_NET any -> [81.169.247.132] 22 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210129/; target:src_ip;
metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210129; rev:1;) alert tcp $HOME_NET any -> [31.149.134.171] 3000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210130; rev:1;) alert tcp $HOME_NET any -> [2.56.99.150] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210128; rev:1;) alert tcp $HOME_NET any -> [93.123.216.197] 3020 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210126; rev:1;) alert tcp $HOME_NET any -> [65.201.147.254] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210127; rev:1;) alert tcp $HOME_NET any -> [27.120.93.85] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210124; rev:1;) alert tcp $HOME_NET any -> [213.9.97.198] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210125; rev:1;) alert tcp $HOME_NET any -> [180.169.159.44] 9007 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210122; rev:1;) alert tcp $HOME_NET any -> [91.214.70.200] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210123; rev:1;) alert tcp $HOME_NET any -> [202.121.52.27] 9120 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210121; rev:1;) alert tcp $HOME_NET any -> [65.201.147.253] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210119; rev:1;) alert tcp $HOME_NET any -> [173.12.35.169] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210120; rev:1;) 
alert tcp $HOME_NET any -> [202.120.162.78] 9120 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210118; rev:1;) alert tcp $HOME_NET any -> [54.36.212.24] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210116; rev:1;) alert tcp $HOME_NET any -> [178.238.78.153] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210117; rev:1;) alert tcp $HOME_NET any -> [193.189.188.171] 10010 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210115; rev:1;) alert tcp $HOME_NET any -> [212.146.105.36] 7200 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210113; rev:1;) alert tcp $HOME_NET any -> [45.79.178.114] 1704 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210114; rev:1;) alert tcp $HOME_NET any -> [202.120.79.99] 9120 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210111; rev:1;) alert tcp $HOME_NET any -> [52.45.16.22] 1030 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210112; rev:1;) alert tcp $HOME_NET any -> [42.157.163.219] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91210110; rev:1;) alert tcp $HOME_NET any -> [166.193.101.187] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210108/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210108; rev:1;) alert tcp $HOME_NET any -> [2.55.122.171] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210109/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210109; rev:1;) alert tcp $HOME_NET any -> [72.142.184.6] 444 (msg:"ThreatFox 
Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210107/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210107; rev:1;) alert tcp $HOME_NET any -> [186.154.219.18] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210105/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210105; rev:1;) alert tcp $HOME_NET any -> [72.142.184.7] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210106/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210106; rev:1;) alert tcp $HOME_NET any -> [166.154.11.35] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210104/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210104; rev:1;) alert tcp $HOME_NET any -> [166.151.58.58] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210102/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210102; rev:1;) alert tcp $HOME_NET any -> [74.198.231.126] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210103/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91210103; rev:1;) alert tcp $HOME_NET any -> [166.151.58.58] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210101/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210101; rev:1;) alert tcp $HOME_NET any -> [166.154.135.224] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210100/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210100; rev:1;) alert tcp $HOME_NET any -> [194.197.67.160] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210098/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210098; rev:1;) alert tcp $HOME_NET any -> [76.70.246.230] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210099/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210099; rev:1;) alert tcp $HOME_NET any -> [166.164.115.108] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210096/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210096; rev:1;) alert tcp $HOME_NET any -> [166.164.115.108] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210097/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210097; rev:1;) alert tcp $HOME_NET any -> [74.198.231.123] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210095/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210095; rev:1;) alert tcp $HOME_NET any -> [2.55.112.248] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210093/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210093; rev:1;) alert tcp $HOME_NET any -> [2.54.234.48] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210094/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210094; rev:1;) alert tcp $HOME_NET any -> [200.93.161.123] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210092/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210092; rev:1;) alert tcp $HOME_NET any -> [205.200.10.254] 448 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210091/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210091; rev:1;) alert tcp 
$HOME_NET any -> [166.249.62.113] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210089/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210089; rev:1;) alert tcp $HOME_NET any -> [166.249.62.113] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210090/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210090; rev:1;) alert tcp $HOME_NET any -> [186.155.251.173] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210088/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210088; rev:1;) alert tcp $HOME_NET any -> [184.151.143.70] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210086/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210086; rev:1;) alert tcp $HOME_NET any -> [96.1.60.95] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210087/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210087; rev:1;) alert tcp $HOME_NET any -> [166.161.146.187] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210085/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210085; rev:1;) alert tcp $HOME_NET any -> [166.249.62.103] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210083/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210083; rev:1;) alert tcp $HOME_NET any -> [166.249.62.103] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210084/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210084; rev:1;) alert tcp $HOME_NET any -> [137.221.14.191] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210082/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210082; rev:1;) alert tcp $HOME_NET any -> [2.55.113.15] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210080/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210080; rev:1;) alert tcp $HOME_NET any -> [78.89.177.82] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210081/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210081; rev:1;) alert tcp $HOME_NET any -> [49.229.157.32] 2100 (msg:"ThreatFox 
Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210079/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210079; rev:1;) alert tcp $HOME_NET any -> [166.151.58.62] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210077/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210077; rev:1;) alert tcp $HOME_NET any -> [166.151.58.62] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210078/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210078; rev:1;) alert tcp $HOME_NET any -> [76.70.199.230] 2 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210076/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210076; rev:1;) alert tcp $HOME_NET any -> [166.249.62.110] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210074/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210074; rev:1;) alert tcp $HOME_NET any -> [75.154.254.110] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210075/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91210075; rev:1;) alert tcp $HOME_NET any -> [166.151.162.215] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210073/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210073; rev:1;) alert tcp $HOME_NET any -> [78.89.177.83] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210071/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210071; rev:1;) alert tcp $HOME_NET any -> [166.151.162.215] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210072/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210072; rev:1;) alert tcp $HOME_NET any -> [173.181.137.56] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210070/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210070; rev:1;) alert tcp $HOME_NET any -> [166.249.62.117] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210068/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210068; rev:1;) alert tcp $HOME_NET any -> [166.157.40.67] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210069/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210069; rev:1;) alert tcp $HOME_NET any -> [166.249.62.117] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210067/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210067; rev:1;) alert tcp $HOME_NET any -> [184.151.141.45] 6785 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210065/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210065; rev:1;) alert tcp $HOME_NET any -> [110.49.150.8] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210066/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210066; rev:1;) alert tcp $HOME_NET any -> [166.151.58.57] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210064/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210064; rev:1;) alert tcp $HOME_NET any -> [166.154.77.222] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210062/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210062; rev:1;) alert 
tcp $HOME_NET any -> [166.151.58.57] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210063/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210063; rev:1;) alert tcp $HOME_NET any -> [166.255.153.126] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210060/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210060; rev:1;) alert tcp $HOME_NET any -> [166.154.77.222] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210061/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210061; rev:1;) alert tcp $HOME_NET any -> [166.255.153.126] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210059/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210059; rev:1;) alert tcp $HOME_NET any -> [72.142.184.236] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210057/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210057; rev:1;) alert tcp $HOME_NET any -> [2.55.87.112] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210058/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210058; rev:1;) alert tcp $HOME_NET any -> [184.70.50.102] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210056/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210056; rev:1;) alert tcp $HOME_NET any -> [186.31.140.66] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210054/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210054; rev:1;) alert tcp $HOME_NET any -> [76.70.193.109] 2 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210055/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210055; rev:1;) alert tcp $HOME_NET any -> [184.151.210.116] 5100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210053/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210053; rev:1;) alert tcp $HOME_NET any -> [166.130.41.203] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210051/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210051; rev:1;) alert tcp $HOME_NET any -> [142.163.208.222] 443 (msg:"ThreatFox 
Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210052/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210052; rev:1;) alert tcp $HOME_NET any -> [78.89.177.90] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210050/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210050; rev:1;) alert tcp $HOME_NET any -> [96.1.61.170] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210048/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210048; rev:1;) alert tcp $HOME_NET any -> [72.142.184.10] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210049/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210049; rev:1;) alert tcp $HOME_NET any -> [166.167.90.239] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210047/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210047; rev:1;) alert tcp $HOME_NET any -> [166.130.48.237] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210046/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91210046; rev:1;) alert tcp $HOME_NET any -> [24.222.224.150] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210044/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210044; rev:1;) alert tcp $HOME_NET any -> [166.140.125.71] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210045/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210045; rev:1;) alert tcp $HOME_NET any -> [96.1.60.56] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210043/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210043; rev:1;) alert tcp $HOME_NET any -> [50.117.189.232] 6517 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210042/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210042; rev:1;) alert tcp $HOME_NET any -> [72.142.184.12] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210040/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210040; rev:1;) alert tcp $HOME_NET any -> [50.117.189.232] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210041/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210041; rev:1;) alert tcp $HOME_NET any -> [166.151.162.214] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210039/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210039; rev:1;) alert tcp $HOME_NET any -> [166.151.162.214] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210038/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210038; rev:1;) alert tcp $HOME_NET any -> [166.157.34.32] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210036/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210036; rev:1;) alert tcp $HOME_NET any -> [49.229.152.144] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210037/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210037; rev:1;) alert tcp $HOME_NET any -> [166.157.34.32] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210035/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210035; rev:1;) alert tcp 
$HOME_NET any -> [110.49.145.29] 2200 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210033/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210033; rev:1;) alert tcp $HOME_NET any -> [78.89.177.190] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210034/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210034; rev:1;) alert tcp $HOME_NET any -> [110.49.145.29] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210032/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210032; rev:1;) alert tcp $HOME_NET any -> [41.112.34.206] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210030/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210030; rev:1;) alert tcp $HOME_NET any -> [116.68.155.171] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210031/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210031; rev:1;) alert tcp $HOME_NET any -> [107.126.209.240] 1177 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1210029/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210029; rev:1;) alert tcp $HOME_NET any -> [2.54.80.4] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210028/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210028; rev:1;) alert tcp $HOME_NET any -> [166.241.140.123] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210026/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210026; rev:1;) alert tcp $HOME_NET any -> [96.1.57.24] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210027/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210027; rev:1;) alert tcp $HOME_NET any -> [78.89.177.81] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210025/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210025; rev:1;) alert tcp $HOME_NET any -> [74.198.231.131] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210024/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210024; rev:1;) alert tcp $HOME_NET any -> [184.151.219.221] 2100 (msg:"ThreatFox Darktrack 
RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210022/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210022; rev:1;) alert tcp $HOME_NET any -> [154.51.165.120] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210023/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210023; rev:1;) alert tcp $HOME_NET any -> [166.167.90.243] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210021/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210021; rev:1;) alert tcp $HOME_NET any -> [166.130.142.241] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210019/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210019; rev:1;) alert tcp $HOME_NET any -> [72.139.242.84] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210020/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210020; rev:1;) alert tcp $HOME_NET any -> [166.249.62.115] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210018/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91210018; rev:1;) alert tcp $HOME_NET any -> [137.221.1.15] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210016/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210016; rev:1;) alert tcp $HOME_NET any -> [166.249.62.115] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210017/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210017; rev:1;) alert tcp $HOME_NET any -> [2.55.99.215] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210015/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210015; rev:1;) alert tcp $HOME_NET any -> [180.180.108.214] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210013/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210013; rev:1;) alert tcp $HOME_NET any -> [96.1.98.11] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210014/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210014; rev:1;) alert tcp $HOME_NET any -> [173.181.139.248] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210012/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210012; rev:1;) alert tcp $HOME_NET any -> [96.1.61.86] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210011/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210011; rev:1;) alert tcp $HOME_NET any -> [24.222.224.154] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210009/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210009; rev:1;) alert tcp $HOME_NET any -> [96.1.60.221] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210010/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210010; rev:1;) alert tcp $HOME_NET any -> [166.130.6.117] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210008/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210008; rev:1;) alert tcp $HOME_NET any -> [72.142.184.5] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210006/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210006; rev:1;) alert tcp $HOME_NET 
any -> [166.167.90.246] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210007/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210007; rev:1;) alert tcp $HOME_NET any -> [96.1.60.107] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210005/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210005; rev:1;) alert tcp $HOME_NET any -> [166.157.34.28] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210003/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210003; rev:1;) alert tcp $HOME_NET any -> [166.157.34.28] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210004/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210004; rev:1;) alert tcp $HOME_NET any -> [113.53.54.178] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210002/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210002; rev:1;) alert tcp $HOME_NET any -> [96.1.61.22] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210001/; 
target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210001; rev:1;) alert tcp $HOME_NET any -> [49.229.159.123] 2200 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1210000/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91210000; rev:1;) alert tcp $HOME_NET any -> [41.222.98.132] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209998/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209998; rev:1;) alert tcp $HOME_NET any -> [49.229.159.123] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209999/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209999; rev:1;) alert tcp $HOME_NET any -> [96.1.106.43] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209997/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209997; rev:1;) alert tcp $HOME_NET any -> [41.222.98.127] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209996/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209996; rev:1;) alert tcp $HOME_NET any -> [166.193.101.236] 1177 (msg:"ThreatFox Darktrack RAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209994/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209994; rev:1;) alert tcp $HOME_NET any -> [194.251.16.130] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209995/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209995; rev:1;) alert tcp $HOME_NET any -> [166.249.62.100] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209993/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209993; rev:1;) alert tcp $HOME_NET any -> [72.142.184.11] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209992/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209992; rev:1;) alert tcp $HOME_NET any -> [72.139.242.101] 603 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209990/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209990; rev:1;) alert tcp $HOME_NET any -> [173.182.9.172] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209991/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209991; rev:1;) alert tcp $HOME_NET any -> [72.139.242.101] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209989/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209989; rev:1;) alert tcp $HOME_NET any -> [166.203.177.153] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209988/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209988; rev:1;) alert tcp $HOME_NET any -> [174.5.120.9] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209987/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209987; rev:1;) alert tcp $HOME_NET any -> [166.164.115.107] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209985/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209985; rev:1;) alert tcp $HOME_NET any -> [166.164.115.107] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209986/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209986; rev:1;) alert tcp $HOME_NET any -> [137.221.0.49] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209984/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209984; rev:1;) alert tcp $HOME_NET any -> [49.229.156.167] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209983/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209983; rev:1;) alert tcp $HOME_NET any -> [166.255.153.125] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209982/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209982; rev:1;) alert tcp $HOME_NET any -> [166.255.153.125] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209981/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209981; rev:1;) alert tcp $HOME_NET any -> [142.177.204.70] 4905 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209980/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209980; rev:1;) alert tcp $HOME_NET any -> [166.249.62.101] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209979/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209979; rev:1;) alert tcp $HOME_NET any -> 
[166.249.62.101] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209978/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209978; rev:1;) alert tcp $HOME_NET any -> [173.224.241.133] 449 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209977/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209977; rev:1;) alert tcp $HOME_NET any -> [49.231.75.52] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209975/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209975; rev:1;) alert tcp $HOME_NET any -> [149.210.28.96] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209976/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209976; rev:1;) alert tcp $HOME_NET any -> [166.249.62.104] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209974/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209974; rev:1;) alert tcp $HOME_NET any -> [166.249.62.104] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209973/; 
target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209973; rev:1;) alert tcp $HOME_NET any -> [78.89.177.85] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209972/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209972; rev:1;) alert tcp $HOME_NET any -> [96.1.59.246] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209971/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209971; rev:1;) alert tcp $HOME_NET any -> [72.142.184.235] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209970/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209970; rev:1;) alert tcp $HOME_NET any -> [166.154.77.221] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209969/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209969; rev:1;) alert tcp $HOME_NET any -> [166.154.77.221] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209968/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209968; rev:1;) alert tcp $HOME_NET any -> [193.192.196.184] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209967/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209967; rev:1;) alert tcp $HOME_NET any -> [193.192.196.184] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209966/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209966; rev:1;) alert tcp $HOME_NET any -> [72.139.229.151] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209965/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209965; rev:1;) alert tcp $HOME_NET any -> [89.30.233.18] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209964/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209964; rev:1;) alert tcp $HOME_NET any -> [89.30.233.18] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209963/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209963; rev:1;) alert tcp $HOME_NET any -> [193.192.196.186] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209962/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209962; rev:1;) alert tcp $HOME_NET any -> [193.192.196.186] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209961/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209961; rev:1;) alert tcp $HOME_NET any -> [166.130.171.98] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209960/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209960; rev:1;) alert tcp $HOME_NET any -> [193.192.209.202] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209958/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209958; rev:1;) alert tcp $HOME_NET any -> [193.192.209.202] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209959/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209959; rev:1;) alert tcp $HOME_NET any -> [166.140.75.111] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209957/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209957; rev:1;) alert tcp $HOME_NET any -> [2.55.78.118] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209955/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209955; rev:1;) alert tcp $HOME_NET any -> [72.139.250.31] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209956/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209956; rev:1;) alert tcp $HOME_NET any -> [194.251.16.131] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209954/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209954; rev:1;) alert tcp $HOME_NET any -> [76.70.216.106] 5100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209952/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209952; rev:1;) alert tcp $HOME_NET any -> [37.25.35.177] 8090 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209953/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209953; rev:1;) alert tcp $HOME_NET any -> [96.1.98.118] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209951/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209951; rev:1;) alert tcp $HOME_NET any -> 
[70.28.194.190] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209950/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209950; rev:1;) alert tcp $HOME_NET any -> [96.1.24.159] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209949/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209949; rev:1;) alert tcp $HOME_NET any -> [41.222.98.131] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209947/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209947; rev:1;) alert tcp $HOME_NET any -> [180.180.108.124] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209948/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209948; rev:1;) alert tcp $HOME_NET any -> [194.251.16.251] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209946/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209946; rev:1;) alert tcp $HOME_NET any -> [186.30.114.100] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209944/; 
target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209944; rev:1;) alert tcp $HOME_NET any -> [185.170.179.162] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209945/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209945; rev:1;) alert tcp $HOME_NET any -> [137.221.14.198] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209943/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209943; rev:1;) alert tcp $HOME_NET any -> [216.211.101.159] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209942/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209942; rev:1;) alert tcp $HOME_NET any -> [2.55.70.127] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209940/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209940; rev:1;) alert tcp $HOME_NET any -> [74.198.231.138] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209941/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209941; rev:1;) alert tcp $HOME_NET any -> [96.1.96.203] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209939/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209939; rev:1;) alert tcp $HOME_NET any -> [118.173.247.210] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209938/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209938; rev:1;) alert tcp $HOME_NET any -> [2.55.113.20] 4755 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209936/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209936; rev:1;) alert tcp $HOME_NET any -> [166.151.58.56] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209937/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209937; rev:1;) alert tcp $HOME_NET any -> [2.55.113.20] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209935/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209935; rev:1;) alert tcp $HOME_NET any -> [209.121.104.206] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209934/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209934; rev:1;) alert tcp $HOME_NET any -> [184.151.210.103] 5100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209932/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209932; rev:1;) alert tcp $HOME_NET any -> [184.151.153.114] 6785 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209933/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209933; rev:1;) alert tcp $HOME_NET any -> [173.181.137.59] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209931/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209931; rev:1;) alert tcp $HOME_NET any -> [166.161.164.193] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209930/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209930; rev:1;) alert tcp $HOME_NET any -> [96.1.103.67] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209928/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209928; rev:1;) alert tcp $HOME_NET any -> [96.1.110.123] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209929/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209929; rev:1;) alert tcp $HOME_NET any -> [184.151.235.170] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209927/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209927; rev:1;) alert tcp $HOME_NET any -> [184.151.210.105] 5100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209925/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209925; rev:1;) alert tcp $HOME_NET any -> [78.89.177.89] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209926/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209926; rev:1;) alert tcp $HOME_NET any -> [166.167.90.238] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209924/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209924; rev:1;) alert tcp $HOME_NET any -> [72.234.97.25] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209923/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209923; rev:1;) alert tcp $HOME_NET 
any -> [166.157.40.68] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209921/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209921; rev:1;) alert tcp $HOME_NET any -> [49.229.153.170] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209922/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209922; rev:1;) alert tcp $HOME_NET any -> [166.157.40.68] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209920/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209920; rev:1;) alert tcp $HOME_NET any -> [41.112.34.197] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209919/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209919; rev:1;) alert tcp $HOME_NET any -> [173.182.71.88] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209917/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209917; rev:1;) alert tcp $HOME_NET any -> [72.142.184.241] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209918/; 
target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209918; rev:1;) alert tcp $HOME_NET any -> [190.25.237.164] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209916/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209916; rev:1;) alert tcp $HOME_NET any -> [173.182.107.226] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209915/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209915; rev:1;) alert tcp $HOME_NET any -> [166.193.102.216] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209913/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209913; rev:1;) alert tcp $HOME_NET any -> [49.229.158.250] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209914/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209914; rev:1;) alert tcp $HOME_NET any -> [166.151.56.79] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209912/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209912; rev:1;) alert tcp $HOME_NET any -> [184.151.143.68] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209911/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209911; rev:1;) alert tcp $HOME_NET any -> [166.151.58.65] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209909/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209909; rev:1;) alert tcp $HOME_NET any -> [173.181.133.47] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209910/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209910; rev:1;) alert tcp $HOME_NET any -> [155.170.122.23] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209908/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209908; rev:1;) alert tcp $HOME_NET any -> [72.139.242.102] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209906/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209906; rev:1;) alert tcp $HOME_NET any -> [186.31.132.35] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209907/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209907; rev:1;) alert tcp $HOME_NET any -> [199.19.216.215] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209905/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209905; rev:1;) alert tcp $HOME_NET any -> [113.53.54.177] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209904/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209904; rev:1;) alert tcp $HOME_NET any -> [205.200.239.230] 448 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209902/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209902; rev:1;) alert tcp $HOME_NET any -> [105.145.37.129] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209903/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209903; rev:1;) alert tcp $HOME_NET any -> [72.142.184.239] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209901/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209901; rev:1;) alert tcp $HOME_NET any -> [72.142.184.14] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209899/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209899; rev:1;) alert tcp $HOME_NET any -> [166.241.136.187] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209900/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209900; rev:1;) alert tcp $HOME_NET any -> [166.140.125.76] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209898/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209898; rev:1;) alert tcp $HOME_NET any -> [49.229.158.155] 2200 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209897/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209897; rev:1;) alert tcp $HOME_NET any -> [49.229.158.155] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209896/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209896; rev:1;) alert tcp $HOME_NET any -> [186.30.31.42] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209894/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209894; rev:1;) alert tcp $HOME_NET any -> 
[72.139.242.99] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209895/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209895; rev:1;) alert tcp $HOME_NET any -> [2.55.84.215] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209893/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209893; rev:1;) alert tcp $HOME_NET any -> [186.154.252.210] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209892/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209892; rev:1;) alert tcp $HOME_NET any -> [76.70.199.33] 1 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209890/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209890; rev:1;) alert tcp $HOME_NET any -> [96.1.61.72] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209891/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209891; rev:1;) alert tcp $HOME_NET any -> [166.140.27.235] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209889/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209889; rev:1;) alert tcp $HOME_NET any -> [212.213.64.25] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209887/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209887; rev:1;) alert tcp $HOME_NET any -> [194.197.65.193] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209888/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209888; rev:1;) alert tcp $HOME_NET any -> [68.182.35.70] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209886/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209886; rev:1;) alert tcp $HOME_NET any -> [131.100.37.100] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209885/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209885; rev:1;) alert tcp $HOME_NET any -> [78.89.177.92] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209883/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209883; rev:1;) alert tcp $HOME_NET any -> [142.163.55.30] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209884/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209884; rev:1;) alert tcp $HOME_NET any -> [206.45.125.191] 448 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209882/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209882; rev:1;) alert tcp $HOME_NET any -> [2.55.112.253] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209881/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209881; rev:1;) alert tcp $HOME_NET any -> [174.90.224.111] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209880/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209880; rev:1;) alert tcp $HOME_NET any -> [166.130.171.53] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209878/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209878; rev:1;) alert tcp $HOME_NET any -> [68.182.34.145] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209879/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209879; rev:1;) alert tcp $HOME_NET any -> [93.91.45.110] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209877/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209877; rev:1;) alert tcp $HOME_NET any -> [96.1.101.196] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209875/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209875; rev:1;) alert tcp $HOME_NET any -> [93.91.45.110] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209876/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209876; rev:1;) alert tcp $HOME_NET any -> [110.77.137.106] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209874/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209874; rev:1;) alert tcp $HOME_NET any -> [96.1.60.38] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209872/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209872; rev:1;) alert tcp $HOME_NET any -> [154.60.77.197] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1209873/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209873; rev:1;) alert tcp $HOME_NET any -> [166.130.9.253] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209871/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209871; rev:1;) alert tcp $HOME_NET any -> [117.240.142.82] 502 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209870/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209870; rev:1;) alert tcp $HOME_NET any -> [142.163.243.218] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209868/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209868; rev:1;) alert tcp $HOME_NET any -> [142.176.134.226] 4905 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209869/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209869; rev:1;) alert tcp $HOME_NET any -> [212.213.64.21] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209867/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209867; rev:1;) alert tcp $HOME_NET any -> [99.21.187.176] 9884 
(msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209866/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209866; rev:1;) alert tcp $HOME_NET any -> [72.139.242.87] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209864/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209864; rev:1;) alert tcp $HOME_NET any -> [142.165.224.86] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209865/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209865; rev:1;) alert tcp $HOME_NET any -> [72.142.184.240] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209863/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209863; rev:1;) alert tcp $HOME_NET any -> [72.142.184.13] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209862/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209862; rev:1;) alert tcp $HOME_NET any -> [131.255.216.137] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209860/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209860; rev:1;) alert tcp $HOME_NET any -> [166.140.125.68] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209861/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209861; rev:1;) alert tcp $HOME_NET any -> [166.151.162.216] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209858/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209858; rev:1;) alert tcp $HOME_NET any -> [74.198.231.137] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209859/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209859; rev:1;) alert tcp $HOME_NET any -> [166.151.162.216] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209857/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209857; rev:1;) alert tcp $HOME_NET any -> [166.241.164.36] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209856/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209856; rev:1;) alert tcp $HOME_NET any -> [166.241.164.36] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209855/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209855; rev:1;) alert tcp $HOME_NET any -> [173.181.133.46] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209853/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209853; rev:1;) alert tcp $HOME_NET any -> [41.112.47.50] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209854/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209854; rev:1;) alert tcp $HOME_NET any -> [166.151.58.66] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209852/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209852; rev:1;) alert tcp $HOME_NET any -> [166.151.58.66] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209851/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209851; rev:1;) alert tcp $HOME_NET any -> [190.26.56.114] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209849/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209849; rev:1;) alert tcp $HOME_NET any -> [78.89.177.86] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209850/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209850; rev:1;) alert tcp $HOME_NET any -> [96.1.74.199] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209847/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209847; rev:1;) alert tcp $HOME_NET any -> [47.177.106.145] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209848/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209848; rev:1;) alert tcp $HOME_NET any -> [166.249.62.112] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209846/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209846; rev:1;) alert tcp $HOME_NET any -> [203.150.226.21] 11054 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209844/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209844; rev:1;) alert tcp $HOME_NET any -> [166.249.62.112] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1209845/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209845; rev:1;) alert tcp $HOME_NET any -> [203.150.226.21] 10007 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209843/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209843; rev:1;) alert tcp $HOME_NET any -> [72.253.200.110] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209842/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209842; rev:1;) alert tcp $HOME_NET any -> [118.174.64.219] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209840/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209840; rev:1;) alert tcp $HOME_NET any -> [192.34.129.160] 9884 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209841/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209841; rev:1;) alert tcp $HOME_NET any -> [2.55.113.168] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209839/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209839; rev:1;) alert tcp $HOME_NET any -> [96.1.108.18] 2100 
(msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209837/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209837; rev:1;) alert tcp $HOME_NET any -> [96.1.102.226] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209838/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209838; rev:1;) alert tcp $HOME_NET any -> [2.55.79.174] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209836/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209836; rev:1;) alert tcp $HOME_NET any -> [166.249.62.111] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209834/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209834; rev:1;) alert tcp $HOME_NET any -> [99.46.138.238] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209835/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209835; rev:1;) alert tcp $HOME_NET any -> [166.249.62.111] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209833/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209833; rev:1;) alert tcp $HOME_NET any -> [184.151.210.146] 5100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209831/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209831; rev:1;) alert tcp $HOME_NET any -> [2.55.113.9] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209832/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209832; rev:1;) alert tcp $HOME_NET any -> [166.130.170.194] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209830/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209830; rev:1;) alert tcp $HOME_NET any -> [82.102.165.166] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209828/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209828; rev:1;) alert tcp $HOME_NET any -> [24.43.233.74] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209829/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209829; rev:1;) alert tcp $HOME_NET any -> [72.253.168.115] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209827/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209827; rev:1;) alert tcp $HOME_NET any -> [81.187.253.131] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209825/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209825; rev:1;) alert tcp $HOME_NET any -> [166.140.82.1] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209826/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209826; rev:1;) alert tcp $HOME_NET any -> [96.1.103.86] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209823/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209823; rev:1;) alert tcp $HOME_NET any -> [81.187.253.131] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209824/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209824; rev:1;) alert tcp $HOME_NET any -> [96.1.74.194] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209822/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209822; rev:1;) alert tcp $HOME_NET any -> [96.1.62.245] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209821/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209821; rev:1;) alert tcp $HOME_NET any -> [142.163.43.206] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209819/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209819; rev:1;) alert tcp $HOME_NET any -> [2.55.105.227] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209820/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209820; rev:1;) alert tcp $HOME_NET any -> [194.197.66.3] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209818/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209818; rev:1;) alert tcp $HOME_NET any -> [166.203.163.2] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209816/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209816; rev:1;) alert tcp $HOME_NET any -> [74.198.231.142] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1209817/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209817; rev:1;) alert tcp $HOME_NET any -> [96.1.27.221] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209815/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209815; rev:1;) alert tcp $HOME_NET any -> [154.60.78.105] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209813/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209813; rev:1;) alert tcp $HOME_NET any -> [166.153.210.163] 9884 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209814/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209814; rev:1;) alert tcp $HOME_NET any -> [137.221.0.204] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209812/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209812; rev:1;) alert tcp $HOME_NET any -> [138.255.235.15] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209810/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209810; rev:1;) alert tcp $HOME_NET any -> [166.161.153.245] 1300 
(msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209811/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209811; rev:1;) alert tcp $HOME_NET any -> [5.226.58.98] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209809/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209809; rev:1;) alert tcp $HOME_NET any -> [173.181.133.52] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209807/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209807; rev:1;) alert tcp $HOME_NET any -> [187.228.141.78] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209808/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209808; rev:1;) alert tcp $HOME_NET any -> [96.1.61.126] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209806/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209806; rev:1;) alert tcp $HOME_NET any -> [166.130.87.98] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209805/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209805; rev:1;) alert tcp $HOME_NET any -> [72.142.179.175] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209803/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209803; rev:1;) alert tcp $HOME_NET any -> [81.2.101.81] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209804/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209804; rev:1;) alert tcp $HOME_NET any -> [154.62.179.11] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209801/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209801; rev:1;) alert tcp $HOME_NET any -> [137.221.14.196] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209802/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209802; rev:1;) alert tcp $HOME_NET any -> [184.151.235.171] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209800/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209800; rev:1;) alert tcp $HOME_NET any -> [2.55.71.111] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209798/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209798; rev:1;) alert tcp $HOME_NET any -> [96.1.51.225] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209799/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209799; rev:1;) alert tcp $HOME_NET any -> [47.154.133.67] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209797/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209797; rev:1;) alert tcp $HOME_NET any -> [184.151.142.11] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209795/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209795; rev:1;) alert tcp $HOME_NET any -> [166.130.33.29] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209796/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209796; rev:1;) alert tcp $HOME_NET any -> [194.197.67.199] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209794/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209794; rev:1;) alert tcp $HOME_NET any -> [166.151.58.61] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209793/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209793; rev:1;) alert tcp $HOME_NET any -> [166.154.31.197] 703 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209791/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209791; rev:1;) alert tcp $HOME_NET any -> [166.154.31.197] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209792/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209792; rev:1;) alert tcp $HOME_NET any -> [72.142.184.19] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209790/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209790; rev:1;) alert tcp $HOME_NET any -> [206.45.107.77] 448 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209788/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209788; rev:1;) alert tcp $HOME_NET any -> [72.139.229.152] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1209789/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209789; rev:1;) alert tcp $HOME_NET any -> [41.112.34.202] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209787/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209787; rev:1;) alert tcp $HOME_NET any -> [180.180.108.237] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209786/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209786; rev:1;) alert tcp $HOME_NET any -> [96.1.108.17] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209784/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209784; rev:1;) alert tcp $HOME_NET any -> [76.70.165.145] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209785/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209785; rev:1;) alert tcp $HOME_NET any -> [166.130.71.228] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209783/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209783; rev:1;) alert tcp $HOME_NET any -> [2.55.113.171] 4756 
(msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209781/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209781; rev:1;) alert tcp $HOME_NET any -> [205.200.13.220] 448 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209782/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209782; rev:1;) alert tcp $HOME_NET any -> [173.181.141.106] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209780/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209780; rev:1;) alert tcp $HOME_NET any -> [174.90.98.101] 449 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209778/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209778; rev:1;) alert tcp $HOME_NET any -> [194.251.18.93] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209779/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209779; rev:1;) alert tcp $HOME_NET any -> [81.187.9.122] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209777/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209777; rev:1;) alert tcp $HOME_NET any -> [166.140.125.75] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209775/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209775; rev:1;) alert tcp $HOME_NET any -> [72.142.184.9] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209776/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209776; rev:1;) alert tcp $HOME_NET any -> [166.140.125.72] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209774/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209774; rev:1;) alert tcp $HOME_NET any -> [104.160.233.67] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209772/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209772; rev:1;) alert tcp $HOME_NET any -> [184.151.210.140] 5100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209773/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209773; rev:1;) alert tcp $HOME_NET any -> [166.140.125.65] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209771/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209771; rev:1;) alert tcp $HOME_NET any -> [166.140.125.69] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209769/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209769; rev:1;) alert tcp $HOME_NET any -> [96.1.108.19] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209770/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209770; rev:1;) alert tcp $HOME_NET any -> [173.181.133.48] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209768/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209768; rev:1;) alert tcp $HOME_NET any -> [154.62.179.2] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209766/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209766; rev:1;) alert tcp $HOME_NET any -> [207.195.88.247] 4433 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209767/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209767; rev:1;) alert tcp $HOME_NET any -> [149.210.80.198] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209764/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209764; rev:1;) alert tcp $HOME_NET any -> [189.190.175.149] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209765/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209765; rev:1;) alert tcp $HOME_NET any -> [154.62.179.25] 10002 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209763/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209763; rev:1;) alert tcp $HOME_NET any -> [166.193.103.247] 1177 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209761/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209761; rev:1;) alert tcp $HOME_NET any -> [72.139.242.95] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209762/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209762; rev:1;) alert tcp $HOME_NET any -> [186.29.78.74] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1209760/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209760; rev:1;) alert tcp $HOME_NET any -> [96.1.61.136] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209758/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209758; rev:1;) alert tcp $HOME_NET any -> [96.1.60.237] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209759/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209759; rev:1;) alert tcp $HOME_NET any -> [173.181.132.96] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209756/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209756; rev:1;) alert tcp $HOME_NET any -> [74.198.231.125] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209757/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209757; rev:1;) alert tcp $HOME_NET any -> [142.177.204.66] 4905 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209755/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209755; rev:1;) alert tcp $HOME_NET any -> [194.137.1.7] 2100 
(msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209754/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209754; rev:1;) alert tcp $HOME_NET any -> [166.151.162.217] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209752/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209752; rev:1;) alert tcp $HOME_NET any -> [49.229.153.189] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209753/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209753; rev:1;) alert tcp $HOME_NET any -> [173.224.248.117] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209750/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209750; rev:1;) alert tcp $HOME_NET any -> [166.151.162.217] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209751/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209751; rev:1;) alert tcp $HOME_NET any -> [142.163.59.246] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209749/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209749; rev:1;) alert tcp $HOME_NET any -> [82.102.149.157] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209747/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209747; rev:1;) alert tcp $HOME_NET any -> [166.167.90.245] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209748/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209748; rev:1;) alert tcp $HOME_NET any -> [96.1.61.97] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209746/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209746; rev:1;) alert tcp $HOME_NET any -> [2.55.112.251] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209744/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209744; rev:1;) alert tcp $HOME_NET any -> [184.151.142.9] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209745/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209745; rev:1;) alert tcp $HOME_NET any -> [154.51.165.119] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209743/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209743; rev:1;) alert tcp $HOME_NET any -> [166.161.142.118] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209741/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209741; rev:1;) alert tcp $HOME_NET any -> [186.28.229.58] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209742/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209742; rev:1;) alert tcp $HOME_NET any -> [166.154.121.42] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209740/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209740; rev:1;) alert tcp $HOME_NET any -> [184.151.251.37] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209738/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209738; rev:1;) alert tcp $HOME_NET any -> [72.139.242.93] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209739/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209739; rev:1;) alert tcp $HOME_NET any -> [78.89.177.80] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209737/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209737; rev:1;) alert tcp $HOME_NET any -> [49.231.161.114] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209735/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209735; rev:1;) alert tcp $HOME_NET any -> [41.222.98.129] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209736/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209736; rev:1;) alert tcp $HOME_NET any -> [189.190.83.55] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209733/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209733; rev:1;) alert tcp $HOME_NET any -> [166.154.11.33] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209734/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209734; rev:1;) alert tcp $HOME_NET any -> [165.0.224.9] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1209732/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209732; rev:1;) alert tcp $HOME_NET any -> [96.1.60.159] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209730/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209730; rev:1;) alert tcp $HOME_NET any -> [180.180.108.153] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209731/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209731; rev:1;) alert tcp $HOME_NET any -> [184.151.143.69] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209729/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209729; rev:1;) alert tcp $HOME_NET any -> [78.89.177.88] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209727/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209727; rev:1;) alert tcp $HOME_NET any -> [78.89.177.79] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209728/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209728; rev:1;) alert tcp $HOME_NET any -> [166.140.27.237] 443 
(msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209726/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209726; rev:1;) alert tcp $HOME_NET any -> [78.89.177.84] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209724/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209724; rev:1;) alert tcp $HOME_NET any -> [96.1.60.9] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209725/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209725; rev:1;) alert tcp $HOME_NET any -> [68.182.34.155] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209723/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209723; rev:1;) alert tcp $HOME_NET any -> [173.182.108.248] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209721/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209721; rev:1;) alert tcp $HOME_NET any -> [96.1.102.30] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209722/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209722; rev:1;) alert tcp $HOME_NET any -> [81.187.188.85] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209720/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209720; rev:1;) alert tcp $HOME_NET any -> [166.195.6.212] 1177 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209718/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209718; rev:1;) alert tcp $HOME_NET any -> [142.177.197.250] 4905 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209719/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209719; rev:1;) alert tcp $HOME_NET any -> [173.181.133.40] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209717/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209717; rev:1;) alert tcp $HOME_NET any -> [166.151.58.63] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209715/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209715; rev:1;) alert tcp $HOME_NET any -> [173.181.139.249] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209716/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209716; rev:1;) alert tcp $HOME_NET any -> [166.140.27.238] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209714/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209714; rev:1;) alert tcp $HOME_NET any -> [194.251.16.179] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209713/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209713; rev:1;) alert tcp $HOME_NET any -> [166.203.176.5] 1177 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209711/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209711; rev:1;) alert tcp $HOME_NET any -> [166.130.41.183] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209712/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209712; rev:1;) alert tcp $HOME_NET any -> [173.181.133.42] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209710/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209710; rev:1;) alert tcp $HOME_NET any -> [96.1.60.71] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209708/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209708; rev:1;) alert tcp $HOME_NET any -> [2.55.106.22] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209709/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209709; rev:1;) alert tcp $HOME_NET any -> [142.163.191.62] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209707/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209707; rev:1;) alert tcp $HOME_NET any -> [2.55.71.15] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209705/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209705; rev:1;) alert tcp $HOME_NET any -> [24.222.29.242] 4905 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209706/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209706; rev:1;) alert tcp $HOME_NET any -> [166.130.53.35] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209704/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209704; rev:1;) alert tcp $HOME_NET any -> [162.210.8.35] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209703/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209703; rev:1;) alert tcp $HOME_NET any -> [186.28.237.178] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209701/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209701; rev:1;) alert tcp $HOME_NET any -> [184.151.142.17] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209702/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209702; rev:1;) alert tcp $HOME_NET any -> [200.52.213.250] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209700/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209700; rev:1;) alert tcp $HOME_NET any -> [184.151.142.16] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209698/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209698; rev:1;) alert tcp $HOME_NET any -> [41.112.34.205] 4756 (msg:"ThreatFox 
Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209699/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209699; rev:1;) alert tcp $HOME_NET any -> [2.55.124.25] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209697/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209697; rev:1;) alert tcp $HOME_NET any -> [49.229.159.45] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209695/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209695; rev:1;) alert tcp $HOME_NET any -> [96.1.61.25] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209696/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209696; rev:1;) alert tcp $HOME_NET any -> [61.7.146.58] 2200 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209694/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209694; rev:1;) alert tcp $HOME_NET any -> [49.229.158.195] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209692/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91209692; rev:1;) alert tcp $HOME_NET any -> [66.91.178.61] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209693/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209693; rev:1;) alert tcp $HOME_NET any -> [142.166.36.230] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209691/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209691; rev:1;) alert tcp $HOME_NET any -> [209.128.20.162] 3001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209689/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209689; rev:1;) alert tcp $HOME_NET any -> [137.221.0.224] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209690/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209690; rev:1;) alert tcp $HOME_NET any -> [74.198.226.178] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209688/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209688; rev:1;) alert tcp $HOME_NET any -> [72.139.242.94] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209686/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209686; rev:1;) alert tcp $HOME_NET any -> [110.49.146.188] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209687/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209687; rev:1;) alert tcp $HOME_NET any -> [72.139.250.29] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209685/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209685; rev:1;) alert tcp $HOME_NET any -> [194.197.66.60] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209683/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209683; rev:1;) alert tcp $HOME_NET any -> [166.130.171.77] 4441 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209684/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209684; rev:1;) alert tcp $HOME_NET any -> [149.210.44.123] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209682/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209682; rev:1;) alert tcp 
$HOME_NET any -> [109.109.150.176] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209680/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209680; rev:1;) alert tcp $HOME_NET any -> [41.222.98.128] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209681/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209681; rev:1;) alert tcp $HOME_NET any -> [212.213.64.22] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209679/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209679; rev:1;) alert tcp $HOME_NET any -> [96.1.96.200] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209677/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209677; rev:1;) alert tcp $HOME_NET any -> [2.55.66.78] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209678/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209678; rev:1;) alert tcp $HOME_NET any -> [173.224.245.130] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209676/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209676; rev:1;) alert tcp $HOME_NET any -> [63.230.130.135] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209674/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209674; rev:1;) alert tcp $HOME_NET any -> [154.62.179.24] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209675/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209675; rev:1;) alert tcp $HOME_NET any -> [113.53.54.176] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209673/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209673; rev:1;) alert tcp $HOME_NET any -> [2.55.113.10] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209671/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209671; rev:1;) alert tcp $HOME_NET any -> [186.216.241.139] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209672/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209672; rev:1;) alert tcp $HOME_NET any -> [173.181.133.39] 2100 (msg:"ThreatFox 
Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209669/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209669; rev:1;) alert tcp $HOME_NET any -> [2.55.105.132] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209670/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209670; rev:1;) alert tcp $HOME_NET any -> [72.139.242.89] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209668/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209668; rev:1;) alert tcp $HOME_NET any -> [212.93.127.116] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209666/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209666; rev:1;) alert tcp $HOME_NET any -> [1.179.147.82] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209667/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209667; rev:1;) alert tcp $HOME_NET any -> [82.102.165.17] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209665/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91209665; rev:1;) alert tcp $HOME_NET any -> [186.30.165.50] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209663/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209663; rev:1;) alert tcp $HOME_NET any -> [216.226.43.203] 8443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209664/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209664; rev:1;) alert tcp $HOME_NET any -> [2.55.105.224] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209662/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209662; rev:1;) alert tcp $HOME_NET any -> [137.221.14.197] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209660/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209660; rev:1;) alert tcp $HOME_NET any -> [72.235.209.221] 1300 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209661/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209661; rev:1;) alert tcp $HOME_NET any -> [72.139.242.88] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209658/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209658; rev:1;) alert tcp $HOME_NET any -> [2.55.112.229] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209659/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209659; rev:1;) alert tcp $HOME_NET any -> [72.142.184.8] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209657/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209657; rev:1;) alert tcp $HOME_NET any -> [2.55.105.130] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209655/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209655; rev:1;) alert tcp $HOME_NET any -> [72.139.250.28] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209656/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209656; rev:1;) alert tcp $HOME_NET any -> [96.1.61.70] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209654/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209654; rev:1;) alert tcp 
$HOME_NET any -> [166.151.58.64] 443 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209652/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209652; rev:1;) alert tcp $HOME_NET any -> [154.62.179.4] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209653/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209653; rev:1;) alert tcp $HOME_NET any -> [96.1.24.227] 9880 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209651/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209651; rev:1;) alert tcp $HOME_NET any -> [137.221.14.194] 10001 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209650/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209650; rev:1;) alert tcp $HOME_NET any -> [110.34.3.219] 9881 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209648/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209648; rev:1;) alert tcp $HOME_NET any -> [82.102.157.154] 4756 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209649/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209649; rev:1;) alert tcp $HOME_NET any -> [186.30.167.220] 701 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209647/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209647; rev:1;) alert tcp $HOME_NET any -> [184.151.220.224] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209645/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209645; rev:1;) alert tcp $HOME_NET any -> [74.198.231.143] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209646/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209646; rev:1;) alert tcp $HOME_NET any -> [173.224.241.134] 449 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209644/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209644; rev:1;) alert tcp $HOME_NET any -> [113.53.54.179] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209642/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209642; rev:1;) alert tcp $HOME_NET any -> [184.151.142.14] 9881 (msg:"ThreatFox 
Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209643/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209643; rev:1;) alert tcp $HOME_NET any -> [78.89.177.87] 4000 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209641/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209641; rev:1;) alert tcp $HOME_NET any -> [72.142.184.237] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209639/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209639; rev:1;) alert tcp $HOME_NET any -> [166.130.170.198] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209640/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209640; rev:1;) alert tcp $HOME_NET any -> [184.151.143.134] 444 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209638/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209638; rev:1;) alert tcp $HOME_NET any -> [68.182.35.71] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209636/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91209636; rev:1;) alert tcp $HOME_NET any -> [118.172.187.127] 2100 (msg:"ThreatFox Darktrack RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209637/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209637; rev:1;) alert tcp $HOME_NET any -> [162.248.161.252] 443 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209634; rev:1;) alert tcp $HOME_NET any -> [167.99.117.245] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209635; rev:1;) alert tcp $HOME_NET any -> [162.248.161.252] 80 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209633; rev:1;) alert tcp $HOME_NET any -> [149.81.74.207] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209631; rev:1;) alert tcp $HOME_NET any -> [149.81.87.18] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209632; rev:1;) alert tcp $HOME_NET any -> [149.81.74.205] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209630; rev:1;) alert tcp $HOME_NET any -> [149.81.74.204] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209628; rev:1;) alert tcp $HOME_NET any -> [149.81.74.206] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209629; rev:1;) alert tcp $HOME_NET any -> [116.63.138.59] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209627; rev:1;) alert tcp $HOME_NET any -> [134.65.48.134] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209626; rev:1;) alert tcp $HOME_NET any -> 
[141.94.69.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209564; rev:1;) alert tcp $HOME_NET any -> [68.183.56.78] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chateau-saint-benoit.89-163-255-130.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.usagers.antai.webgouv.fr.89-163-255-130.plesk.page"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209561; rev:1;) alert tcp $HOME_NET any -> [77.91.68.162] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209560; rev:1;) alert tcp $HOME_NET any -> [18.132.68.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209558; rev:1;) alert tcp $HOME_NET any -> [20.11.190.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209559; rev:1;) alert tcp $HOME_NET any -> [51.68.169.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209557; rev:1;) alert tcp $HOME_NET any -> [123.249.114.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209556; rev:1;) alert tcp $HOME_NET any -> [52.136.192.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209555; rev:1;) alert tcp $HOME_NET any -> [47.120.50.234] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209554; rev:1;) alert tcp 
$HOME_NET any -> [205.234.233.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209553; rev:1;) alert tcp $HOME_NET any -> [145.239.99.234] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209552; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 15448 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209549; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 15448 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209548; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 15448 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209547; rev:1;) alert tcp $HOME_NET any -> [8.219.229.99] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209546/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209546; rev:1;) alert tcp $HOME_NET any -> [146.185.243.4] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209545/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209545; rev:1;) alert tcp $HOME_NET any -> [212.118.39.73] 15649 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209544; rev:1;) alert tcp $HOME_NET any -> [62.234.54.38] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baidusec.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esg.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel"; depth:6; nocase; http.host; content:"baidusec.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsf.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel"; depth:6; nocase; http.host; content:"esg.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"dsf.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"dns.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1209535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faq"; depth:4; nocase; http.host; content:"biaozhu.baidusec.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biaozhu.baidusec.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209534; rev:1;) alert tcp $HOME_NET any -> [185.174.135.12] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209532/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209532; rev:1;) alert tcp $HOME_NET any -> [168.100.11.156] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209531/; target:src_ip; metadata: confidence_level 75, first_seen 
2023_12_04; classtype:trojan-activity; sid:91209531; rev:1;) alert tcp $HOME_NET any -> [4.240.60.121] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209530; rev:1;) alert tcp $HOME_NET any -> [80.85.241.169] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209528/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wriggleregisterycos.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209527; rev:1;) alert tcp $HOME_NET any -> [208.85.19.189] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swf.help.karachihelpdesk.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209525; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.help.karachihelpdesk.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"check.help.karachihelpdesk.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209523; rev:1;) alert tcp $HOME_NET any -> [116.211.120.25] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.h1ck0r.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slantrearperiosdew.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209520; rev:1;) alert tcp $HOME_NET any -> [193.233.132.4] 62111 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209519; rev:1;) alert tcp $HOME_NET any -> [91.92.248.48] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209518/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209518; rev:1;) alert tcp $HOME_NET any -> [91.92.108.8] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209517/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209517; rev:1;) alert tcp $HOME_NET any -> [161.129.47.59] 54980 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209516; rev:1;) alert tcp $HOME_NET any -> [39.40.147.178] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209515/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"101.43.109.197"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209514; rev:1;) alert tcp $HOME_NET any -> [188.54.103.199] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209513/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209513; rev:1;) alert tcp $HOME_NET any -> [78.101.93.137] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209512/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209512; rev:1;) alert tcp $HOME_NET any -> [112.29.177.36] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209511/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209511; rev:1;) alert tcp $HOME_NET any -> [112.29.180.12] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209510/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209509; rev:1;) alert tcp $HOME_NET any -> [13.49.166.101] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209508/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209508; rev:1;) alert tcp $HOME_NET any -> [13.49.166.101] 7443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209507/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/03/29136388_"; depth:45; nocase; http.host; content:"111.229.142.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"186.64.113.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209505; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209504/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_12_04; classtype:trojan-activity; sid:91209504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"payfrecklematurei.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209503; rev:1;) alert tcp $HOME_NET any -> [217.182.8.47] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209502/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternaljslowprocessflowergeneratordownloads.php"; depth:48; nocase; http.host; content:"666541cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209501; rev:1;) alert tcp $HOME_NET any -> [8.219.229.99] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209500/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citrix-update.centralus.cloudapp.azure.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1209499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2021/10/hufypdbs3hyqcs4s3"; depth:53; nocase; http.host; content:"citrix-update.centralus.cloudapp.azure.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hainanwctvme.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"www.hainanwctvme.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209495; rev:1;) alert tcp $HOME_NET any -> 
[146.190.8.159] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209494; rev:1;) alert tcp $HOME_NET any -> [146.190.8.159] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209493; rev:1;) alert tcp $HOME_NET any -> [212.233.123.175] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209492; rev:1;) alert tcp $HOME_NET any -> [206.237.26.222] 28443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209490; rev:1;) alert tcp $HOME_NET any -> [216.107.136.231] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209491; rev:1;) alert tcp $HOME_NET any -> [123.249.114.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209489; rev:1;) alert tcp $HOME_NET any -> [43.136.218.157] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209487; rev:1;) alert tcp $HOME_NET any -> [8.134.178.243] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209488; rev:1;) alert tcp $HOME_NET any -> [52.192.163.129] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209486; rev:1;) alert tcp $HOME_NET any -> [43.138.66.190] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209485; rev:1;) alert tcp $HOME_NET any -> [4.156.171.17] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209484; rev:1;) alert tcp $HOME_NET any -> [43.129.198.242] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209482; rev:1;) alert tcp $HOME_NET any -> [115.159.50.50] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209483; rev:1;) alert tcp $HOME_NET any -> [38.207.176.34] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209481; rev:1;) alert tcp $HOME_NET any -> [3.16.163.134] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209480; rev:1;) alert tcp $HOME_NET any -> [3.144.104.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209478; rev:1;) alert tcp $HOME_NET any -> [13.234.231.99] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209479/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209479; rev:1;) alert tcp $HOME_NET any -> [128.199.19.163] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209477; rev:1;) alert tcp $HOME_NET any -> [128.199.19.163] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209475; rev:1;) alert tcp $HOME_NET any -> [128.199.19.163] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209476; rev:1;) alert tcp $HOME_NET any -> [119.91.207.9] 65522 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209473; rev:1;) alert tcp $HOME_NET any -> [139.59.140.134] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209474; rev:1;) alert tcp $HOME_NET any -> [119.91.207.9] 65521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209472; rev:1;) alert tcp $HOME_NET any -> [107.174.246.20] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209471; rev:1;) alert tcp $HOME_NET any -> [3.65.214.164] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209470; rev:1;) alert tcp $HOME_NET any -> [149.28.243.22] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209469; rev:1;) alert tcp $HOME_NET any -> [149.28.243.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209468; rev:1;) alert tcp $HOME_NET any -> [43.130.60.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209467/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_04; classtype:trojan-activity; sid:91209467; rev:1;) alert tcp $HOME_NET any -> [47.120.37.45] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209465; rev:1;) alert tcp $HOME_NET any -> [68.183.68.212] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209466; rev:1;) alert tcp $HOME_NET any -> [107.174.242.71] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209463; rev:1;) alert tcp $HOME_NET any -> [8.130.96.218] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guiro.pesca.jordiololab.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209462; rev:1;) alert tcp $HOME_NET any -> [39.99.255.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209460; rev:1;) alert tcp $HOME_NET any -> [149.104.22.151] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209461; rev:1;) alert tcp $HOME_NET any -> [47.243.236.236] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209458; rev:1;) alert tcp $HOME_NET any -> [194.36.209.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209459; rev:1;) alert tcp $HOME_NET any -> [47.243.236.236] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209457; rev:1;) alert tcp $HOME_NET any -> [39.100.78.64] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209456; rev:1;) alert tcp $HOME_NET any -> [39.100.78.64] 8077 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209455; rev:1;) alert tcp $HOME_NET any -> [85.209.176.237] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209454; rev:1;) alert tcp $HOME_NET any -> [85.209.176.237] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209453; rev:1;) alert tcp $HOME_NET any -> [45.136.15.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209452; rev:1;) alert tcp $HOME_NET any -> [103.68.193.54] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209450; rev:1;) alert tcp $HOME_NET any -> [64.69.41.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209451; rev:1;) alert tcp $HOME_NET any -> [47.116.41.191] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209449; rev:1;) alert tcp $HOME_NET any -> [162.14.109.90] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209447; rev:1;) alert tcp $HOME_NET any -> [42.192.111.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209448; rev:1;) alert tcp $HOME_NET any -> [91.92.250.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209446; rev:1;) alert tcp $HOME_NET any -> [121.40.254.24] 8724 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209444; rev:1;) alert tcp 
$HOME_NET any -> [112.116.205.147] 2255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209445; rev:1;) alert tcp $HOME_NET any -> [118.31.36.3] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209443; rev:1;) alert tcp $HOME_NET any -> [124.220.50.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209442; rev:1;) alert tcp $HOME_NET any -> [117.50.47.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209440; rev:1;) alert tcp $HOME_NET any -> [121.36.207.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209441; rev:1;) alert tcp $HOME_NET any -> [141.255.159.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209439; rev:1;) alert tcp $HOME_NET any -> [140.82.23.48] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209437; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209438; rev:1;) alert tcp $HOME_NET any -> [121.41.107.20] 12346 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209436; rev:1;) alert tcp $HOME_NET any -> [3.71.107.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209434; rev:1;) alert tcp $HOME_NET any -> [103.148.244.90] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209435; rev:1;) alert tcp $HOME_NET any -> [193.222.96.34] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209433; rev:1;) alert tcp $HOME_NET any -> [43.134.57.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209432; rev:1;) alert tcp $HOME_NET any -> [192.210.243.203] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209431; rev:1;) alert tcp $HOME_NET any -> [147.78.47.226] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209429; rev:1;) alert tcp $HOME_NET any -> [106.75.107.243] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209430; rev:1;) alert tcp $HOME_NET any -> [103.234.72.93] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209427/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209427; rev:1;) alert tcp $HOME_NET any -> [121.40.69.150] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209428; rev:1;) alert tcp $HOME_NET any -> [81.71.15.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209426; rev:1;) alert tcp $HOME_NET any -> [98.70.26.139] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209424; rev:1;) alert tcp $HOME_NET any -> [124.221.17.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209425; rev:1;) alert tcp $HOME_NET any -> [8.138.101.84] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"aios.yunibobo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.guiro.pesca.jordiololab.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"53.85.92.34.bc.googleusercontent.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209420; rev:1;) alert tcp $HOME_NET any -> [154.12.23.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-204-122-201.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guoyashuai.top"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209418; rev:1;) alert tcp $HOME_NET any -> [154.23.141.34] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209416/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolb.wingsofmine.uk"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209415; rev:1;) alert tcp $HOME_NET any -> [77.92.146.147] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hungry-wu.89-163-255-130.plesk.page"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209414; rev:1;) alert tcp $HOME_NET any -> [91.92.251.79] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-53-125-231.eu-north-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209410; rev:1;) alert tcp $HOME_NET any -> [188.40.15.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.practical-bardeen.89-163-255-130.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.compassionate-saha.89-163-255-130.plesk.page"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77-92-146-147.rdns.internetsahibi.org"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209405; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dazzling-mclean.89-163-255-130.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-07e00eb8.vps.ovh.ca"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209407; rev:1;) alert tcp $HOME_NET any -> [24.144.89.120] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"compassionate-saha.89-163-255-130.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fatimafoods.co.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"vmi1514776.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cvc.ptechconsult.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priceless-lamport.91-215-85-177.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mystifying-noyce.89-163-255-130.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.103-61-224-87.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"172-104-207-197.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209397; rev:1;) alert tcp $HOME_NET any -> [45.131.2.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209394; rev:1;) alert tcp $HOME_NET any -> [91.92.251.8] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209395; rev:1;) alert tcp $HOME_NET any -> [162.19.175.57] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209393; rev:1;) alert tcp $HOME_NET any -> [146.190.163.104] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209392; rev:1;) alert tcp $HOME_NET any -> [43.136.218.157] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; 
sid:91209391; rev:1;) alert tcp $HOME_NET any -> [43.143.7.85] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209390; rev:1;) alert tcp $HOME_NET any -> [124.223.17.162] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209389; rev:1;) alert tcp $HOME_NET any -> [144.34.180.85] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209387; rev:1;) alert tcp $HOME_NET any -> [146.56.213.230] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209388; rev:1;) alert tcp $HOME_NET any -> [49.113.74.182] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209386; rev:1;) alert tcp $HOME_NET any -> [45.145.229.19] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209385; rev:1;) alert tcp $HOME_NET any -> [27.9.166.52] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209383; rev:1;) alert tcp $HOME_NET any -> [49.113.79.95] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209384; rev:1;) alert tcp $HOME_NET any -> [185.179.216.11] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209382; rev:1;) alert tcp $HOME_NET any -> [8.134.36.228] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209381; rev:1;) alert tcp $HOME_NET any -> [172.245.5.171] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209380; rev:1;) alert tcp $HOME_NET any -> [154.91.196.116] 60000 (msg:"ThreatFox Viper RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209379; rev:1;) alert tcp $HOME_NET any -> [137.184.220.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209378/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_04; classtype:trojan-activity; sid:91209378; rev:1;) alert tcp $HOME_NET any -> [180.156.240.252] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209377; rev:1;) alert tcp $HOME_NET any -> [110.43.39.69] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209376; rev:1;) alert tcp $HOME_NET any -> [39.98.42.55] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209375; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209374/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209374; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209373/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_04; classtype:trojan-activity; sid:91209373; rev:1;) alert tcp $HOME_NET any -> [3.91.231.34] 8083 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209372/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_04; classtype:trojan-activity; sid:91209372; rev:1;) alert tcp $HOME_NET any -> [80.208.221.140] 82 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209371; rev:1;) alert tcp $HOME_NET any -> [209.222.18.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209370/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_04; classtype:trojan-activity; sid:91209370; rev:1;) alert tcp $HOME_NET any -> [52.4.12.90] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209368; rev:1;) alert tcp $HOME_NET any -> [34.202.112.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1209369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-204-40-27.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-198-148-77.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-86-130-105.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-220-60-95.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-206-84-200.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1209364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209364; rev:1;) alert tcp $HOME_NET any -> [162.33.178.82] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209362; rev:1;) alert tcp $HOME_NET any -> [171.232.3.175] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209361; rev:1;) alert tcp $HOME_NET any -> [171.232.3.175] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209360; rev:1;) alert tcp $HOME_NET any -> [91.92.248.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209359; rev:1;) alert tcp $HOME_NET any -> [180.184.74.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209358; rev:1;) alert tcp $HOME_NET any -> [118.89.88.241] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"99.177.67.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209355; rev:1;) alert tcp $HOME_NET any -> [154.38.167.90] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209356; rev:1;) alert tcp $HOME_NET any -> [110.50.87.237] 85 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209354; rev:1;) alert tcp $HOME_NET any -> [82.147.85.246] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209353; rev:1;) alert tcp $HOME_NET any -> [91.92.251.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209352; rev:1;) alert tcp $HOME_NET any -> [95.46.107.25] 23731 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209351; rev:1;) alert tcp $HOME_NET any -> [111.90.143.37] 1888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209350; rev:1;) alert tcp $HOME_NET any -> [192.121.102.21] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209349; rev:1;) alert tcp $HOME_NET any -> [191.82.204.28] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209347; rev:1;) alert tcp $HOME_NET any -> [154.9.254.21] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209348; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 76 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209346; rev:1;) alert tcp $HOME_NET any -> [91.92.244.16] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209344; rev:1;) alert tcp $HOME_NET any -> [91.92.244.16] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209345; rev:1;) alert tcp $HOME_NET any -> [88.229.10.198] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209343; rev:1;) alert tcp $HOME_NET any -> [5.249.161.42] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209341; rev:1;) alert tcp $HOME_NET any -> [88.229.10.198] 3004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209342; rev:1;) alert tcp $HOME_NET any -> [193.149.176.5] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209340; rev:1;) alert tcp $HOME_NET any -> [193.149.176.5] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209339; rev:1;) alert tcp $HOME_NET any -> [91.109.178.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209338; rev:1;) alert tcp $HOME_NET any -> [141.255.146.81] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209336; rev:1;) alert tcp $HOME_NET any -> [141.255.159.47] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209337; rev:1;) alert tcp $HOME_NET any -> [141.255.144.96] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1209335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"95-165-99-74.static.spd-mgts.ru"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kztime.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiipo.com.ht-hldrotermica.com.br"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; 
http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.131.118.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.96.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.138.66.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209326/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91209326; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for this batch (every entry below is first_seen 2023_12_04, rev:1)
# * The "ip:port" entries are bare `alert tcp` rules: no `flow:` keyword and no
#   content match, so they fire on the first packet $HOME_NET sends toward the
#   listed IP:port -- a SYN from an internal scanner or a retransmit is enough.
#   `threshold: type limit, track by_src, seconds 60, count 1` only caps output
#   to one alert per source per minute; it adds no confirmation of the session.
#   `target:src_ip` marks the $HOME_NET side as the victim in EVE output.
# * The feed records first_seen but no expiry. IP IOCs on hosting ranges get
#   reassigned, so age these out on your own schedule rather than keeping them
#   at rev:1 indefinitely.
# * Entries with confidence_level 50/75/80 in metadata (mirrored in the msg
#   text) should be alert-only; verify before turning any of them into drops.
# * "domain" entries anchor the dns_query buffer at both ends (depth:N plus
#   isdataat:!1,relative), so only the exact FQDN matches; lookups of www. or
#   any other subdomain of the same zone will NOT fire.
# * "url" entries match the http.host exactly (depth + isdataat) but the
#   http.uri only as a prefix (depth, no isdataat), so a longer path or a query
#   string under the same prefix still matches. The lowercase URI content relies
#   on `nocase`; the on-wire path may be mixed case.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209324; rev:1;)
# 75% confidence, tcp/23: any telnet session from $HOME_NET to this IP fires.
# The same IP is listed again at 100% on tcp/562 (sid 91209319) just below.
alert tcp $HOME_NET any -> [91.92.244.25] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209323/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209323; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.156] 65281 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209304/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209304; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.25] 562 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.up.karachihelpdesk.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209322; rev:1;)
# One IP, three ports for the same family; only the :8808 entry (sid 91209318)
# is at 100%, the :6606 and :7707 entries are 75%.
alert tcp $HOME_NET any -> [193.222.96.19] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209320/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209320; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.19] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209321/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209321; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.19] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.236.70.51"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"1.14.92.24"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209316; rev:1;)
# confidence_level 50 -- the lowest in this batch; alert-only, do not block on it.
alert tcp $HOME_NET any -> [85.192.63.240] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209315/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209315; rev:1;)
# The same sqlite3.dll URI is served from four hosts; all four IPs reappear
# below as Raccoon ip:port entries on tcp/80 (sids 91209305-91209308).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"23.227.196.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"94.103.93.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"193.233.132.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209312; rev:1;)
# URI "/" with depth:1 and no isdataat is a prefix match: this fires on EVERY
# GET to 94.103.93.70 (sid 91209309 below does the same for 23.227.196.198).
# It overlaps the tcp/80 ip:port entries for the same IPs but carries no
# threshold, so it alerts once per request rather than once per minute.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.103.93.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"178.20.41.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.227.196.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209309; rev:1;)
alert tcp $HOME_NET any -> [178.20.41.15] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209305; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.15] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209306; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.198] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209307; rev:1;)
alert tcp $HOME_NET any -> [94.103.93.70] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209308; rev:1;)
# NOTE(review): the host looks like a per-customer subdomain under a hosting
# provider's zone (xsph.ru; likewise cs58019.tw1.ru further down) -- the exact
# host match keeps this narrow; do not widen it to the parent zone. Unverified.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0888474.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209303; rev:1;)
# 80% confidence on tcp/443: any TLS connection to this IP fires; the rule has
# no certificate/JA3/SNI condition to narrow it.
alert tcp $HOME_NET any -> [39.104.57.145] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209302/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209302; rev:1;)
alert tcp $HOME_NET any -> [65.109.217.186] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209301; rev:1;)
alert tcp $HOME_NET any -> [18.184.135.86] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209300/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythongeoflowergeneratortrackdatalifewpcdncentral.php"; depth:54; nocase; http.host; content:"004242cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209299; rev:1;)
# Hook C2 batch on tcp/80 (sids 91209285-91209296). Two of these IPs
# (45.82.70.104, 94.228.168.172) are listed again on tcp/8082 below.
alert tcp $HOME_NET any -> [77.91.68.167] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209285; rev:1;)
alert tcp $HOME_NET any -> [143.198.10.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209286; rev:1;)
alert tcp $HOME_NET any -> [103.214.173.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209287; rev:1;)
alert tcp $HOME_NET any -> [172.208.121.27] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209288; rev:1;)
alert tcp $HOME_NET any -> [193.176.190.186] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209289; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.172] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209290; rev:1;)
alert tcp $HOME_NET any -> [95.181.173.244] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209291; rev:1;)
alert tcp $HOME_NET any -> [89.163.255.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209292; rev:1;)
alert tcp $HOME_NET any -> [172.104.207.197] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209293; rev:1;)
alert tcp $HOME_NET any -> [45.82.70.104] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209294; rev:1;)
alert tcp $HOME_NET any -> [162.0.238.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209295; rev:1;)
alert tcp $HOME_NET any -> [159.69.77.234] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209296; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.229] 8302 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209298/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209298; rev:1;)
# Payload-delivery pair: the two URI paths (/a3a7qlvn, /feov2v/) recur verbatim
# on getwiththelingo.com below (sids 91209239/91209238). NOTE(review): if these
# are compromised legitimate sites rather than attacker-registered domains, the
# domain entry (sid 91209282) flags every lookup of the zone; consider keeping
# the domain entry alert-only and blocking on the URL entries. Unverified --
# check the linked IOC references before deciding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"marybskitchen.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"marybskitchen.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"marybskitchen.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209282; rev:1;)
# Hook C2 batch on tcp/8082 (sids 91209250-91209281). 45.82.70.104 (sid
# 91209264) and 94.228.168.172 (sid 91209275) also appear on tcp/80 above.
alert tcp $HOME_NET any -> [15.235.140.12] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209250; rev:1;)
alert tcp $HOME_NET any -> [45.76.188.227] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209251; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.66] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209252; rev:1;)
alert tcp $HOME_NET any -> [62.72.46.59] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209253; rev:1;)
alert tcp $HOME_NET any -> [63.250.36.134] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209254; rev:1;)
alert tcp $HOME_NET any -> [77.91.68.164] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209255; rev:1;)
alert tcp $HOME_NET any -> [77.91.78.246] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209256; rev:1;)
alert tcp $HOME_NET any -> [79.137.199.14] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209257; rev:1;)
alert tcp $HOME_NET any -> [80.66.85.142] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209258; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.230] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209259; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.79] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209260; rev:1;)
alert tcp $HOME_NET any -> [158.220.117.55] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209261; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.44] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209262; rev:1;)
alert tcp $HOME_NET any -> [40.76.124.5] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209263; rev:1;)
alert tcp $HOME_NET any -> [62.146.226.39] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209265; rev:1;)
alert tcp $HOME_NET any -> [85.198.9.7] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209266; rev:1;)
alert tcp $HOME_NET any -> [45.82.70.104] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209264; rev:1;)
alert tcp $HOME_NET any -> [88.198.83.21] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209267; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.41] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209268; rev:1;)
alert tcp $HOME_NET any -> [89.23.103.79] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209269; rev:1;)
alert tcp $HOME_NET any -> [89.23.113.67] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209270; rev:1;)
alert tcp $HOME_NET any -> [89.23.113.110] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209271; rev:1;)
alert tcp $HOME_NET any -> [91.215.85.58] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209272; rev:1;)
alert tcp $HOME_NET any -> [91.215.85.186] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209273; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.29] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209274; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.172] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209275; rev:1;)
alert tcp $HOME_NET any -> [104.248.168.233] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209276; rev:1;)
alert tcp $HOME_NET any -> [149.100.138.162] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209277; rev:1;)
alert tcp $HOME_NET any -> [172.174.144.147] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209278; rev:1;)
alert tcp $HOME_NET any -> [172.178.83.46] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209279; rev:1;)
alert tcp $HOME_NET any -> [172.190.120.239] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209280; rev:1;)
alert tcp $HOME_NET any -> [203.161.62.205] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209281; rev:1;)
# Cobalt Strike entries: the 80% ones (sids 91209249, 91209248) are bare
# ip:port matches with no beacon/profile content; alert-only.
alert tcp $HOME_NET any -> [47.113.186.167] 9191 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209249/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209249; rev:1;)
alert tcp $HOME_NET any -> [139.59.140.134] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209248/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209248; rev:1;)
alert tcp $HOME_NET any -> [43.134.57.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unzip2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"unzip2.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209245; rev:1;)
# 45.134.225.243 is covered twice: tcp/80 ip:port (sid 91209244) and the
# URL entry for GET /ptj on the same host (sid 91209243).
alert tcp $HOME_NET any -> [45.134.225.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.134.225.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/365c1d12.php"; depth:13; nocase; http.host; content:"185.242.86.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209242; rev:1;)
# NOTE(review): cs58019.tw1.ru looks like a per-customer hosting subdomain;
# keep the exact host match, do not widen to tw1.ru. Unverified.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cs58019.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209241; rev:1;)
# 80% confidence on tcp/443: any TLS connection to this IP fires; no
# certificate/JA3/SNI condition narrows it.
alert tcp $HOME_NET any -> [94.156.71.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209240/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209240; rev:1;)
# Second payload-delivery domain carrying the same /a3a7qlvn and /feov2v/
# paths as marybskitchen.com above; same caveat about the domain entry
# (sid 91209237) applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"getwiththelingo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"getwiththelingo.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"getwiththelingo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209237; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.170] 6657 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209236/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209236; rev:1;)
alert tcp $HOME_NET any -> [212.113.116.63] 37334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209235; rev:1;)
alert tcp $HOME_NET any -> [115.159.50.50] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209234/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209234; rev:1;)
# 80%-confidence URL group: five hosts share /yjm0ywmzzjq5yzqz/ (sids
# 91209123-91209127), one uses /ztzkntjjntkwyzk3/ and three share
# /cfk3ulgyps7nns81/ (sids 91209129-91209131). The URI is a prefix match,
# so anything under that directory on the named host fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm0ywmzzjq5yzqz/"; depth:18; nocase; http.host; content:"kalplerderyakadardan.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209123/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm0ywmzzjq5yzqz/"; depth:18; nocase; http.host; content:"ahvahetmegelkalda.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209124/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm0ywmzzjq5yzqz/"; depth:18; nocase; http.host; content:"sybrailevip.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209125/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm0ywmzzjq5yzqz/"; depth:18; nocase; http.host; content:"kalkgelsybradan.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209126/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm0ywmzzjq5yzqz/"; depth:18; nocase; http.host; content:"kamalaktandagel.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209127/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"bukoshmuko.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209128/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfk3ulgyps7nns81/"; depth:18; nocase; http.host; content:"cmdtoorocto.com.tr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209129/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfk3ulgyps7nns81/"; depth:18; nocase; http.host; content:"auxtoorocto.com.tr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209130/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfk3ulgyps7nns81/"; depth:18; nocase; http.host; content:"auxocto.com.tr"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209131/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8djmsaxa/login.php"; depth:20; nocase; http.host; content:"80.66.75.214"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209225; rev:1;)
# URI "/api" with depth:4 is a prefix: /api, /api/..., and /apixyz on this
# host all match. Host is exact, so the scope is still one FQDN.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chairtrainlineadju.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209200; rev:1;)
alert tcp $HOME_NET any -> [14.225.211.141] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209194/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209194; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"bolo.lmanber.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209195/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bebrik.php"; depth:11; nocase; http.host; content:"89.208.107.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"btldinc7.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8samsa2/login.php"; depth:19; nocase; http.host; content:"77.91.76.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u6vhsc3ppq/login.php"; depth:21; nocase; http.host; content:"185.196.8.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; 
classtype:trojan-activity; sid:91209227; rev:1;) alert tcp $HOME_NET any -> [139.59.40.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209233/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209233; rev:1;) alert tcp $HOME_NET any -> [77.103.140.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209232/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209232; rev:1;) alert tcp $HOME_NET any -> [24.199.125.30] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209231/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209231; rev:1;) alert tcp $HOME_NET any -> [88.119.171.56] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209230/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209230; rev:1;) alert tcp $HOME_NET any -> [167.235.132.231] 39501 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209229; rev:1;) alert tcp $HOME_NET any -> [49.13.57.52] 2053 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209228/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_04; classtype:trojan-activity; sid:91209228; rev:1;) alert tcp $HOME_NET any -> [135.181.13.134] 8395 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209226; rev:1;) alert tcp $HOME_NET any -> [3.115.50.227] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209223/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209223; rev:1;) alert tcp $HOME_NET any -> [95.164.46.54] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209222/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209222; rev:1;) alert tcp $HOME_NET any -> [45.137.22.69] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209221; rev:1;) alert tcp $HOME_NET any -> [108.59.194.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209219/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_04; classtype:trojan-activity; sid:91209219; rev:1;) alert tcp $HOME_NET any -> [91.92.251.203] 4510 (msg:"ThreatFox 
Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209218; rev:1;) alert tcp $HOME_NET any -> [91.92.251.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209217; rev:1;) alert tcp $HOME_NET any -> [185.157.162.241] 1303 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209216/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"atillapro.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209215/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_04; classtype:trojan-activity; sid:91209215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azo/index.php"; depth:14; nocase; http.host; content:"globalcitydelivery.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.113.191.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.151.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"146.190.8.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209211; rev:1;) alert tcp $HOME_NET any -> [101.200.37.16] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.200.37.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209209/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_04; classtype:trojan-activity; sid:91209209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"94.156.71.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_04; classtype:trojan-activity; sid:91209208; rev:1;) alert tcp $HOME_NET any -> [45.87.61.156] 8899 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209207; rev:1;) alert tcp $HOME_NET any -> [41.109.90.34] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209206/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209206; rev:1;) alert tcp $HOME_NET any -> [5.146.45.129] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209205/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"111.230.47.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; 
classtype:trojan-activity; sid:91209204; rev:1;) alert tcp $HOME_NET any -> [206.189.113.118] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/fk/b4zao0sj2"; depth:18; nocase; http.host; content:"157.245.28.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.41.107.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"buffettrickopsd.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; 
http.host; content:"easyloanbazzar.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"easyloanbazzar.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"easyloanbazzar.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.70.187.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209192; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.34.222.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209189; rev:1;) alert tcp $HOME_NET any -> [18.209.36.79] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.electric-coop.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209187/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.electric-coop.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"greatesttreatise.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"greatesttreatise.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"greatesttreatise.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; 
http.host; content:"128.199.153.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209181; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 19220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209180; rev:1;) alert tcp $HOME_NET any -> [124.222.82.248] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209179/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209179; rev:1;) alert tcp $HOME_NET any -> [82.205.93.170] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209178/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209178; rev:1;) alert tcp $HOME_NET any -> [217.165.234.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209177/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209177; rev:1;) alert tcp $HOME_NET any -> [175.110.202.232] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209176/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209176; rev:1;) alert tcp $HOME_NET any -> [90.75.186.255] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209175/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209175; rev:1;) alert tcp $HOME_NET any -> [45.89.55.81] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209174/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209174; rev:1;) alert tcp $HOME_NET any -> [178.62.57.69] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209173/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209173; rev:1;) alert tcp $HOME_NET any -> [108.51.80.70] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209172/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209172; rev:1;) alert tcp $HOME_NET any -> [104.238.35.85] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209171/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209171; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 6136 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209170/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209170; rev:1;) alert tcp $HOME_NET any -> [180.184.74.248] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209169/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209169; rev:1;) alert tcp $HOME_NET any -> [148.72.247.39] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209168/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209168; rev:1;) alert tcp $HOME_NET any -> [13.115.223.29] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209167/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209167; rev:1;) alert tcp $HOME_NET any -> [141.255.153.30] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"t3terncy.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209165; rev:1;) alert tcp $HOME_NET any -> [83.213.157.103] 5555 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209164; rev:1;) alert tcp $HOME_NET any -> [2.57.149.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209162/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"116.204.122.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209122/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_03; classtype:trojan-activity; sid:91209122; rev:1;) alert tcp $HOME_NET any -> [200.232.236.60] 4448 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209121; rev:1;) alert tcp $HOME_NET any -> [3.93.178.75] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209120/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepythonjavascriptbigloadprotectflowercentral.php"; depth:52; nocase; http.host; content:"213.159.208.250"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209119; rev:1;) alert tcp $HOME_NET any -> [141.255.159.83] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209118/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209118; rev:1;) alert tcp $HOME_NET any -> [122.54.105.164] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209117/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"149.28.243.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209116; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"149.28.243.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209115; rev:1;) alert tcp $HOME_NET any -> [196.51.37.139] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209114/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sad.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sae.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahm.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"edd.trickip.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sed.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saa.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahamedalatir.fartit.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahamedalatirr.fartit.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cds.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1209093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sah.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chm.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sca.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"swh.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shv.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; 
classtype:trojan-activity; sid:91209098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"she.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahamedalati.fartit.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahw.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edd.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shm.onmypc.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"edh.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdn.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sha.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scw.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sch.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdl.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1209109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cse.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eda.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahe.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssd.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edla.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; 
classtype:trojan-activity; sid:91209071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e-h-r-a-z-14.trickip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssh.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e-h-r-a-z-13.trickip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eds.dumb1.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssn.dumb1.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"shamedalatirs.dnset.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sea.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edr.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edli.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e-b-d.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shm.jetos.com"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1209082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sham.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shaa.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssb.onmypc.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahamedalato.ftp1.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bza.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; 
classtype:trojan-activity; sid:91209087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"saha.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209088; rev:1;) alert tcp $HOME_NET any -> [103.13.211.211] 40993 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209066; rev:1;) alert tcp $HOME_NET any -> [193.233.132.4] 26066 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209065; rev:1;) alert tcp $HOME_NET any -> [45.15.156.127] 48665 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209051; rev:1;) alert tcp $HOME_NET any -> [2.56.247.173] 33605 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"admplous.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baitbillioledbel.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209064; rev:1;) alert tcp $HOME_NET any -> [180.184.74.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209062/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209062; rev:1;) alert tcp $HOME_NET any -> [5.42.65.34] 25530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209060; rev:1;) alert tcp $HOME_NET any -> [193.233.132.4] 1285 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"89.208.107.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209058; rev:1;) alert tcp $HOME_NET any -> [3.67.9.189] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209057/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209057; rev:1;) alert tcp $HOME_NET any -> [35.153.249.112] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209056/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"149.28.243.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/owa/"; depth:15; nocase; http.host; content:"101.43.45.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/zh02adm3fswt6k4vzbl8lb09"; depth:35; nocase; http.host; content:"178.128.238.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209053; rev:1;) alert tcp $HOME_NET any -> [94.130.51.115] 15648 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209052; rev:1;) alert tcp $HOME_NET any -> [34.118.166.49] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209050/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serversqlbaseasync.php"; depth:23; nocase; http.host; content:"491061cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209049; rev:1;) alert tcp $HOME_NET any -> [88.229.10.198] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209048/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209048; rev:1;) alert tcp $HOME_NET any -> [23.95.44.73] 3306 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209047/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209047; rev:1;) alert tcp $HOME_NET any -> [154.247.87.209] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209046/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209046; rev:1;) alert tcp $HOME_NET any -> [79.107.150.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209045/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209045; rev:1;) alert tcp $HOME_NET any -> [95.215.108.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209044/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209044; rev:1;) alert tcp $HOME_NET any -> [5.161.118.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209043/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209043; rev:1;) alert tcp $HOME_NET any -> [13.215.227.78] 5532 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209042/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; 
classtype:trojan-activity; sid:91209042; rev:1;) alert tcp $HOME_NET any -> [112.29.180.43] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209041/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e78a6263.php"; depth:13; nocase; http.host; content:"a0889572.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209040; rev:1;) alert tcp $HOME_NET any -> [111.229.226.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209039/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209039; rev:1;) alert tcp $HOME_NET any -> [149.28.243.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209038/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209038; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 14627 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209037; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 14627 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209036; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 14627 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209035; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 14627 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209034; rev:1;) alert tcp $HOME_NET any -> [155.94.182.194] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209033/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.72.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209032/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_03; classtype:trojan-activity; sid:91209032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06642940.php"; depth:13; nocase; 
http.host; content:"a0890495.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_03; classtype:trojan-activity; sid:91209031; rev:1;) alert tcp $HOME_NET any -> [85.209.176.237] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209030/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_03; classtype:trojan-activity; sid:91209030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"smoothawarescreenyo.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209029; rev:1;) alert tcp $HOME_NET any -> [4.156.171.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"4.156.171.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/define/cookies/j7y8xv07bjq"; depth:27; nocase; http.host; content:"43.136.185.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209026; rev:1;) alert tcp $HOME_NET any -> [217.160.99.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar.css"; depth:17; nocase; http.host; content:"217.160.99.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209024; rev:1;) alert tcp $HOME_NET any -> [42.194.142.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209023; rev:1;) alert tcp $HOME_NET any -> [143.92.58.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"143.92.58.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lew09ujr-1307700818.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1209020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/path"; depth:5; nocase; http.host; content:"service-lew09ujr-1307700818.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1209019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91209019; rev:1;) alert tcp $HOME_NET any -> [95.217.51.145] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209018/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91209018; rev:1;) alert tcp $HOME_NET any -> [18.191.34.239] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209017/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91209017; rev:1;) alert tcp $HOME_NET any -> [193.149.129.202] 80 
(msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209016/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91209016; rev:1;) alert tcp $HOME_NET any -> [168.100.8.42] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209015/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91209015; rev:1;) alert tcp $HOME_NET any -> [122.114.26.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209014/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209014; rev:1;) alert tcp $HOME_NET any -> [141.255.144.167] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209013/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209013; rev:1;) alert tcp $HOME_NET any -> [141.255.146.60] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209012/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209012; rev:1;) alert tcp $HOME_NET any -> [186.13.27.61] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209011/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; 
classtype:trojan-activity; sid:91209011; rev:1;) alert tcp $HOME_NET any -> [74.12.146.185] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209010/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209010; rev:1;) alert tcp $HOME_NET any -> [37.59.239.17] 445 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209009/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209009; rev:1;) alert tcp $HOME_NET any -> [64.176.164.102] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209008/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209008; rev:1;) alert tcp $HOME_NET any -> [198.176.59.64] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209007/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209007; rev:1;) alert tcp $HOME_NET any -> [142.202.205.35] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209006/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209006; rev:1;) alert tcp $HOME_NET any -> [184.100.144.58] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1209005/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209005; rev:1;) alert tcp $HOME_NET any -> [182.92.190.177] 11211 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209004/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209004; rev:1;) alert tcp $HOME_NET any -> [113.207.105.241] 17803 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209003/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91209003; rev:1;) alert tcp $HOME_NET any -> [80.66.66.40] 15647 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209002/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91209002; rev:1;) alert tcp $HOME_NET any -> [185.196.8.10] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209001/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91209001; rev:1;) alert tcp $HOME_NET any -> [208.76.222.168] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1209000/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91209000; rev:1;) alert tcp $HOME_NET any -> [38.47.221.193] 34368 (msg:"ThreatFox RedLine Stealer 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"media-talk.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"downloads.media-talk.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"koroshishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"koroshishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/"; depth:8; nocase; http.host; content:"koroshishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001228456341"; depth:22; nocase; http.host; content:"koroshishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001228456341"; depth:19; nocase; http.host; content:"koroshishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001228456341"; depth:19; nocase; http.host; content:"koroshishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koroshishere.site"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.71.158.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"128.199.70.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.56.194.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; 
sid:91208987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.116.198.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.249.9.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"115.159.64.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"s1.rsrc.eu.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.232.145.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.67.197.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.134.161.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1208978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.micknow.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"download.micknow.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"eas.cqivc.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"edu.hicomputing.huawei.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208974; rev:1;) alert tcp $HOME_NET any -> [193.233.132.51] 8081 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208973/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208973; rev:1;) alert tcp $HOME_NET any -> [52.34.61.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208972/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208972; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 19220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208970; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 19220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208969; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 19220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208968; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 19220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208967/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_12_02; classtype:trojan-activity; sid:91208967; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 19220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"193.37.71.56"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208961/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"193.37.71.56"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208962/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208962; rev:1;) alert tcp $HOME_NET any -> [193.37.71.56] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208963/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208963; rev:1;) alert tcp $HOME_NET any -> [80.66.89.151] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208964/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208964; rev:1;) alert tcp $HOME_NET any -> [213.248.43.99] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.151"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"80.66.89.151"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208956; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208957; rev:1;) alert tcp $HOME_NET any -> [134.175.127.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208955; rev:1;) alert tcp $HOME_NET any -> [123.206.29.183] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208954/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208954; rev:1;) alert tcp $HOME_NET any -> [14.225.19.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208953/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208953; rev:1;) alert tcp $HOME_NET any -> [103.148.113.54] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208952/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208952; rev:1;) alert tcp $HOME_NET any -> [95.216.54.251] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208951/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208951; rev:1;) alert tcp $HOME_NET any -> [193.233.132.51] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"sabgggsabggg.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208882/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"sabgggsabgggsabggg.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208883/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"nisiqnisiq.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208884/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208884; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"fujetgue.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208880/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"xijunggao.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208881/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208881; rev:1;) alert tcp $HOME_NET any -> [191.55.155.244] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"fujevvvtgue.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208879/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nodetecton.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1208866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"abgggpoh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208885/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208885; rev:1;) alert tcp $HOME_NET any -> [91.92.252.214] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208923/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208923; rev:1;) alert tcp $HOME_NET any -> [203.25.119.141] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208947/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208947; rev:1;) alert tcp $HOME_NET any -> [23.94.168.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208946/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208946; rev:1;) alert tcp $HOME_NET any -> [154.242.81.6] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208945/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; 
classtype:trojan-activity; sid:91208945; rev:1;) alert tcp $HOME_NET any -> [93.210.174.102] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208944/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208944; rev:1;) alert tcp $HOME_NET any -> [188.54.108.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208943/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208943; rev:1;) alert tcp $HOME_NET any -> [99.235.85.4] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208942/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208942; rev:1;) alert tcp $HOME_NET any -> [54.218.96.28] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208941/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208941; rev:1;) alert tcp $HOME_NET any -> [18.191.149.233] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208940/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208940; rev:1;) alert tcp $HOME_NET any -> [147.182.230.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208939/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208939; rev:1;) alert tcp $HOME_NET any -> [198.176.59.64] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208938/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208938; rev:1;) alert tcp $HOME_NET any -> [146.56.179.219] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208937/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208937; rev:1;) alert tcp $HOME_NET any -> [18.176.27.91] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208936/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"futuretechfarm.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208932/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"digtupu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208933/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"avblokhutten.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208934/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"szdeas.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208935/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_02; classtype:trojan-activity; sid:91208935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"remontisto.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208930/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"visioquote.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208931/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_02; classtype:trojan-activity; sid:91208931; rev:1;) alert tcp $HOME_NET any -> [178.9.171.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208929/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208929; rev:1;) alert tcp $HOME_NET any -> [43.139.151.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208928/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208928; rev:1;) alert tcp $HOME_NET any -> [149.210.41.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208927/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208927; rev:1;) alert tcp $HOME_NET any -> [101.33.250.143] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208926/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208926; rev:1;) alert tcp $HOME_NET any -> [2.58.113.190] 8080 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208925/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208925; rev:1;) alert tcp $HOME_NET any -> [146.190.8.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208924/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208924; rev:1;) alert tcp $HOME_NET any -> [54.234.19.243] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208922/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"175.178.111.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208921; rev:1;) alert tcp $HOME_NET any -> [15.157.75.90] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208920/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_02; classtype:trojan-activity; sid:91208920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"37.120.247.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_02; classtype:trojan-activity; sid:91208919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptpollwindowslocalcdn.php"; depth:40; nocase; http.host; content:"185.234.247.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208918; rev:1;) alert tcp $HOME_NET any -> [201.24.206.40] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208917/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollcpuupdatetempcdn.php"; depth:25; nocase; http.host; content:"740307cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208916; rev:1;) alert tcp $HOME_NET any -> [124.222.140.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.140.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2023/10/29136388_"; depth:45; nocase; http.host; content:"update.windows-beta.info"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"update.windows-beta.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"4.156.171.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208911; rev:1;) alert tcp $HOME_NET any -> [193.168.141.119] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208910/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_01; classtype:trojan-activity; sid:91208910; rev:1;) alert tcp $HOME_NET any -> [213.139.205.167] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208909/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_01; classtype:trojan-activity; sid:91208909; rev:1;) alert tcp $HOME_NET any -> [146.190.8.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208908; rev:1;) alert tcp $HOME_NET any -> [34.70.86.217] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208906; rev:1;) alert tcp $HOME_NET any -> [198.13.35.130] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208907; rev:1;) alert tcp $HOME_NET any -> [185.179.216.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208905; rev:1;) alert tcp $HOME_NET any -> [43.136.218.157] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208904; rev:1;) alert tcp $HOME_NET any -> [167.172.162.95] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208902; rev:1;) alert tcp $HOME_NET any -> [43.143.141.97] 3101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"github.guiro.pesca.jordiololab.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208901; rev:1;) alert tcp $HOME_NET any -> [8.222.248.214] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.sayid.pesca.jordiololab.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208900; rev:1;) alert tcp $HOME_NET any -> [62.234.45.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208898; rev:1;) alert tcp $HOME_NET any -> [77.91.78.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208897; rev:1;) alert tcp $HOME_NET any -> [13.53.125.231] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alextrucking.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208895; rev:1;) alert tcp $HOME_NET any -> [43.143.147.135] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208894; rev:1;) alert tcp $HOME_NET any -> [39.104.209.210] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208893; rev:1;) alert tcp $HOME_NET any -> [122.193.120.7] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208892; rev:1;) alert tcp $HOME_NET any -> [185.81.157.213] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208891; rev:1;) alert tcp $HOME_NET any -> [195.20.16.45] 8081 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208890; rev:1;) alert tcp $HOME_NET any -> [91.212.166.58] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208889; rev:1;) alert tcp $HOME_NET any -> [147.189.173.65] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208888; rev:1;) alert tcp $HOME_NET any -> [2.58.56.188] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208887; rev:1;) alert tcp $HOME_NET any -> [157.230.223.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208886; rev:1;) alert tcp $HOME_NET any -> [5.163.159.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208878/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_12_01; classtype:trojan-activity; sid:91208878; rev:1;) alert tcp $HOME_NET any -> [41.99.82.7] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208877/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208877; rev:1;) alert tcp $HOME_NET any -> [190.133.154.174] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208876/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208876; rev:1;) alert tcp $HOME_NET any -> [95.15.152.189] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208875/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208875; rev:1;) alert tcp $HOME_NET any -> [189.140.28.206] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208874/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208874; rev:1;) alert tcp $HOME_NET any -> [197.2.174.78] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208873/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208873; rev:1;) alert tcp $HOME_NET any -> [5.15.251.200] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208872/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208872; rev:1;) alert tcp $HOME_NET any -> [86.98.212.45] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208871/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208871; rev:1;) alert tcp $HOME_NET any -> [47.108.117.51] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208870/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208870; rev:1;) alert tcp $HOME_NET any -> [176.123.7.190] 32927 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208869; rev:1;) alert tcp $HOME_NET any -> [47.116.192.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208868/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208868; rev:1;) alert tcp $HOME_NET any -> [185.222.58.243] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208867; rev:1;) alert tcp $HOME_NET any -> [51.21.12.128] 80 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208864/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pinkipinevazzey.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"thinkroarseso.pw"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thinkroarseso.pw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208858; rev:1;) alert tcp $HOME_NET any -> [147.50.252.48] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208863/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208863; rev:1;) alert tcp $HOME_NET any -> [172.208.93.32] 1337 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208862/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/feqsdqdsq/_cf.php"; depth:25; nocase; http.host; content:"brushremovalequipment.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"brushremovalequipment.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"brushremovalequipment.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brushremovalequipment.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208856/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_12_01; classtype:trojan-activity; sid:91208856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"167.114.90.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpengine.clsr.ca"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"wpengine.clsr.ca"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.96.94.237"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dot.gif"; depth:8; nocase; http.host; content:"117.50.184.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.179.243.198"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.155.159.81"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"186.64.113.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208848; rev:1;) alert tcp $HOME_NET any -> [47.109.102.98] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208847/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208847; rev:1;) alert tcp 
$HOME_NET any -> [193.233.132.48] 24324 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208846; rev:1;) alert tcp $HOME_NET any -> [47.113.205.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208845; rev:1;) alert tcp $HOME_NET any -> [37.120.247.80] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208844; rev:1;) alert tcp $HOME_NET any -> [182.92.156.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208843; rev:1;) alert tcp $HOME_NET any -> [104.219.214.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208841; rev:1;) alert tcp $HOME_NET any -> [45.207.49.121] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208842; rev:1;) alert tcp $HOME_NET any -> [8.130.132.92] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208840; rev:1;) alert tcp $HOME_NET any -> [59.110.6.123] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208839; rev:1;) alert tcp $HOME_NET any -> [38.207.178.68] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208838; rev:1;) alert tcp $HOME_NET any -> [123.57.20.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208837; rev:1;) alert tcp $HOME_NET any -> [39.96.85.37] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208835; rev:1;) alert tcp $HOME_NET any -> [18.162.193.5] 9090 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208836; rev:1;) alert tcp $HOME_NET any -> [85.209.176.237] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208834; rev:1;) alert tcp $HOME_NET any -> [149.104.24.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208833; rev:1;) alert tcp $HOME_NET any -> [118.193.47.149] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208832; rev:1;) alert tcp $HOME_NET any -> [94.156.71.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208830; rev:1;) alert tcp $HOME_NET any -> [147.78.47.226] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208831/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sayid.pesca.jordiololab.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208829; rev:1;) alert tcp $HOME_NET any -> [81.19.137.54] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208828; rev:1;) alert tcp $HOME_NET any -> [195.35.11.135] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208827; rev:1;) alert tcp $HOME_NET any -> [94.142.138.128] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208826; rev:1;) alert tcp $HOME_NET any -> [117.50.188.53] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208825; rev:1;) alert tcp $HOME_NET any -> [49.113.78.81] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208824; rev:1;) alert tcp $HOME_NET any -> [194.233.66.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208823/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208823; rev:1;) alert tcp $HOME_NET any -> [2.50.16.161] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208822; rev:1;) alert tcp $HOME_NET any -> [161.142.98.230] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208821; rev:1;) alert tcp $HOME_NET any -> [142.202.205.35] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208820; rev:1;) alert tcp $HOME_NET any -> [185.82.127.212] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208819; rev:1;) 
alert tcp $HOME_NET any -> [120.55.37.69] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208818; rev:1;) alert tcp $HOME_NET any -> [18.135.210.230] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208817; rev:1;) alert tcp $HOME_NET any -> [121.40.171.154] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208816; rev:1;) alert tcp $HOME_NET any -> [167.94.158.156] 8989 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208815; rev:1;) alert tcp $HOME_NET any -> [103.161.171.127] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208814; rev:1;) alert tcp $HOME_NET any -> [79.245.246.193] 13832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208813; rev:1;) alert tcp $HOME_NET any -> [78.163.243.12] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208812; rev:1;) alert tcp $HOME_NET any -> [66.94.118.174] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208811; rev:1;) alert tcp $HOME_NET any -> [91.109.188.9] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1e57687.php"; depth:13; nocase; http.host; content:"94.131.112.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208809; rev:1;) alert tcp $HOME_NET any -> [101.42.170.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208808/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208808; rev:1;) alert tcp $HOME_NET any -> [195.20.16.45] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208807; rev:1;) alert tcp $HOME_NET any -> [176.123.10.211] 47430 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208806; rev:1;) alert tcp $HOME_NET any -> [141.94.107.128] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208804/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cropfemininedynam.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208803; rev:1;) alert tcp $HOME_NET any -> [91.92.248.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208802/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208802; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 18200 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208801; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18200 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208800; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18200 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208799; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 18200 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208798; rev:1;) alert tcp $HOME_NET any -> [134.175.55.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208797; rev:1;) alert tcp $HOME_NET any -> [37.120.247.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"37.120.247.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208795; rev:1;) alert tcp $HOME_NET any -> [8.130.123.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.130.123.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208793; rev:1;) alert tcp $HOME_NET any -> [198.27.121.194] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208792/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_01; classtype:trojan-activity; sid:91208792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"gybin6gz.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208791/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208791; rev:1;) alert tcp $HOME_NET any -> [158.160.77.234] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/917abd55.php"; depth:13; nocase; http.host; content:"cw11723.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208790; rev:1;) alert tcp $HOME_NET any -> [3.14.182.203] 14849 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208789; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 14849 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208788; rev:1;) alert tcp $HOME_NET any -> [3.134.39.220] 14849 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208787; 
rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 14849 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208786; rev:1;) alert tcp $HOME_NET any -> [3.13.191.225] 14849 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208785; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 14849 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208784; rev:1;) alert tcp $HOME_NET any -> [47.116.198.16] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208783/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208783; rev:1;) alert tcp $HOME_NET any -> [31.129.43.34] 5494 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; 
depth:12; nocase; http.host; content:"celestinepanel.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.184.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208778; rev:1;) alert tcp $HOME_NET any -> [123.60.176.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208777/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acotechgh.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208776; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 13940 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208775; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 13940 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208774; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 13940 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208773; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 13940 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208772; rev:1;) alert tcp $HOME_NET any -> [146.19.170.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208771; rev:1;) alert tcp $HOME_NET any -> [150.158.139.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208770/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; 
sid:91208770; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208769/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208769; rev:1;) alert tcp $HOME_NET any -> [107.150.100.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208768/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208768; rev:1;) alert tcp $HOME_NET any -> [201.137.227.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208767/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208767; rev:1;) alert tcp $HOME_NET any -> [201.249.29.196] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208766/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208766; rev:1;) alert tcp $HOME_NET any -> [170.64.164.161] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208765/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208765; rev:1;) alert tcp $HOME_NET any -> [185.221.216.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208764/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208764; rev:1;) alert tcp $HOME_NET any -> [13.215.228.73] 10443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208763/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208763; rev:1;) alert tcp $HOME_NET any -> [142.202.205.35] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208762/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208762; rev:1;) alert tcp $HOME_NET any -> [142.202.205.35] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208761/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0889022.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208760; rev:1;) alert tcp $HOME_NET any -> [47.107.76.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208759/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"77.91.76.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nso5rjixzduwzob2/"; depth:18; nocase; http.host; content:"185.196.8.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208621/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nso5rjixzduwzob2/"; depth:18; nocase; http.host; content:"cantationnatationclass1.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208622/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nso5rjixzduwzob2/"; depth:18; nocase; http.host; content:"cantationnatationclass2.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208623/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nso5rjixzduwzob2/"; depth:18; nocase; http.host; content:"cantationnatationclass3.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208624/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nso5rjixzduwzob2/"; depth:18; nocase; http.host; content:"cantationnatationclass4.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208625/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nso5rjixzduwzob2/"; depth:18; nocase; http.host; content:"cantationnatationclass5.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208626/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"cm603lzeyxdw.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208627/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"cm603lzeyxdw1.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208628/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"arw2he7x57wp.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208629/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"cm603lzeyxdw.biz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208631/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"9r8i1u84t2gp.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208630/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"arw2he7x57wp1.pw"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1208632/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"9r8i1u84t2gp1.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208633/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"cm603lzeyxdw.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208634/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"yjf241z0uu75.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208635/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"5a9udxg6l6gd.su"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208636/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"trans1ategooglecom.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1208638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"saintelzearlava.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1208639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"acotechgh.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"acotechgh.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208642; rev:1;) alert tcp $HOME_NET any -> [194.49.94.126] 47002 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208649/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208649; rev:1;) alert tcp $HOME_NET any -> [194.67.197.139] 16515 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208650; rev:1;) alert tcp $HOME_NET any -> [194.49.94.182] 6977 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208651; rev:1;) alert tcp $HOME_NET any -> [91.92.247.79] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208652; rev:1;) alert tcp $HOME_NET any -> [5.181.80.54] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208653/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slabbymenusportef.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208712; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slabbymenusportef.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208713; rev:1;) alert tcp $HOME_NET any -> [2.57.149.230] 4357 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207467/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91207467; rev:1;) alert tcp $HOME_NET any -> [2.57.149.230] 49705 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207468/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91207468; rev:1;) alert tcp $HOME_NET any -> [2.57.149.230] 4970 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207469/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91207469; rev:1;) alert tcp $HOME_NET any -> [5.181.156.235] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208430; rev:1;) alert tcp $HOME_NET any -> [5.181.80.127] 47471 (msg:"ThreatFox Houdini botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208757/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_01; classtype:trojan-activity; sid:91208757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"snk2333.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208756/; target:src_ip; metadata: confidence_level 50, first_seen 2023_12_01; classtype:trojan-activity; sid:91208756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/4988"; depth:15; nocase; http.host; content:"178.128.238.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208755/; target:src_ip; metadata: confidence_level 75, first_seen 2023_12_01; classtype:trojan-activity; sid:91208755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/25064245498223"; depth:25; nocase; http.host; content:"178.128.238.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/multi/python7/4cdn/api/proton/pollcpugameapidefaultlinuxgeneratorwp.php"; depth:72; nocase; http.host; content:"80.66.89.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208753; rev:1;) alert tcp $HOME_NET 
any -> [164.90.238.127] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208752/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208752; rev:1;) alert tcp $HOME_NET any -> [5.188.159.44] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208751; rev:1;) alert tcp $HOME_NET any -> [101.43.159.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208750; rev:1;) alert tcp $HOME_NET any -> [60.204.133.143] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208749; rev:1;) alert tcp $HOME_NET any -> [23.22.252.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208748; rev:1;) alert tcp $HOME_NET any -> [154.12.26.151] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208747/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208747; rev:1;) alert tcp $HOME_NET any -> [123.56.194.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208746; rev:1;) alert tcp $HOME_NET any -> [20.42.56.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208744; rev:1;) alert tcp $HOME_NET any -> [154.19.185.181] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208745; rev:1;) alert tcp $HOME_NET any -> [142.202.205.35] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208743; rev:1;) alert tcp $HOME_NET any -> [60.204.199.200] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208742; rev:1;) alert tcp $HOME_NET any -> [119.3.155.79] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208741; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208740/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208740; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208739/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208739; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208738/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208738; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208737/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208737; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208735/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208735; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208736/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208736; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208734/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208734; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208732/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208732; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208733/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208733; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208731/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208731; rev:1;) alert tcp $HOME_NET any -> [124.70.38.91] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1208730/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208730; rev:1;) alert tcp $HOME_NET any -> [149.202.45.103] 8081 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208729/; target:src_ip; metadata: confidence_level 90, first_seen 2023_12_01; classtype:trojan-activity; sid:91208729; rev:1;) alert tcp $HOME_NET any -> [187.135.114.234] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208728; rev:1;) alert tcp $HOME_NET any -> [187.135.114.234] 1850 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208726; rev:1;) alert tcp $HOME_NET any -> [187.135.114.234] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208727; rev:1;) alert tcp $HOME_NET any -> [187.135.114.234] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208725; rev:1;) alert tcp $HOME_NET any -> [91.92.250.79] 8080 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208724; rev:1;) alert tcp $HOME_NET any -> [116.62.172.40] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208723; rev:1;) alert tcp $HOME_NET any -> [213.195.117.254] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208722; rev:1;) alert tcp $HOME_NET any -> [193.124.205.3] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208721; rev:1;) alert tcp $HOME_NET any -> [141.255.151.249] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208720; rev:1;) alert tcp $HOME_NET any -> [172.191.67.230] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208719/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.222.237.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; classtype:trojan-activity; sid:91208717; rev:1;) alert tcp $HOME_NET any -> [8.134.161.181] 8181 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208716/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208716; rev:1;) alert tcp $HOME_NET any -> [187.135.114.234] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208715/; target:src_ip; metadata: confidence_level 80, first_seen 2023_12_01; classtype:trojan-activity; sid:91208715; rev:1;) alert tcp $HOME_NET any -> [179.155.103.154] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_12_01; 
classtype:trojan-activity; sid:91208714; rev:1;) alert tcp $HOME_NET any -> [95.214.26.199] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208711/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.rsrc.eu.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"s1.rsrc.eu.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.222.237.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"159.223.6.128"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208707; rev:1;) alert tcp $HOME_NET any -> [161.97.71.41] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208706/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91208706; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12147 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208705; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12147 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208704; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12147 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208703; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12147 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208702; rev:1;) alert tcp $HOME_NET any -> [168.138.178.209] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208701; rev:1;) alert tcp $HOME_NET any -> [212.233.75.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208700; rev:1;) alert tcp $HOME_NET any -> [107.151.148.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208699; rev:1;) alert tcp $HOME_NET any -> [85.17.9.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208698; rev:1;) alert tcp $HOME_NET any -> [38.147.171.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208697; rev:1;) alert tcp $HOME_NET any -> [47.236.70.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208695/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208695; rev:1;) alert tcp $HOME_NET any -> [38.6.189.182] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208696; rev:1;) alert tcp $HOME_NET any -> [47.236.70.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208694; rev:1;) alert tcp $HOME_NET any -> [163.5.64.47] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208693; rev:1;) alert tcp $HOME_NET any -> [163.5.64.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208691; rev:1;) alert tcp $HOME_NET any -> [193.233.254.90] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208692; rev:1;) alert tcp $HOME_NET any -> [212.113.106.241] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208689; rev:1;) alert tcp $HOME_NET any -> [163.5.64.46] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208690; rev:1;) alert tcp $HOME_NET any -> [47.92.125.98] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208688; rev:1;) alert tcp $HOME_NET any -> [223.109.175.218] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208687; rev:1;) alert tcp $HOME_NET any -> [54.86.130.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208686; rev:1;) alert tcp $HOME_NET any -> [213.139.205.115] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208684; rev:1;) alert tcp $HOME_NET any 
-> [45.61.154.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208685; rev:1;) alert tcp $HOME_NET any -> [154.12.90.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208683; rev:1;) alert tcp $HOME_NET any -> [154.246.25.204] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208682; rev:1;) alert tcp $HOME_NET any -> [89.117.79.31] 2 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208681; rev:1;) alert tcp $HOME_NET any -> [107.175.243.138] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208680; rev:1;) alert tcp $HOME_NET any -> [213.195.117.254] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208679/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208679; rev:1;) alert tcp $HOME_NET any -> [187.24.69.254] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208678; rev:1;) alert tcp $HOME_NET any -> [148.135.75.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208677; rev:1;) alert tcp $HOME_NET any -> [52.91.116.180] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208676; rev:1;) alert tcp $HOME_NET any -> [168.100.10.60] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208675/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208675; rev:1;) alert tcp $HOME_NET any -> [193.149.129.86] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208674/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208674; rev:1;) alert tcp $HOME_NET any -> [5.180.114.88] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208673/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rut341/index.php"; depth:17; nocase; http.host; content:"hoswell.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208672/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208672; rev:1;) alert tcp $HOME_NET any -> [213.65.233.25] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208671; rev:1;) alert tcp $HOME_NET any -> [128.199.70.91] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208670/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91208670; rev:1;) alert tcp $HOME_NET any -> [41.99.46.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208669/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208669; rev:1;) alert tcp $HOME_NET any -> [37.186.58.149] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208668/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208668; rev:1;) alert tcp $HOME_NET any -> [191.112.15.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208667/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208667; rev:1;) alert tcp $HOME_NET any -> [89.23.99.83] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207449/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207449; rev:1;) alert tcp $HOME_NET any -> [89.23.101.188] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207450/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207450; rev:1;) alert tcp $HOME_NET any -> [89.23.101.210] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207451/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207451; rev:1;) alert tcp $HOME_NET any -> [188.127.227.49] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207452/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207452; rev:1;) alert tcp $HOME_NET any -> [188.127.229.238] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1207453/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207453; rev:1;) alert tcp $HOME_NET any -> [188.127.242.156] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207454/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207454; rev:1;) alert tcp $HOME_NET any -> [189.140.81.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208666/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208666; rev:1;) alert tcp $HOME_NET any -> [86.222.183.241] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208665/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208665; rev:1;) alert tcp $HOME_NET any -> [87.223.93.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208664/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208664; rev:1;) alert tcp $HOME_NET any -> [201.103.222.151] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208663/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208663; rev:1;) alert tcp $HOME_NET any -> [201.210.77.83] 2222 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208662/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208662; rev:1;) alert tcp $HOME_NET any -> [193.57.139.54] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208661/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208661; rev:1;) alert tcp $HOME_NET any -> [31.28.170.72] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208660/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208660; rev:1;) alert tcp $HOME_NET any -> [142.93.185.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208659/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208659; rev:1;) alert tcp $HOME_NET any -> [54.198.145.43] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208658/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"legdfls2369.com"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1208657/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"gucc352093520.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208656/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"fpodsp0532xc.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208655/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91208655; rev:1;) alert tcp $HOME_NET any -> [185.62.85.197] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208654/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91208654; rev:1;) alert tcp $HOME_NET any -> [88.117.27.108] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208648/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91208648; rev:1;) alert tcp $HOME_NET any -> [82.157.44.254] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208647/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91208647; rev:1;) alert tcp $HOME_NET any -> [94.228.162.22] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208646/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"evgenzow.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208645; rev:1;) alert tcp $HOME_NET any -> [46.246.86.8] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208644; rev:1;) alert tcp $HOME_NET any -> [217.76.59.48] 9878 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208643; rev:1;) alert tcp $HOME_NET any -> [120.55.183.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208640/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbflowerdatalife.php"; depth:21; nocase; http.host; content:"a0840745.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208637; rev:1;) alert tcp $HOME_NET any -> [95.214.26.79] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208618/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208618; rev:1;) alert tcp $HOME_NET any -> [95.214.26.90] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208619/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208619; rev:1;) alert tcp $HOME_NET any -> [95.214.26.99] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208620/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208620; rev:1;) alert tcp $HOME_NET any -> [95.214.26.18] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208611/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208611; rev:1;) alert tcp $HOME_NET any -> [95.214.26.190] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208612/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208612; rev:1;) alert tcp $HOME_NET any -> [95.214.26.199] 21 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208613/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208613; rev:1;) alert tcp $HOME_NET any -> [95.214.26.199] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208614/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208614; rev:1;) alert tcp $HOME_NET any -> [95.214.26.199] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208615/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208615; rev:1;) alert tcp $HOME_NET any -> [95.214.26.25] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208616/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208616; rev:1;) alert tcp $HOME_NET any -> [95.214.26.60] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208617/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208617; rev:1;) alert tcp 
$HOME_NET any -> [185.65.105.197] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208608/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208608; rev:1;) alert tcp $HOME_NET any -> [185.65.105.198] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208609/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208609; rev:1;) alert tcp $HOME_NET any -> [185.65.105.199] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208610/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208610; rev:1;) alert tcp $HOME_NET any -> [185.65.105.196] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208606/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208606; rev:1;) alert tcp $HOME_NET any -> [185.65.105.196] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208607/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208607; rev:1;) alert tcp $HOME_NET any -> [185.65.105.194] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208604/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208604; rev:1;) alert tcp $HOME_NET any -> [185.65.105.195] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208605/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208605; rev:1;) alert tcp $HOME_NET any -> [185.65.105.193] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208603/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208603; rev:1;) alert tcp $HOME_NET any -> [185.65.105.193] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208602/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208602; rev:1;) alert tcp $HOME_NET any -> [185.65.105.190] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208599/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208599; rev:1;) alert tcp $HOME_NET any -> [185.65.105.191] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208600/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208600; rev:1;) alert tcp $HOME_NET any -> [185.65.105.192] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208601/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208601; rev:1;) alert tcp $HOME_NET any -> [185.65.105.15] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208598/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208598; rev:1;) alert tcp $HOME_NET any -> [101.99.92.218] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208596/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208596; rev:1;) alert tcp $HOME_NET any -> [101.99.92.218] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208597/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208597; rev:1;) alert tcp $HOME_NET any -> [101.99.92.19] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208593/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208593; rev:1;) alert tcp $HOME_NET any -> [101.99.92.19] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208594/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208594; rev:1;) alert tcp $HOME_NET any -> [101.99.92.212] 8080 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208595/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208595; rev:1;) alert tcp $HOME_NET any -> [101.99.92.102] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208590/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208590; rev:1;) alert tcp $HOME_NET any -> [101.99.92.103] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208591/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208591; rev:1;) alert tcp $HOME_NET any -> [101.99.92.19] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208592/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208592; rev:1;) alert tcp $HOME_NET any -> [101.99.92.101] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208587/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208587; rev:1;) alert tcp $HOME_NET any -> [101.99.92.102] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208588/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; 
sid:91208588; rev:1;) alert tcp $HOME_NET any -> [101.99.92.102] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208589/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91208589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.65.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prikhapert.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aprilcharou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arsimonopa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemonimonakio.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"118.89.71.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"148.135.116.42"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.103.77.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.14.43.163"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1208578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.113.225.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"147.139.212.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1208576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208576; rev:1;) alert tcp $HOME_NET any -> [163.5.64.9] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208574; rev:1;) alert tcp $HOME_NET any -> [8.222.253.218] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208575; rev:1;) alert tcp $HOME_NET any -> [46.243.182.63] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208573/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208573; rev:1;) alert tcp $HOME_NET any -> [85.209.176.200] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208572; rev:1;) alert tcp $HOME_NET any -> [205.234.244.2] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208570; rev:1;) alert tcp $HOME_NET any -> [5.178.111.176] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjxr.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhggt.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"static.85.22.27.37.clients.your-server.de"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165115.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165057.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165099.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhabe.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165053.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208561/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165103.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165088.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16503.cz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16505.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165140.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"58701.tv"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16505.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165187.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165042.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165018.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1208550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adminuser.euew3172.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165110.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maizi.tokenpocket.wiki"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhbest.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165096.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208547; rev:1;) alert tcp $HOME_NET any -> [62.109.13.217] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208544; rev:1;) alert tcp $HOME_NET any -> [193.233.255.255] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208545; rev:1;) alert tcp $HOME_NET any -> [103.61.224.87] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208543; rev:1;) alert tcp $HOME_NET any -> [158.220.117.55] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165101.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208540; rev:1;) alert tcp $HOME_NET any -> [163.5.64.30] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1208541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165094.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165005.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165095.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165109.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165143.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; 
sid:91208536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhjjr.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165176.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165041.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davi-vienda.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165050.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"165064.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165218.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165094.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165134.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app-ramp.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165157.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208523/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1100652.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165029.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16511.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1300007.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208520; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"status.hosting.felicity-services.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"333333.heun.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165100.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhabb.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165128.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ec2-13-215-161-69.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-intesapaolo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhtfd.biz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hook.p3xx.gq"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsh.mg.qiluqhapp.vip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165140.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1208509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208509; rev:1;) alert tcp $HOME_NET any -> [85.209.176.63] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208507; rev:1;) alert tcp $HOME_NET any -> [44.219.227.178] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208505; rev:1;) alert tcp $HOME_NET any -> [91.92.240.22] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208506; rev:1;) alert tcp $HOME_NET any -> [91.215.85.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208504; rev:1;) alert tcp $HOME_NET any -> [217.197.107.103] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208502; rev:1;) alert tcp $HOME_NET any -> [5.42.92.177] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165028.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208501; rev:1;) alert tcp $HOME_NET any -> [91.92.248.224] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165001.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165189.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208500; rev:1;) alert tcp $HOME_NET any -> [193.233.254.19] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208497/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_30; classtype:trojan-activity; sid:91208497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165155.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165215.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165128.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165108.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165200.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"host.ptechconsult.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208492; rev:1;) alert tcp $HOME_NET any -> [194.33.191.251] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.vrfonline247.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sms.ptechconsult.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.23-101-206-34.cprapid.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-pleo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1208485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208485; rev:1;) alert tcp $HOME_NET any -> [144.76.254.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208483; rev:1;) alert tcp $HOME_NET any -> [85.209.176.188] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.id"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.baitianshiyou.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165024.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208480; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165021.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165150.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165091.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.status.felicity-services.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165031.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165074.org"; depth:10; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165124.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165006.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165008.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165094.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amendes.webgouv.fr.89-163-255-130.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208468/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-kbcportal.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16510.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165115.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165061.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.199-101-135-49.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208463; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agdetails.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feelajans.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165114.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165133.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165044.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208460; rev:1;) alert tcp $HOME_NET any -> [137.184.197.138] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1208457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhtime.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208458; rev:1;) alert tcp $HOME_NET any -> [80.66.85.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165044.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.intelligent-galileo.89-163-255-130.plesk.page"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165159.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165056.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165026.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165048.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165049.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165126.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"1.165168.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165213.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165240.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165197.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165119.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1098393-cx34326.tmweb.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208443/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165118.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165160.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165026.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165137.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165040.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208438; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165057.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165010.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165021.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h.mcimtn.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-allianz.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165121.vip"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baitian.imtoken.fan"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165134.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165096.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165059.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165007.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16531.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165223.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.webgouv.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165067.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165137.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"165011.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165208.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165115.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-rak.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165024.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165112.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208415/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208415; rev:1;) alert tcp $HOME_NET any -> [159.100.6.50] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165082.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208413; rev:1;) alert tcp $HOME_NET any -> [45.131.2.163] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165168.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165245.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"165015.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16509.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165076.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165006.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sleepy-einstein.91-215-85-145.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165007.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1208404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"picoshot.softether.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.23-101-206-34.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165097.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165060.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165098.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165154.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165199.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16503.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165022.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165153.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"165161.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165163.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165117.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165007.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165017.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16541.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208386/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165217.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165129.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165106.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165108.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165043.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165027.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjgt.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165107.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165108.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16510.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prometheus.felicity-services.com"; depth:32; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165011.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhrise.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165086.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165063.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-populaire.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165084.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plnest-bank.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165044.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165149.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dl.shop-pro.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"165052.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165025.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eu-anytime.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebgostahdferee.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165034.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165093.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1208359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165050.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgbu.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjct.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165033.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16547.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208356; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16512.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-nbg.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drainer.89-163-255-130.plesk.page"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testings.ptechconsult.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"muchdomain333.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.194-146-13-49.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhjje.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjgq.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165214.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165020.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208343/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasanulukaya2312.com.tr"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165163.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-postbank.group"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bozkurt.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16516.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208340; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165009.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165241.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165092.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-inetesapaolo.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1129546-2.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"165207.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165048.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165046.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165054.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165190.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165235.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208327/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165137.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bank-verification.myddns.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-sabadell.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165097.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165203.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208324; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165025.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.kinetic.supplies"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16510.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165165.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165026.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208318; rev:1;) alert tcp $HOME_NET any -> [163.5.64.20] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1208316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208316; rev:1;) alert tcp $HOME_NET any -> [167.235.66.122] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208317; rev:1;) alert tcp $HOME_NET any -> [51.161.10.33] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208315; rev:1;) alert tcp $HOME_NET any -> [46.175.149.90] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208314; rev:1;) alert tcp $HOME_NET any -> [85.209.176.206] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208313; rev:1;) alert tcp $HOME_NET any -> [51.79.235.44] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208311; rev:1;) alert tcp $HOME_NET any -> [85.209.176.49] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208312; rev:1;) alert tcp $HOME_NET any -> [79.137.207.52] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208309; rev:1;) alert tcp $HOME_NET any -> [163.5.64.31] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208310; rev:1;) alert tcp $HOME_NET any -> [178.130.132.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208308; rev:1;) alert tcp $HOME_NET any -> [194.33.191.230] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208306; rev:1;) alert tcp $HOME_NET any -> [194.49.94.115] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208307; rev:1;) 
alert tcp $HOME_NET any -> [193.233.232.38] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165060.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208303; rev:1;) alert tcp $HOME_NET any -> [77.91.68.160] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165087.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165043.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165149.org"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1208299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165069.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165138.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragonslayer12.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165012.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165075.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ca-bnc.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165049.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165084.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165105.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165158.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"staging.teg.london"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165112.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16525.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16522.tv"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16503.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sms.ptechconsult.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1208285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interface.qiluqhapp.vip"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165003.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16505.vin"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165123.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-divvy.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; 
sid:91208278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-asb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165020.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kn1976.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165104.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165100.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"165112.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-instamed.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhggr.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"generatedata.felicity-services.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"precisionrenovationri.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16504.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1208268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165090.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xsqaeddmckcncjdkmoqncjdl.store"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.precisionrenovationri.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165107.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ahmeddhouib.hosting.felicity-services.com"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208262/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jayelectrons.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.23-101-206-34.cprapid.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165142.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.qiluqhapp.vip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165132.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208258; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165026.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havayoluhatti.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165047.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165141.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165181.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhssw.me"; depth:8; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165037.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165159.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.23-101-206-34.cprapid.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165056.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-asb.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208246/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_30; classtype:trojan-activity; sid:91208246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhsht.es"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165079.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55555.heun.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165081.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhkwn.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"165032.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165129.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165027.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"index.pornhtxub.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-block-chain.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165224.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1208237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gram.riseup101.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165133.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165119.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c-q060-u1739-49.webazilla.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.23-101-206-34.cprapid.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91208230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165063.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165002.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhsst.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16508.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165222.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"web-divvy.co"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"87-248-157-219.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165120.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-brave.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1651111.bid"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165017.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1208219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165126.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165068.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165110.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16504.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165004.mba"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208216; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165047.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-tradingview.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165045.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16515.uk"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165146.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165085.me"; 
depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.91-215-85-145.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165033.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhbth.es"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165167.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connexion-anytime.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208205/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.199-101-135-49.cprapid.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165079.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp37-4.mailer.expandtrack.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anindacar.com.tr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165008.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208198; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165085.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"193.233.232.38.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mikehp.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165130.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165002.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"clothingyote.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.baitianshiyou.fun"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165053.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165131.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhabd.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165039.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208189/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16504.vin"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165090.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priceless-fermat.87-248-157-149.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ter.chokolak.mom"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"link.eksevents.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208182; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"home-bendigo.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165104.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap653051-3.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165034.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165040.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"1651111.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165041.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hodge.produceanimation.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165013.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordinalwallets.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165117.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208171/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165177.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"64.54.176.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165148.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165132.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16511.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208168; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165139.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165157.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165097.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165145.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165079.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165056.vip"; depth:10; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208162; rev:1;) alert tcp $HOME_NET any -> [154.204.60.34] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165015.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208160; rev:1;) alert tcp $HOME_NET any -> [103.147.12.179] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208158; rev:1;) alert tcp $HOME_NET any -> [24.144.93.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208157; rev:1;) alert tcp $HOME_NET any -> [158.220.117.52] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208156; rev:1;) alert tcp $HOME_NET any -> 
[163.5.169.41] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208154; rev:1;) alert tcp $HOME_NET any -> [193.233.254.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208155; rev:1;) alert tcp $HOME_NET any -> [163.5.169.19] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208153; rev:1;) alert tcp $HOME_NET any -> [85.209.176.197] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208152; rev:1;) alert tcp $HOME_NET any -> [194.87.246.55] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208150; rev:1;) alert tcp $HOME_NET any -> [82.115.223.175] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208151/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_30; classtype:trojan-activity; sid:91208151; rev:1;) alert tcp $HOME_NET any -> [158.220.105.223] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208149; rev:1;) alert tcp $HOME_NET any -> [94.131.106.86] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208147; rev:1;) alert tcp $HOME_NET any -> [43.207.241.87] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208148; rev:1;) alert tcp $HOME_NET any -> [185.221.67.10] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208146; rev:1;) alert tcp $HOME_NET any -> [199.101.135.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208144; rev:1;) alert tcp $HOME_NET any -> [85.209.176.47] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1208145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208145; rev:1;) alert tcp $HOME_NET any -> [18.142.44.78] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208143; rev:1;) alert tcp $HOME_NET any -> [91.215.85.177] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208142; rev:1;) alert tcp $HOME_NET any -> [194.33.191.229] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208140; rev:1;) alert tcp $HOME_NET any -> [160.20.108.242] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208141; rev:1;) alert tcp $HOME_NET any -> [194.33.191.250] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208139; rev:1;) alert tcp $HOME_NET any -> [85.209.176.210] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208138; rev:1;)
# --- ThreatFox IOC batch, first_seen 2023-11-30 (sids 91208025-91208137) ---
# One rule per line (Suricata will not load several rules on a single line).
# Two rule shapes are used in this batch; read them before tuning:
#  * "alert dns ... dns_query; content:"<name>"; depth:<len>; fast_pattern;
#    isdataat:!1,relative; nocase;" anchors the name at offset 0 of the DNS
#    query buffer (depth equals the name length) and requires that no further
#    byte follows, so it is an exact, case-insensitive match on the whole
#    queried name: a lookup of "www.<name>" does NOT fire.
#  * "alert tcp $HOME_NET any -> [<ip>] 80 ..." carries no flow: and no
#    content: keyword, so any packet from $HOME_NET toward that ip:port
#    matches, including a bare SYN to a C2 that is already down;
#    "threshold: type limit, track by_src, seconds 60, count 1" caps it at
#    one alert per internal host per minute. target:src_ip marks the internal
#    host as the affected side in the EVE output.
#  * sid is always the digit 9 followed by the ThreatFox IOC id that appears
#    in reference:url, so sid and reference can be cross-checked mechanically.
# The domain rules name no malware family in msg (only the ip:port rules say
# "Hook"); consult the referenced ThreatFox entry for attribution and for
# whether the IOC is still considered active.
# NOTE(review): a few names look like provider-generated hostnames embedding
# an IP address (*.cprapid.com, vmi*.contaboserver.net,
# *.bc.googleusercontent.com); such addresses can be reassigned to other
# tenants, so confirm the referenced entry before turning an alert into a
# block.
alert tcp $HOME_NET any -> [45.77.254.142] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208136; rev:1;)
alert tcp $HOME_NET any -> [89.116.227.245] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208137; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.maiziqianbao.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208135; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhltd.biz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208134; rev:1;)
alert tcp $HOME_NET any -> [163.5.64.24] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208132; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhbase.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208133; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165121.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165094.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208131; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165083.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165127.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjgr.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjaw.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-synchrony.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208125; rev:1;)
alert tcp $HOME_NET any -> [188.132.197.242] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208124; rev:1;)
alert tcp $HOME_NET any -> [20.121.46.232] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208123; rev:1;)
alert tcp $HOME_NET any -> [164.90.149.96] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16525.tv"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16542.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165114.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjaq.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208118; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165111.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208117; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.135] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208116; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165130.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165125.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208114; rev:1;)
# NOTE(review): hostname embeds an IP address; see the batch header above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"207-32-217-248.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16545.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.199-101-135-49.cprapid.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208110; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165055.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208111; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165128.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208108; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.208] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1208109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165232.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhabh.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208107; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165102.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16509.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208105; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165147.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165086.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208103; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitoring.rankio.app"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165122.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgbs.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165036.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165001.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165006.mba"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208097; rev:1;)
# NOTE(review): provider-style VM hostname; see the batch header above.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1489111.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165066.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-11-181-30.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.nl"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165010.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-wells.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165084.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165097.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165031.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208086; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.199-101-135-49.cprapid.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165092.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208084; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjae.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208085; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165138.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208082; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165023.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208083; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account-bendigo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208080; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165135.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208081; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165030.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165170.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208079; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16505.wang"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208076; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165100.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhrest.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165076.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165118.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208072; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165012.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208073; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165036.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208070; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165179.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208071; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutoutstyle.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208068; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165042.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208069; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165097.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208066; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhipa.id"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208067; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yharea.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208064; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165038.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramp-web.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208063; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165051.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208061; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165123.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165116.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208059; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165244.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165068.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165133.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjxq.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plnestbank.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-capitalonetap.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165087.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165116.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165032.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165050.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordinallwallets.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165154.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165089.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhsse.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordinallswalltes.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165091.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165007.mba"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjar.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhqwek.win"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-101-206-34.cprapid.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-auda.city"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165009.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208039; rev:1;)
# NOTE(review): cloud reverse-style hostname embedding an IP; see the batch
# header above before blocking on this name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"146.140.32.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165001.mba"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165243.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-wisse.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165043.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165116.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165145.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165204.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-paymetech.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165091.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165095.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165085.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-targo.de"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208026/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16503.uk"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165234.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165027.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhssq.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.cad-con-systemplanung.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.91-242-229-247.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-viewer.team"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165014.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165038.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165101.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.drainer.89-163-255-130.plesk.page"; 
depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16502.bid"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165045.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ptechconsult.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165005.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hosting.ptechconsult.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208008/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"199-101-135-49.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165161.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165035.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165116.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165152.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165009.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hosting.ptechconsult.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165077.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165010.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1208001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91208001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165027.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"194-146-13-49.cprapid.com"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165088.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-219-227-178.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhjjw.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"201.lan-bg1-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16526.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207992/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165216.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165246.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165099.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.91-242-229-247.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165191.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165101.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16504.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165100.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.tokenpocket.wiki"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ptechconsult.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165079.vip"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165022.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165074.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165011.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165106.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165236.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-uniswap.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16537.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgbi.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165029.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"yhdkk.es"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165202.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165054.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165018.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165035.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165049.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207965/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-142-44-78.ap-southeast-1.compute.amazonaws.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.rankio.app"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165073.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165087.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16502.biz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207962; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16502.cz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elastic-haslett.91-215-85-153.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165125.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165066.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165073.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"16502.uk"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.jayelectrons.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.web-tradingview.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165072.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165090.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165084.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207949/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165052.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165036.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordinaullswaullet.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165131.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165019.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207944; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-usbank.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.ptechconsult.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip175.ip-87-98-185.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165047.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.23-101-206-34.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"165151.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165143.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165093.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.23-101-206-34.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16508.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web--sabadell.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207935/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165166.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16507.win"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165058.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ded609.hostwindsdns.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjcw.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207928; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16509.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165225.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165064.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165102.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amendes.fr.webgouv.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgba.me"; depth:8; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suddenly.riseup101.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165198.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.connexion-anytime.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165109.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165095.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207919/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_30; classtype:trojan-activity; sid:91207919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165035.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165227.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165096.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.199-101-135-49.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-sofiopen.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhbca.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165037.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165144.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165122.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-bankinter.group"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165118.cz"; depth:9; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1207908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16523.tv"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordinalswallets.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165053.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muchdomain999.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.shop-pro.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjxw.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165058.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhabf.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165114.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165034.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"165010.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165126.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"91-215-85-145.cprapid.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165028.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165221.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165139.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207890/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165003.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.199-101-135-49.cprapid.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165008.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165136.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.199-101-135-49.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207885; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165037.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhggw.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165196.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-bawag.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap532253-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vps-zap897562-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165008.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msk.arifjan.su"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207879; rev:1;) alert tcp $HOME_NET any -> [104.248.168.233] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165002.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165073.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207874/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaraclar.com.tr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165078.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165044.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confident-faraday.160-20-109-76.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165039.co"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207871; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fatimafoods.co.uk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165117.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.207-32-217-248.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165109.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165034.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zones.one"; 
depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.cad-con-systemplanung.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165162.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165001.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165130.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip234.ip-87-98-185.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207860/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165086.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165063.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165098.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165104.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maiziqianbao.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165182.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165071.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165093.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dextools.ws"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165186.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165124.org"; depth:10; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1207849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165231.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.cnsinopecqh.vip"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-rainertrankle.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165160.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165138.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"konta-nest.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1485730.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-fnb.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165180.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16502.vin"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"web-1horizon.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165078.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muchdomain228.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1651112.bid"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordinaullswaullet.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165156.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1207833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16521.tv"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165229.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165083.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165009.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domainover9999.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; 
sid:91207826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165036.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165077.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165136.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165088.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165134.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"web-bpm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165060.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgjcq.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhabj.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-anytime.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"status.felicity-services.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207815/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165045.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165106.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165152.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165162.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165010.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207812; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165111.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165041.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165048.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jayelectrons.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16540.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165230.org"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165195.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207805; rev:1;) alert tcp $HOME_NET any -> [45.11.181.156] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-desjardins.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207803; rev:1;) alert tcp $HOME_NET any -> [34.42.132.228] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165091.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207801; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rogrscadretrn.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165133.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165089.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207798; rev:1;) alert tcp $HOME_NET any -> [163.5.64.17] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165210.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207796; rev:1;) alert tcp $HOME_NET any -> [188.120.240.217] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207793; rev:1;) alert tcp $HOME_NET any -> [163.5.64.19] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207794; rev:1;) alert tcp $HOME_NET any -> [194.156.99.133] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207792; rev:1;) alert tcp $HOME_NET any -> [103.151.4.23] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207790; rev:1;) alert tcp $HOME_NET any -> [85.209.176.40] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207791; rev:1;) alert tcp $HOME_NET any -> [38.242.145.226] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207789; rev:1;) alert tcp $HOME_NET any -> [85.209.176.23] 80 (msg:"ThreatFox Hook 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207787; rev:1;) alert tcp $HOME_NET any -> [194.26.192.46] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207788; rev:1;) alert tcp $HOME_NET any -> [172.208.40.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207786; rev:1;) alert tcp $HOME_NET any -> [85.209.176.54] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207784; rev:1;) alert tcp $HOME_NET any -> [194.33.191.166] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207785; rev:1;) alert tcp $HOME_NET any -> [91.92.246.144] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; 
sid:91207783; rev:1;) alert tcp $HOME_NET any -> [85.209.176.38] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207781; rev:1;) alert tcp $HOME_NET any -> [91.92.243.93] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207782; rev:1;) alert tcp $HOME_NET any -> [2.57.149.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207780; rev:1;) alert tcp $HOME_NET any -> [23.101.206.34] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207779; rev:1;) alert tcp $HOME_NET any -> [77.91.68.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207777; rev:1;) alert tcp $HOME_NET any -> [91.107.122.180] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207778/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207778; rev:1;) alert tcp $HOME_NET any -> [94.156.68.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207776; rev:1;) alert tcp $HOME_NET any -> [20.84.147.169] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207775; rev:1;) alert tcp $HOME_NET any -> [45.138.16.58] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207773; rev:1;) alert tcp $HOME_NET any -> [74.235.136.117] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207774; rev:1;) alert tcp $HOME_NET any -> [91.92.250.39] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207771; rev:1;) alert tcp $HOME_NET any -> [172.208.40.228] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207772; rev:1;) alert tcp $HOME_NET any -> [178.16.129.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207770; rev:1;) alert tcp $HOME_NET any -> [103.159.188.34] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207768; rev:1;) alert tcp $HOME_NET any -> [163.5.64.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0rrdinalswallet.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165126.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207765; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-verstapay.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165107.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhgame.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165164.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhnas.es"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165122.vip"; depth:10; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165092.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capital-on.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web0-fnb.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16527.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ordlnallswallets.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207756/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_30; classtype:trojan-activity; sid:91207756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eksevents.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.207-32-217-248.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165104.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165042.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165072.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165113.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165058.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzqb.tokenpocket.wiki"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-bnc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165032.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165171.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1207743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1493470.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp37-1.mailer.expandtrack.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165228.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165066.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.centraless.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207738/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_30; classtype:trojan-activity; sid:91207738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165125.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1015621-5.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165007.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165135.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16570.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"165020.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165099.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165089.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.automoto.tn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165091.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165004.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1207729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-blockchain.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165059.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165062.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lhp.honghan.buzz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165075.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207723; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165014.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165110.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165004.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muchdomain444.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165113.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"165124.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhatb.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.precisionrenovationri.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165172.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-synchrony.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165042.uk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207711/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165088.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165158.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdevluminor.team"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cry4now.club"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165067.vip"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207708; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"16501.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usagers.antai.webgouv.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165121.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165115.biz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165107.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165012.me"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165045.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.cad-con-systemplanung.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.165095.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yhssr.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mar.muchdomain999.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207697/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_30; classtype:trojan-activity; sid:91207697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"165005.cz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207695; rev:1;) alert tcp $HOME_NET any -> [50.116.11.220] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207694/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207694; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207693/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207693; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207692/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207692; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207691/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207691; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207690/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207690; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207689/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207689; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207688/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207688; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207687/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207687; rev:1;) alert tcp $HOME_NET any -> [120.46.142.56] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207686/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207686; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207685/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207685; rev:1;) alert tcp $HOME_NET any -> 
[124.70.202.122] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207684/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207684; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207683/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207683; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207682/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207682; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207681/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207681; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207679/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207679; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207680/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207680; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207678/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207678; rev:1;) alert tcp $HOME_NET any -> [124.70.202.122] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207677/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207677; rev:1;) alert tcp $HOME_NET any -> [101.200.77.210] 6051 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207676/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207676; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207675/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207675; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207674/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207674; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207673/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207673; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207672/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207672; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207670/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207670; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207671/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207671; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207669/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207669; rev:1;) alert tcp $HOME_NET any -> [120.233.114.186] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207668/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207668; rev:1;) 
alert tcp $HOME_NET any -> [120.233.114.186] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207667/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207667; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207666/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207666; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207665/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207665; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207664/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207664; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207663/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207663; rev:1;) alert tcp $HOME_NET any -> [120.233.114.184] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1207662/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207662; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207661/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207661; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207660/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207660; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207659/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207659; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207658/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207658; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207657/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207657; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8003 (msg:"ThreatFox ShadowPad botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207656/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207656; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207655/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207655; rev:1;) alert tcp $HOME_NET any -> [124.70.63.174] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207654/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207654; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207653/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207653; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207652/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207652; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207651/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207651; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207650/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207650; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207649/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207649; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207648/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207648; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207647/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207647; rev:1;) alert tcp $HOME_NET any -> [124.70.200.238] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207646/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207646; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1207645/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207645; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207644/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207644; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207643/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207643; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207642/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207642; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207641/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207641; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207640/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207640; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8007 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207639/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207639; rev:1;) alert tcp $HOME_NET any -> [121.36.106.89] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207638/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207638; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207637/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207637; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207636/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207636; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207635/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207635; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207634/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207634; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207633/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207633; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207632/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207632; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207631/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207631; rev:1;) alert tcp $HOME_NET any -> [124.70.56.41] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207630/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207630; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207629/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207629; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1207628/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207628; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207627/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207627; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207626/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207626; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207625/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207625; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207624/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207624; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207623/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207623; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22001 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207622/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207622; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207620/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207620; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207621/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207621; rev:1;) alert tcp $HOME_NET any -> [120.233.114.229] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207619/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207619; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207618/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207618; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207617/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207617; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207615/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207615; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207616/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207616; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207614/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207614; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207612/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207612; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207613/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207613; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207611/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207611; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207609/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207609; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207610/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207610; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207608/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207608; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207606/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207606; rev:1;) alert tcp $HOME_NET any -> [120.233.50.14] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207607/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207607; rev:1;) alert tcp 
$HOME_NET any -> [122.114.18.100] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207605/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207605; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207604/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207604; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207603/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207603; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207601/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207601; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207602/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207602; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207600/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207600; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207599/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207599; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207597/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207597; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207598/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207598; rev:1;) alert tcp $HOME_NET any -> [123.60.55.205] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207596/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207596; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207595/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207595; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 
90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207593/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207593; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207594/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207594; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207592/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207592; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207591/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207591; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207589/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207589; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207590/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207590; rev:1;) alert 
tcp $HOME_NET any -> [120.233.114.141] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207587/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207587; rev:1;) alert tcp $HOME_NET any -> [121.36.83.144] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207588/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207588; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207586/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207586; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207585/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207585; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207583/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207583; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207584/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207584; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207582/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207582; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207580/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207580; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207581/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207581; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207579/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207579; rev:1;) alert tcp $HOME_NET any -> [119.3.227.189] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207578/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207578; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 
90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207576/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207576; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207577/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207577; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207575/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207575; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207574/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207574; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207572/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207572; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207573/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207573; rev:1;) alert 
tcp $HOME_NET any -> [119.3.188.193] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207571/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207571; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207569/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207569; rev:1;) alert tcp $HOME_NET any -> [119.3.188.193] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207570/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207570; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207568/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207568; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207567/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207567; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207566/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_30; classtype:trojan-activity; sid:91207566; rev:1;) alert tcp $HOME_NET any -> [152.89.198.229] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207565; rev:1;) alert tcp $HOME_NET any -> [95.217.5.29] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207564; rev:1;) alert tcp $HOME_NET any -> [134.122.52.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207563; rev:1;) alert tcp $HOME_NET any -> [103.150.10.45] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207562; rev:1;) alert tcp $HOME_NET any -> [47.120.32.46] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207561; rev:1;) alert tcp $HOME_NET any -> [47.236.66.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207560; rev:1;) alert tcp $HOME_NET any -> [106.15.225.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207558; rev:1;) alert tcp $HOME_NET any -> [112.116.204.186] 2255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207559; rev:1;) alert tcp $HOME_NET any -> [47.92.213.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207557; rev:1;) alert tcp $HOME_NET any -> [198.46.189.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207555; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 23566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207556; rev:1;) alert tcp $HOME_NET any -> [139.84.173.190] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207554; rev:1;) alert tcp $HOME_NET any -> [207.246.115.71] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207553; rev:1;) alert tcp $HOME_NET any -> [103.212.81.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207552; rev:1;) alert tcp $HOME_NET any -> [34.92.85.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207551; rev:1;) alert tcp $HOME_NET any -> [60.205.115.92] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207550; rev:1;) alert tcp $HOME_NET any -> [107.174.243.101] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207549; rev:1;) alert tcp $HOME_NET any -> [167.179.104.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207547; rev:1;) alert tcp $HOME_NET any -> [180.76.99.119] 18889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207548; rev:1;) alert tcp $HOME_NET any -> [8.137.39.212] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207546; rev:1;) alert tcp $HOME_NET any -> [47.115.210.48] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207545; rev:1;) alert tcp $HOME_NET any -> [107.172.137.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207543; rev:1;) alert tcp 
$HOME_NET any -> [107.172.137.231] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207544; rev:1;) alert tcp $HOME_NET any -> [103.146.140.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207542; rev:1;) alert tcp $HOME_NET any -> [8.130.18.12] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207541; rev:1;) alert tcp $HOME_NET any -> [110.42.164.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207539; rev:1;) alert tcp $HOME_NET any -> [74.48.58.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207540; rev:1;) alert tcp $HOME_NET any -> [124.222.140.151] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1207538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207538; rev:1;) alert tcp $HOME_NET any -> [23.94.233.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207537; rev:1;) alert tcp $HOME_NET any -> [20.42.56.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207536; rev:1;) alert tcp $HOME_NET any -> [111.180.199.252] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207535; rev:1;) alert tcp $HOME_NET any -> [101.43.66.67] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207534; rev:1;) alert tcp $HOME_NET any -> [193.134.209.162] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207533; rev:1;) alert tcp $HOME_NET any -> [101.34.219.226] 60000 (msg:"ThreatFox 
Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207531; rev:1;) alert tcp $HOME_NET any -> [121.5.220.61] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207532; rev:1;) alert tcp $HOME_NET any -> [120.25.237.146] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207530; rev:1;) alert tcp $HOME_NET any -> [102.157.45.180] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207529; rev:1;) alert tcp $HOME_NET any -> [45.86.163.224] 2098 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207528; rev:1;) alert tcp $HOME_NET any -> [47.241.35.83] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207526/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_30; classtype:trojan-activity; sid:91207526; rev:1;) alert tcp $HOME_NET any -> [52.62.165.65] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207527; rev:1;) alert tcp $HOME_NET any -> [187.135.176.249] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207525; rev:1;) alert tcp $HOME_NET any -> [54.204.40.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207524; rev:1;) alert tcp $HOME_NET any -> [163.5.169.22] 1194 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207522; rev:1;) alert tcp $HOME_NET any -> [91.92.250.80] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207523; rev:1;) alert tcp $HOME_NET any -> [95.214.26.66] 7788 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207521; rev:1;) alert tcp $HOME_NET any -> [154.91.230.50] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207520; rev:1;) alert tcp $HOME_NET any -> [98.142.140.178] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207518; rev:1;) alert tcp $HOME_NET any -> [64.31.63.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207519; rev:1;) alert tcp $HOME_NET any -> [172.83.159.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207517; rev:1;) alert tcp $HOME_NET any -> [136.175.177.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207516; rev:1;) alert 
tcp $HOME_NET any -> [97.74.92.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207515; rev:1;) alert tcp $HOME_NET any -> [114.132.162.203] 41236 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207513; rev:1;) alert tcp $HOME_NET any -> [47.99.138.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.aptiv-hr.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"production.knime.youknights.nl"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207511; rev:1;) alert tcp $HOME_NET any -> [152.89.198.222] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207510; rev:1;) alert tcp $HOME_NET any -> [152.89.198.222] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207509; rev:1;) alert tcp $HOME_NET any -> [191.82.255.52] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207507; rev:1;) alert tcp $HOME_NET any -> [3.129.208.252] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207508; rev:1;) alert tcp $HOME_NET any -> [91.109.184.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207506; rev:1;) alert tcp $HOME_NET any -> [213.195.117.254] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207504; rev:1;) alert tcp $HOME_NET any -> 
[213.195.117.254] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207505; rev:1;) alert tcp $HOME_NET any -> [213.195.117.254] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207502; rev:1;) alert tcp $HOME_NET any -> [213.195.117.254] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207503; rev:1;) alert tcp $HOME_NET any -> [158.220.96.15] 3318 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207501; rev:1;) alert tcp $HOME_NET any -> [198.12.125.30] 8818 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207500; rev:1;) alert tcp $HOME_NET any -> [91.92.248.33] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207499/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207499; rev:1;) alert tcp $HOME_NET any -> [2.58.56.160] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.21.151.243.136.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207497; rev:1;) alert tcp $HOME_NET any -> [91.109.190.6] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207496; rev:1;) alert tcp $HOME_NET any -> [146.70.79.110] 4445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207495; rev:1;) alert tcp $HOME_NET any -> [45.123.188.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"504e165d.host.njalla.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207492; rev:1;) alert tcp $HOME_NET any -> [13.42.17.180] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwshrepo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207491; rev:1;) alert tcp $HOME_NET any -> [185.222.58.246] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207490; rev:1;) alert tcp $HOME_NET any -> [81.68.248.191] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207489/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207489; rev:1;) alert tcp $HOME_NET any -> [193.233.132.43] 9095 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207488/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207488; rev:1;) alert tcp $HOME_NET any -> [154.9.228.107] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns4.data.microsoftdata.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.data.microsoftdata.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.data.microsoftdata.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.data.microsoftdata.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207483; rev:1;) alert 
tcp $HOME_NET any -> [203.24.92.243] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logs.ddm11125.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"log.ddm11125.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207480; rev:1;) alert tcp $HOME_NET any -> [207.246.79.109] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ionoslaba.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"betrareptileplas.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207477; rev:1;)
# NOTE(review): in these url rules the http.uri content is depth-anchored to offset 0
# but has no isdataat:!1,relative, so it is a *prefix* test ("/api" also matches
# /api/v1/x, "/cx" matches /cxf/...); only the http.host match is exact. The host is
# therefore the real discriminator -- do not lift the URI part into a host-agnostic
# rule. The short GET paths (/dot.gif, /dpixel, /g.pixel, /visit.js, /pixel.gif,
# /__utm.gif) look like Cobalt Strike default-profile URIs; treat that as a hint, not
# a verified attribution. These rules only see cleartext HTTP: a TLS beacon to the same
# host is covered, if at all, by the matching ip:port rule, which inspects nothing
# above layer 4.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"162.14.209.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"18.204.142.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.34.56.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207473/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.4.81"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"207.246.115.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207466; rev:1;) alert tcp $HOME_NET any -> [122.152.244.183] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.139.182.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"122.152.244.183"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207463; rev:1;) alert tcp $HOME_NET any -> [120.78.131.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.78.131.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; 
sid:91207461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/myabs.js"; depth:9; nocase; http.host; content:"62.234.54.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207460; rev:1;) alert tcp $HOME_NET any -> [143.198.199.241] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tmuh.tmuh-tw.one"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207458; rev:1;) alert tcp $HOME_NET any -> [143.198.101.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207457/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207457; rev:1;) alert tcp $HOME_NET any -> [95.214.26.140] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207456; rev:1;) alert tcp $HOME_NET any -> [91.191.236.61] 49847 (msg:"ThreatFox RMS botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207455; rev:1;) alert tcp $HOME_NET any -> [193.109.85.53] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wantpiecesoftef.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207448; rev:1;) alert tcp $HOME_NET any -> [91.92.252.74] 58002 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207446; rev:1;) alert tcp $HOME_NET any -> [35.212.196.32] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207445/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207445; rev:1;) alert tcp $HOME_NET any -> [175.27.244.141] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1207444/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207444; rev:1;)
# NOTE(review): the rules that follow are 50-75% confidence (see the msg text and the
# confidence_level metadata) and sit at rev:1 with first_seen 2023_11_30, i.e. they were
# never revised. Keep them alert-only; do not turn a 50% ip:port match into a block or
# an auto-ticket. The QakBot entries on tcp/2222 and tcp/443 look like consumer-ISP
# addresses (the usual pattern for QakBot proxy nodes -- verify the current owner
# before acting); such addresses are re-assigned, so a hit long after first_seen is
# weak evidence on its own. The 443 entry matches by ip:port alone -- nothing in the
# TLS session is checked.
alert tcp $HOME_NET any -> [111.229.76.63] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207443/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207443; rev:1;)
alert tcp $HOME_NET any -> [195.201.79.232] 2026 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207442/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_30; classtype:trojan-activity; sid:91207442; rev:1;)
alert tcp $HOME_NET any -> [70.27.15.38] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207441/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207441; rev:1;)
alert tcp $HOME_NET any -> [102.113.169.213] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207440/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207440; rev:1;)
alert tcp $HOME_NET any -> [74.12.147.243] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207439/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207439; rev:1;)
# "Responder" here is ThreatFox's generic "botnet C2" template wording; Responder is a
# credential-capture listener, not a bot controller. A hit means a $HOME_NET host tried
# to talk SMB (tcp/445) to an Internet address -- anomalous on its own, independent of
# this IOC -- and any credentials it offered should be treated as exposed. Consider a
# generic egress rule for SMB-to-Internet rather than relying on this single address.
alert tcp $HOME_NET any -> [3.16.54.238] 445 (msg:"ThreatFox Responder botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207438/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207438; rev:1;) alert tcp $HOME_NET any -> [173.254.235.30] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207437/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207437; rev:1;) alert tcp $HOME_NET any -> [47.99.135.136] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207436/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207436; rev:1;) alert tcp $HOME_NET any -> [5.78.40.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207435/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207435; rev:1;) alert tcp $HOME_NET any -> [216.238.111.147] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207434/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207434; rev:1;) alert tcp $HOME_NET any -> [45.138.157.71] 50547 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207433/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; 
classtype:trojan-activity; sid:91207433; rev:1;) alert tcp $HOME_NET any -> [87.239.108.174] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207432/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207432; rev:1;) alert tcp $HOME_NET any -> [91.92.246.29] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207431/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207431; rev:1;) alert tcp $HOME_NET any -> [91.92.246.29] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207430/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_30; classtype:trojan-activity; sid:91207430; rev:1;) alert tcp $HOME_NET any -> [4.224.60.120] 38986 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"estafetagoappa.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"estafetagoappb.vip"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207334; rev:1;) alert tcp $HOME_NET any -> [80.85.152.116] 31050 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"meayyammgaterre.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207429; rev:1;) alert tcp $HOME_NET any -> [123.60.90.39] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207428/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207428; rev:1;) alert tcp $HOME_NET any -> [104.4.95.181] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207427/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207427; rev:1;) alert tcp $HOME_NET any -> [31.220.14.248] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207426/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207426; rev:1;) alert tcp $HOME_NET any -> [43.198.248.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207425/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_30; classtype:trojan-activity; sid:91207425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flower/eternalpipegenerator.php"; depth:32; nocase; http.host; content:"89.23.101.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"loogsporus.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_30; classtype:trojan-activity; sid:91207423; rev:1;) alert tcp $HOME_NET any -> [165.22.220.138] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/contact/termsofuse/itu8uyg7"; depth:28; nocase; http.host; 
content:"cmtscbt.bsnl.wiki"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207421; rev:1;) alert tcp $HOME_NET any -> [220.69.33.57] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207420/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207420; rev:1;) alert tcp $HOME_NET any -> [84.32.41.23] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207419/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207419; rev:1;) alert tcp $HOME_NET any -> [163.5.169.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207417/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207417; rev:1;) alert tcp $HOME_NET any -> [123.60.168.6] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207416; rev:1;) alert tcp $HOME_NET any -> [47.93.96.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207415; rev:1;) alert tcp 
$HOME_NET any -> [123.60.90.39] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207414; rev:1;) alert tcp $HOME_NET any -> [212.233.123.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207413; rev:1;) alert tcp $HOME_NET any -> [5.255.109.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207411; rev:1;) alert tcp $HOME_NET any -> [13.125.246.8] 5557 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207412; rev:1;) alert tcp $HOME_NET any -> [121.41.15.41] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207410; rev:1;) alert tcp $HOME_NET any -> [216.107.136.231] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1207409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207409; rev:1;) alert tcp $HOME_NET any -> [124.71.158.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207408; rev:1;) alert tcp $HOME_NET any -> [23.94.43.137] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207406; rev:1;) alert tcp $HOME_NET any -> [43.136.14.250] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207407; rev:1;) alert tcp $HOME_NET any -> [123.207.45.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207405; rev:1;) alert tcp $HOME_NET any -> [101.34.206.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207404; rev:1;) alert tcp $HOME_NET any -> [44.210.240.74] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207403; rev:1;) alert tcp $HOME_NET any -> [47.99.76.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207401; rev:1;) alert tcp $HOME_NET any -> [154.12.88.29] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207402; rev:1;) alert tcp $HOME_NET any -> [47.99.76.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207400; rev:1;) alert tcp $HOME_NET any -> [101.43.142.116] 3444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207399; rev:1;) alert tcp $HOME_NET any -> [43.139.53.161] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207398/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207398; rev:1;) alert tcp $HOME_NET any -> [154.9.231.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207397; rev:1;) alert tcp $HOME_NET any -> [3.145.102.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207396; rev:1;) alert tcp $HOME_NET any -> [110.42.251.125] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207395; rev:1;) alert tcp $HOME_NET any -> [192.227.232.195] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207394; rev:1;) alert tcp $HOME_NET any -> [47.120.52.223] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207393; rev:1;) alert tcp $HOME_NET any -> [39.107.239.30] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207391; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207392; rev:1;) alert tcp $HOME_NET any -> [186.64.113.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207390; rev:1;) alert tcp $HOME_NET any -> [149.88.69.102] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k.25koggaam.pw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207388; rev:1;) alert tcp $HOME_NET any -> [134.122.135.75] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207387/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_29; 
classtype:trojan-activity; sid:91207387; rev:1;)
# ThreatFox IOC rules, batch first_seen 2023_11_29 (IOC ids 12073xx).
# How to read the ip:port rules below: "alert tcp $HOME_NET any -> [IP] PORT" matches TCP traffic
# from an internal host to the listed C2 endpoint; "threshold: type limit, track by_src, seconds 60,
# count 1" caps output at one alert per internal source host per 60 s; "target:src_ip" tells Suricata
# the internal (source) host is the victim side of the event; "sid" is the ThreatFox IOC id with a
# leading 9 (sid:91207386 <-> threatfox.abuse.ch/ioc/1207386/); "metadata: confidence_level N" carries
# the ThreatFox confidence level (50 to 100 in this section). Low-confidence entries and IOCs on
# shared hosting (see the *.bc.googleusercontent.com query name further down) are the usual
# false-positive sources; tune them per sid in threshold.config rather than editing this generated feed.
alert tcp $HOME_NET any -> [60.204.158.136] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207386; rev:1;) alert tcp $HOME_NET any -> [49.113.73.205] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207385; rev:1;) alert tcp $HOME_NET any -> [150.158.12.177] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207384; rev:1;) alert tcp $HOME_NET any -> [47.109.57.38] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207383; rev:1;) alert tcp $HOME_NET any -> [43.130.135.47] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207382; rev:1;) alert tcp $HOME_NET any -> [104.238.60.14] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1207381/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_29; classtype:trojan-activity; sid:91207381; rev:1;) alert tcp $HOME_NET any -> [5.35.5.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207380/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_29; classtype:trojan-activity; sid:91207380; rev:1;) alert tcp $HOME_NET any -> [123.60.101.112] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207379; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207377; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2272 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207378; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207376; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2080 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207374; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207375; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207373; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 1842 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207371; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207372; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 1608 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207370/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207370; rev:1;)
# Domain rules: "dns_query; content:"<name>"; depth:<len>; fast_pattern; isdataat:!1,relative; nocase"
# anchors the name at the start of the query (depth equals the pattern length) and requires no
# trailing bytes, so this is a case-insensitive exact match on the full query name; sub-labels of
# the listed domain do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.estafetagoappa.vip"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207369; rev:1;) alert tcp $HOME_NET any -> [44.198.148.77] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207368; rev:1;) alert tcp $HOME_NET any -> [3.220.60.95] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207367; rev:1;) alert tcp $HOME_NET any -> [167.88.170.172] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207366; rev:1;) alert tcp $HOME_NET any -> [124.248.69.97] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"v60390.php-friends.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207363; rev:1;) alert tcp $HOME_NET any -> [91.219.148.77] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207364; rev:1;) alert tcp $HOME_NET any -> [84.32.5.135] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v75426.php-friends.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207362; rev:1;) alert tcp $HOME_NET any -> [115.74.22.203] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207360; rev:1;) alert tcp $HOME_NET any -> [113.207.49.54] 9803 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207359/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_29; classtype:trojan-activity; sid:91207359; rev:1;) alert tcp $HOME_NET any -> [5.255.114.220] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207358; rev:1;) alert tcp $HOME_NET any -> [5.255.114.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207357; rev:1;) alert tcp $HOME_NET any -> [172.245.156.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"176.225.41.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207355; rev:1;) alert tcp $HOME_NET any -> [103.146.202.34] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207354; rev:1;) alert tcp $HOME_NET any -> [34.145.104.44] 8443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207352; rev:1;) alert tcp $HOME_NET any -> [20.211.241.0] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207353; rev:1;) alert tcp $HOME_NET any -> [185.216.70.238] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207351; rev:1;) alert tcp $HOME_NET any -> [141.98.102.227] 24482 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207350; rev:1;) alert tcp $HOME_NET any -> [24.75.175.47] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207348; rev:1;) alert tcp $HOME_NET any -> [96.32.172.60] 1194 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; 
classtype:trojan-activity; sid:91207349; rev:1;) alert tcp $HOME_NET any -> [194.213.3.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207347; rev:1;) alert tcp $HOME_NET any -> [78.163.243.12] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207346; rev:1;) alert tcp $HOME_NET any -> [45.92.1.59] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207345; rev:1;) alert tcp $HOME_NET any -> [181.90.42.189] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207343; rev:1;) alert tcp $HOME_NET any -> [45.92.1.59] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207344; rev:1;) alert tcp $HOME_NET any -> [141.255.147.113] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1207342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207342; rev:1;) alert tcp $HOME_NET any -> [91.109.176.3] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207341; rev:1;) alert tcp $HOME_NET any -> [168.100.11.29] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207339/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_29; classtype:trojan-activity; sid:91207339; rev:1;) alert tcp $HOME_NET any -> [193.149.176.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207340; rev:1;) alert tcp $HOME_NET any -> [138.197.137.42] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207338/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_29; classtype:trojan-activity; sid:91207338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn239.for149.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lido-fi.dev"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207337; rev:1;) alert tcp $HOME_NET any -> [64.227.147.152] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207335/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_29; classtype:trojan-activity; sid:91207335; rev:1;) alert tcp $HOME_NET any -> [104.33.151.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207332/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207332; rev:1;) alert tcp $HOME_NET any -> [120.76.119.164] 60040 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207331/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207331; rev:1;) alert tcp $HOME_NET any -> [82.76.99.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207330/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207330; rev:1;) alert tcp $HOME_NET any -> [47.149.234.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207329/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207329; rev:1;) alert tcp $HOME_NET any -> [102.157.101.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207328/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207328; rev:1;) alert tcp $HOME_NET any -> [201.137.175.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207327/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207327; rev:1;) alert tcp $HOME_NET any -> [87.223.92.180] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207326/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207326; rev:1;) alert tcp $HOME_NET any -> [86.99.54.50] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207325/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207325; rev:1;) alert tcp $HOME_NET any -> [86.176.237.252] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207324/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207324; rev:1;) alert tcp $HOME_NET any -> [18.236.110.124] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207323/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207323; rev:1;) alert tcp $HOME_NET any -> [82.165.74.190] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207322; rev:1;) alert tcp $HOME_NET any -> [188.116.22.65] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207321/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207321; rev:1;) alert tcp $HOME_NET any -> [62.84.116.13] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207320/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207320; rev:1;) alert tcp $HOME_NET any -> [45.76.156.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207319/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207319; rev:1;) alert tcp $HOME_NET any -> [212.227.211.81] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207318/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207318; rev:1;) alert tcp $HOME_NET any -> [5.101.4.196] 21007 (msg:"ThreatFox 
Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207316/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207316; rev:1;)
# URL rules: "flow:established,from_client; http.method; content:"GET"" restricts the match to GET
# requests on an established flow; the http.uri pattern is anchored at the start of the URI by depth
# but has no trailing isdataat, so longer paths/query strings sharing the prefix still match; the
# http.host pattern is an exact match (depth plus isdataat:!1,relative). A POST to the same URL does
# not fire these; the ip:port rules for the same host, where the feed has them, are not method-bound.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db/serverprocessor/testpacket/phpupdatelongpoll.php"; depth:52; nocase; http.host; content:"37.220.86.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghsdh39s/index.php"; depth:19; nocase; http.host; content:"185.172.128.19"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"delaneymc.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"delaneymc.com"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1207310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x4282h"; depth:7; nocase; http.host; content:"delaneymc.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207311; rev:1;) alert tcp $HOME_NET any -> [62.234.54.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207308/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207308; rev:1;) alert tcp $HOME_NET any -> [45.77.250.196] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207307/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207307; rev:1;) alert tcp $HOME_NET any -> [103.114.106.29] 6696 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cd75930.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1207306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagejavascriptsecureupdateserverlinuxwindowsdle.php"; depth:53; nocase; http.host; content:"195.20.16.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9cb3d6163ee69f03.php"; depth:21; nocase; http.host; content:"91.242.229.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207304; rev:1;) alert tcp $HOME_NET any -> [128.140.100.50] 39808 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207302; rev:1;) alert tcp $HOME_NET any -> [124.221.66.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.atelierzolotas.gr"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207300; rev:1;) alert tcp $HOME_NET any -> [118.24.87.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207299/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207299; rev:1;) alert tcp $HOME_NET any -> [167.71.4.44] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207298/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.107.123.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"116.196.106.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.198.94.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.101.198.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"129.226.83.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207291/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"42.193.14.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"glovesslave.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.222.155.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"118.89.71.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"147.78.47.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.71.205.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"146.185.22.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"114.115.185.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.42.4.81"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starinteriordesigns.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207280; rev:1;) alert tcp $HOME_NET any -> [84.32.191.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/design/query/9x5m3soe0f"; depth:24; nocase; http.host; content:"starinteriordesigns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207279; rev:1;) alert tcp $HOME_NET any -> [47.104.179.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207277; rev:1;) alert tcp $HOME_NET any -> [35.246.24.13] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207276/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207276; rev:1;) alert tcp $HOME_NET any -> [89.208.107.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207275/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207275; rev:1;) alert tcp $HOME_NET any -> [66.235.175.91] 1051 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207268; rev:1;) alert tcp $HOME_NET any -> [66.235.175.91] 23001 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207267; rev:1;) alert tcp $HOME_NET any -> [164.68.112.101] 14684 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207269; rev:1;) 
# NOTE(review): every rule in this run is a stateless "ip:port" match with no flow: keyword -- any
# outbound packet to the listed ip:port alerts (a bare SYN is enough), rate-limited to one alert per
# source per 60s by the threshold. Each rule is bound to exactly one port, so hosts listed on several
# ports (84.46.251.145 on 901/1717, 96.9.210.77 on 21/80/443, 148.66.22.106-110 on 443/8443,
# 38.181.24.48 on 8000/8080, 54.219.223.239 on 53/80, 165.154.64.215 on 80/443) are only covered on
# those ports; an IP-level block is the more robust control once a host is confirmed.
alert tcp $HOME_NET any -> [38.242.211.87] 8143 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207270; rev:1;)
alert tcp $HOME_NET any -> [45.14.194.253] 10243 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207271; rev:1;)
alert tcp $HOME_NET any -> [84.46.251.145] 901 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207272; rev:1;)
alert tcp $HOME_NET any -> [84.46.251.145] 1717 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207273; rev:1;)
alert tcp $HOME_NET any -> [185.137.122.104] 8484 (msg:"ThreatFox Crimson RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207274; rev:1;)
alert tcp $HOME_NET any -> [213.152.187.200] 8185 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207266; rev:1;)
# NOTE(review): the next three carry confidence_level 80/75/80 (Sliver, Remcos, Meterpreter) -- leads
# to validate against the referenced ThreatFox entry rather than confirmed C2. Both Sliver entries in
# this feed use port 2376, which is also a commonly used Docker TLS daemon port (assumption -- confirm
# what the destination actually serves before blocking).
alert tcp $HOME_NET any -> [34.118.187.130] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207265/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207265; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.65] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207264/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_29; classtype:trojan-activity; sid:91207264; rev:1;)
alert tcp $HOME_NET any -> [18.185.224.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207263/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207263; rev:1;)
# NOTE(review): ShadowPad set (sids 91207199-91207248). Mostly ports 53/80/443/8443, i.e. effectively
# "any connection to this IP". Several destinations look like public-cloud address space (e.g.
# 13.115.194.155, 35.77.99.82, 54.219.223.239 -- assumption, verify ownership); such addresses get
# reassigned, so a hit well after first_seen 2023_11_29 should be re-checked against the ThreatFox
# entry before any blocking. The tcp/53 rules deserve care: a recursive resolver inside $HOME_NET can
# legitimately open TCP/53 to arbitrary servers, so a hit from the resolver is weaker evidence than one
# from a workstation. The contiguous blocks (148.66.22.106-110, 45.74.6.x, 52.128.229.98-100) suggest
# leased ranges; confirm ownership before widening any rule to the whole range.
alert tcp $HOME_NET any -> [13.115.194.155] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207214; rev:1;)
alert tcp $HOME_NET any -> [35.77.99.82] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207215; rev:1;)
alert tcp $HOME_NET any -> [96.9.210.77] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207212; rev:1;)
alert tcp $HOME_NET any -> [40.74.70.136] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207213; rev:1;)
alert tcp $HOME_NET any -> [23.225.71.115] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207208; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.106] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207209; rev:1;)
alert tcp $HOME_NET any -> [5.183.95.202] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207210; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.107] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207205; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.108] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207206; rev:1;)
alert tcp $HOME_NET any -> [38.181.24.48] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207207; rev:1;)
alert tcp $HOME_NET any -> [43.229.112.203] 65000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207202; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.107] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207203; rev:1;)
alert tcp $HOME_NET any -> [96.9.210.77] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207204; rev:1;)
alert tcp $HOME_NET any -> [116.72.78.89] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207200; rev:1;)
alert tcp $HOME_NET any -> [38.181.24.48] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207199; rev:1;)
alert tcp $HOME_NET any -> [45.76.110.175] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207216; rev:1;)
alert tcp $HOME_NET any -> [96.9.210.77] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207217; rev:1;)
alert tcp $HOME_NET any -> [54.219.223.239] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207218; rev:1;)
alert tcp $HOME_NET any -> [45.86.162.190] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207219; rev:1;)
alert tcp $HOME_NET any -> [64.176.59.90] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207220; rev:1;)
alert tcp $HOME_NET any -> [124.223.102.72] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207222; rev:1;)
alert tcp $HOME_NET any -> [122.254.94.69] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207223; rev:1;)
alert tcp $HOME_NET any -> [154.84.23.116] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207221; rev:1;)
alert tcp $HOME_NET any -> [156.59.39.106] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207225; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.109] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207224; rev:1;)
alert tcp $HOME_NET any -> [149.28.23.65] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207226; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.109] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207227; rev:1;)
alert tcp $HOME_NET any -> [43.128.40.28] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207228; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.108] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207229; rev:1;)
alert tcp $HOME_NET any -> [54.219.223.239] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207230; rev:1;)
alert tcp $HOME_NET any -> [154.84.23.110] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207232; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.110] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207233; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.110] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207234; rev:1;)
alert tcp $HOME_NET any -> [148.66.22.106] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207231; rev:1;)
alert tcp $HOME_NET any -> [52.128.229.98] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207235; rev:1;)
alert tcp $HOME_NET any -> [52.128.229.100] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207238; rev:1;)
alert tcp $HOME_NET any -> [52.128.229.99] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207236; rev:1;)
alert tcp $HOME_NET any -> [165.154.64.215] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207237; rev:1;)
alert tcp $HOME_NET any -> [103.56.55.153] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207239; rev:1;)
alert tcp $HOME_NET any -> [45.74.6.169] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207240; rev:1;)
alert tcp $HOME_NET any -> [165.154.64.215] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207241; rev:1;)
# NOTE(review): 1433 is commonly the MSSQL listener port (assumption -- confirm); a hit from a database
# or application server rather than a user workstation warrants a closer look before being treated
# as C2 beaconing, though the destination itself is still the listed IOC.
alert tcp $HOME_NET any -> [118.69.225.164] 1433 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207242; rev:1;)
alert tcp $HOME_NET any -> [45.74.6.77] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207243; rev:1;)
alert tcp $HOME_NET any -> [45.74.6.251] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207244; rev:1;)
alert tcp $HOME_NET any -> [45.77.174.203] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207245; rev:1;)
alert tcp $HOME_NET any -> [14.225.192.198] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207246; rev:1;)
alert tcp $HOME_NET any -> [216.83.40.84] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207247; rev:1;)
alert tcp $HOME_NET any -> [38.180.54.6] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207248; rev:1;)
# NOTE(review): the dns "domain" rules here (kronosmagazine.com, defrosscrappeo.pw) are exact matches on
# the queried name (depth:N + isdataat:!1,relative): subdomains do not match. They only see queries
# leaving $HOME_NET, so behind an internal resolver the alert's target:src_ip is the resolver.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kronosmagazine.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207169; rev:1;)
alert tcp $HOME_NET any -> [195.10.205.16] 2245 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207171; rev:1;)
# NOTE(review): sid 91207180 matches http.uri content:"/" depth:1, i.e. *every* GET whose Host header
# is exactly 37.49.230.152. Fine for a bare-IP C2, but there is no path discrimination at all for
# that host, so the alert carries no more information than an ip:port hit would.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.49.230.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207180; rev:1;)
# NOTE(review): the four "/mtu2owe0nzjjngy5/" rules (sids 91207161-91207164, confidence 80) share one
# URI path across passajire555.live, majestike8ca.top, jikugac818v.vip and zaglefolki1.info. Each is
# host-pinned, so a fifth domain using the same path would not alert; the shared path is a good
# hunting pivot in HTTP logs, but a path-only *alerting* rule would lose the host anchor that keeps
# these low-noise. The URI match is a prefix match (no isdataat after http.uri).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"passajire555.live"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207162/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"majestike8ca.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207163/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"jikugac818v.vip"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207164/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x4282h"; depth:7; nocase; http.host; content:"doctorkiki.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207168; rev:1;)
alert tcp $HOME_NET any -> [45.95.146.26] 55590 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"zaglefolki1.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207161/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getimagedata.php"; depth:17; nocase; http.host; content:"informativosatelital.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"defrosscrappeo.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207131; rev:1;)
# NOTE(review): confidence_level 50 entries in this run (Viper RAT, Raccoon, DCRat, QakBot) are leads,
# not confirmed C2 -- validate against the referenced ThreatFox entry before responding. With a
# first_seen of 2023_11_29 these are also the entries most likely to be stale.
alert tcp $HOME_NET any -> [107.150.104.227] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207134/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"nelubelei.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"nelubelei.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207127; rev:1;)
# NOTE(review): the three s3.us-east-1.amazonaws.com rules are pinned on a *shared* host; the only
# discriminating part is the key prefix "/010ad332/...". Keep these as alert-only URL matches and do
# not derive a host or IP block from them. Because the URI is a prefix match, other objects under the
# same "/010ad332/googlecrashhandler64.exe..." prefix would also fire, which is acceptable here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/010ad332/googlecrashhandler64.exe"; depth:34; nocase; http.host; content:"s3.us-east-1.amazonaws.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"floozielyhowevermist.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91206936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/010ad332/googlecrashhandler.exe"; depth:32; nocase; http.host; content:"s3.us-east-1.amazonaws.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/010ad332/bravecrashhandler64.exe"; depth:33; nocase; http.host; content:"s3.us-east-1.amazonaws.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"phoenixexec.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91206931; rev:1;)
alert tcp $HOME_NET any -> [95.214.25.73] 58001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91206932; rev:1;)
# NOTE(review): the two ClearFake "payload delivery" rules (185.192.111.202 and 185.192.111.198, both
# port 443) are stateless ip:port matches with no flow: keyword and no TLS/SNI discrimination: every
# connection attempt to those addresses on 443 alerts, one per source per 60s.
alert tcp $HOME_NET any -> [185.192.111.202] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91206888; rev:1;)
alert tcp $HOME_NET any -> [5.78.94.201] 56000 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206929/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91206929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tosecurepacketgameprotectdatalifecentral.php"; depth:45; nocase; http.host; content:"95.164.22.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91206930; rev:1;)
alert tcp $HOME_NET any -> [185.192.111.198] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91206889; rev:1;)
alert tcp $HOME_NET any -> [171.41.252.199] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207262/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207262; rev:1;)
# NOTE(review): the three QakBot entries (confidence 50, ports 995/443) alert on any connection to the
# address; a hit from a mail client to :995 is plausible benign traffic if the address has since been
# reassigned, so confirm the ThreatFox entry is still current before escalating.
alert tcp $HOME_NET any -> [190.134.148.34] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207261/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207261; rev:1;)
alert tcp $HOME_NET any -> [168.149.47.164] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207260/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207260; rev:1;)
alert tcp $HOME_NET any -> [188.48.72.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207259; rev:1;)
alert tcp $HOME_NET any -> [104.236.2.176] 445 
(msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207258/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207258; rev:1;) alert tcp $HOME_NET any -> [3.89.114.203] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207257/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207257; rev:1;) alert tcp $HOME_NET any -> [145.0.6.14] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207256/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207256; rev:1;) alert tcp $HOME_NET any -> [124.220.224.87] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207255/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207255; rev:1;) alert tcp $HOME_NET any -> [18.196.5.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207254/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207254; rev:1;) alert tcp $HOME_NET any -> [146.190.231.230] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207253/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; 
classtype:trojan-activity; sid:91207253; rev:1;) alert tcp $HOME_NET any -> [146.190.231.230] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207252/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207252; rev:1;) alert tcp $HOME_NET any -> [13.215.228.73] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207251/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207251; rev:1;) alert tcp $HOME_NET any -> [112.29.180.31] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207250/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207250; rev:1;) alert tcp $HOME_NET any -> [35.86.185.174] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207249/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_29; classtype:trojan-activity; sid:91207249; rev:1;) alert tcp $HOME_NET any -> [213.195.117.254] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207198/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207198; rev:1;) alert tcp $HOME_NET any -> [123.60.90.39] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1207197/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207197; rev:1;) alert tcp $HOME_NET any -> [52.91.10.228] 9891 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207195/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_29; classtype:trojan-activity; sid:91207195; rev:1;) alert tcp $HOME_NET any -> [59.110.239.147] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207194/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207194; rev:1;) alert tcp $HOME_NET any -> [1.14.43.163] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207193/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/pjq5dkyz3n65ucz8kt60u2y0stf6qr"; depth:41; nocase; http.host; content:"178.128.238.137"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207192; rev:1;) alert tcp $HOME_NET any -> [62.146.226.202] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207191/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207191; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207190/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207190; rev:1;) alert tcp $HOME_NET any -> [187.135.144.46] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207189/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207189; rev:1;) alert tcp $HOME_NET any -> [121.41.74.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207188/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207188; rev:1;) alert tcp $HOME_NET any -> [154.64.231.246] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207187/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207187; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a20/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mamutert.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pl.mamutert.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"pl.mamutert.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_29; classtype:trojan-activity; sid:91207183; rev:1;) alert tcp $HOME_NET any -> [194.107.126.86] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207182/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207182; rev:1;) alert tcp 
$HOME_NET any -> [66.204.14.89] 37777 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207181/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_29; classtype:trojan-activity; sid:91207181; rev:1;) alert tcp $HOME_NET any -> [45.15.156.127] 23000 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"149.104.23.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207175; rev:1;) alert tcp $HOME_NET any -> [79.132.128.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207174; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/odbc/1vxdsw2ohjoe"; depth:26; nocase; http.host; content:"nutiensel.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nutiensel.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207173; rev:1;) alert tcp $HOME_NET any -> [208.91.189.83] 43958 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207170; rev:1;) alert tcp $HOME_NET any -> [128.171.99.51] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207167/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207167; rev:1;) alert tcp $HOME_NET any -> [185.183.33.187] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207166/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207166; rev:1;) alert tcp $HOME_NET any -> [194.49.94.80] 29960 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207165; rev:1;) alert tcp $HOME_NET any -> [45.129.199.169] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207160/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91207160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.49.230.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207159; rev:1;) alert tcp $HOME_NET any -> [91.92.248.239] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207157/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91207157; rev:1;) alert tcp $HOME_NET any -> [91.92.248.239] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; 
content:"5.42.64.41"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207155; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 12603 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207154; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 12603 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207153; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 12603 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207152; rev:1;) alert tcp $HOME_NET any -> [120.27.142.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207151; rev:1;) alert tcp $HOME_NET any -> [120.26.48.207] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207150; rev:1;) alert tcp 
$HOME_NET any -> [149.104.23.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207149; rev:1;) alert tcp $HOME_NET any -> [13.212.253.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207148; rev:1;) alert tcp $HOME_NET any -> [134.122.135.81] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207147/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91207147; rev:1;) alert tcp $HOME_NET any -> [121.229.36.89] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207146; rev:1;) alert tcp $HOME_NET any -> [49.113.75.172] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207145; rev:1;) alert tcp $HOME_NET any -> [187.135.90.10] 2145 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1207144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207144; rev:1;) alert tcp $HOME_NET any -> [187.135.90.10] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207142; rev:1;) alert tcp $HOME_NET any -> [187.135.90.10] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207143; rev:1;) alert tcp $HOME_NET any -> [187.135.90.10] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207141; rev:1;) alert tcp $HOME_NET any -> [115.74.22.203] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207140; rev:1;) alert tcp $HOME_NET any -> [73.161.248.136] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207139; rev:1;) alert tcp $HOME_NET any -> [2.50.137.133] 995 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207138/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91207138; rev:1;) alert tcp $HOME_NET any -> [74.12.145.202] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207137/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91207137; rev:1;) alert tcp $HOME_NET any -> [146.190.45.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207136/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91207136; rev:1;) alert tcp $HOME_NET any -> [209.38.226.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207135/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91207135; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 3739 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207133/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91207133; rev:1;) alert tcp $HOME_NET any -> [138.68.173.141] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207132/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; 
classtype:trojan-activity; sid:91207132; rev:1;) alert tcp $HOME_NET any -> [185.105.1.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207130/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ck49537.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207129; rev:1;) alert tcp $HOME_NET any -> [146.19.170.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207125/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207125; rev:1;) alert tcp $HOME_NET any -> [38.147.173.56] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207124/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207124; rev:1;) alert tcp $HOME_NET any -> [178.208.87.96] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207123/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_28; classtype:trojan-activity; sid:91207123; rev:1;) alert tcp $HOME_NET any -> [91.92.247.248] 443 (msg:"ThreatFox 
NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"150.158.176.236"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.137.48.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"192.144.219.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207115/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207115; rev:1;)
# NOTE(review): every rule in this block carries first_seen 2023_11_28 and a threatfox.abuse.ch/ioc/<id>/ reference
# (sid = 9 + IOC id). IP-based C2 indicators age quickly; check the referenced IOC page before blocking on a hit.
# target:src_ip tells Suricata's EVE output that the $HOME_NET source (the beaconing host) is the victim side.
#
# URL rules: the http.uri match uses content+depth equal to the string length but no isdataat:!1,relative, so it is a
# PREFIX match ("/g.pixel" also matches "/g.pixelabc" or "/g.pixel?x=1"); http.host is exact-length. The Host value is a
# raw IPv4 literal, so these fire only when the client sends the IP as Host — a hostname-based request to the same
# address is covered only by the ip:port rules. "/fwlink", "/pixel.gif", "/g.pixel", "/activity", "/j.ad" look like
# default Cobalt Strike GET URIs (consistent with sid:91207109 below tagging 47.113.218.234 as Cobalt Strike), but
# the msg here is the generic "botnet C2" — confirm on the IOC pages before tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.134.161.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.143.125.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.113.218.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.236.13.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207110; rev:1;)
# Domain rules: dns_query + depth equal to the name length + isdataat:!1,relative = exact FQDN match (no subdomains,
# no apex); nocase covers mixed-case queries. Only the DNS lookup is detected, not the subsequent connection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qzyp.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207108; rev:1;)
# ip:port rules: plain tcp with no flow keyword, so any packet from $HOME_NET to dst:port matches — a bare SYN from a
# probe or a blocked connection attempt is enough; no established session is required. threshold type limit,
# track by_src caps output at one alert per internal source per 60 s per rule.
alert tcp $HOME_NET any -> [47.113.218.234] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.qzyp.buzz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207107; rev:1;)
# confidence_level 80 (msg and metadata agree): submitter confidence below the 100 used elsewhere — consider routing
# sub-100 hits to an alert-only / lower-priority queue rather than automated blocking.
alert tcp $HOME_NET any -> [96.4.112.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207106/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"doctorkiki.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"doctorkiki.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"doctorkiki.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1207103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207103; rev:1;)
# Cobalt Strike ip:port cluster. Destinations on 80/443 will also be hit by ordinary browsing if the address is later
# reassigned, so re-verify those before blocking; the odd ports (13333, 9962, 7788, 8090, 8888, 10001, 6443, 2333,
# 8081, 81/82) are lower false-positive. 147.78.47.183 appears twice (ports 82 and 81) — one host, two listeners.
alert tcp $HOME_NET any -> [43.138.154.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207102/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91207102; rev:1;)
alert tcp $HOME_NET any -> [124.221.183.95] 13333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207100; rev:1;)
alert tcp $HOME_NET any -> [101.42.4.81] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207101; rev:1;)
alert tcp $HOME_NET any -> [122.51.109.151] 9962 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207099; rev:1;)
alert tcp $HOME_NET any -> [175.27.244.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207097; rev:1;)
alert tcp $HOME_NET any -> [152.136.168.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207098; rev:1;)
alert tcp $HOME_NET any -> [175.27.159.169] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207096; rev:1;)
alert tcp $HOME_NET any -> [43.138.61.199] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207094/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_28; classtype:trojan-activity; sid:91207094; rev:1;)
alert tcp $HOME_NET any -> [43.138.77.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207095; rev:1;)
alert tcp $HOME_NET any -> [47.109.47.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207093; rev:1;)
alert tcp $HOME_NET any -> [119.3.90.227] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207092; rev:1;)
alert tcp $HOME_NET any -> [128.199.153.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207090; rev:1;)
alert tcp $HOME_NET any -> [60.204.133.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207091; rev:1;)
alert tcp $HOME_NET any -> [1.14.92.24] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207089; rev:1;)
alert tcp $HOME_NET any -> [60.204.221.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207088; rev:1;)
alert tcp $HOME_NET any -> [101.37.21.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207086; rev:1;)
alert tcp $HOME_NET any -> [182.136.74.137] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207087; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.183] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207085; rev:1;)
alert tcp $HOME_NET any -> [154.40.45.68] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207083; rev:1;) 
alert tcp $HOME_NET any -> [147.78.47.183] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207084; rev:1;)
alert tcp $HOME_NET any -> [47.76.176.156] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207082; rev:1;)
alert tcp $HOME_NET any -> [1.14.102.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207081; rev:1;)
alert tcp $HOME_NET any -> [45.152.64.57] 2333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207080; rev:1;)
alert tcp $HOME_NET any -> [101.35.235.73] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207078; rev:1;)
alert tcp $HOME_NET any -> [121.199.57.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1207079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207079; rev:1;)
# NOTE(review): mail.marssagroup.com looks like the mail hostname of an ordinary organisation's domain — presumably a
# compromised/abused legitimate host rather than attacker-registered infrastructure, so expect benign lookups from
# anyone who mails that domain; confirm on the IOC page before blocking at the resolver.
# 139-162-187-166.ip.linodeusercontent.com appears to be a hosting provider's generic reverse-DNS name (the label
# encodes 139.162.187.166); the host can be reassigned to another customer, so treat this "domain" IOC as having the
# same shelf life as a bare IP indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.marssagroup.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-162-187-166.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1207075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207075; rev:1;)
alert tcp $HOME_NET any -> [8.130.161.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207076; rev:1;)
# Viper RAT: four unrelated addresses, all on tcp/60000 — presumably this tooling's default listener port. Note that
# 173.64.116.145:60000 further down (sid:91207059) is attributed to DarkComet, so port alone is not an attribution.
alert tcp $HOME_NET any -> [34.148.58.3] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207074; rev:1;)
alert tcp $HOME_NET any -> [60.205.115.92] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207072; rev:1;)
alert 
tcp $HOME_NET any -> [114.55.67.221] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207073; rev:1;)
alert tcp $HOME_NET any -> [140.143.139.181] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207071; rev:1;)
# QakBot on 443/995 (ports that also carry legitimate HTTPS/POP3S) and BianLian on 2057; with no flow keyword a
# single outbound SYN to these endpoints is enough to alert.
alert tcp $HOME_NET any -> [197.2.11.142] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207069; rev:1;)
alert tcp $HOME_NET any -> [161.142.99.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207070; rev:1;)
alert tcp $HOME_NET any -> [192.121.113.129] 2057 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207068; rev:1;)
# Xtreme RAT: four hosts, all on tcp/10001 (same default-port pattern as Viper RAT above). 1.14.92.24:10001 earlier
# in this block (sid:91207089) is tagged Cobalt Strike on the same port.
alert tcp $HOME_NET any -> [223.109.207.233] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207067/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207067; rev:1;)
alert tcp $HOME_NET any -> [64.74.160.91] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207065; rev:1;)
alert tcp $HOME_NET any -> [15.236.233.211] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207066; rev:1;)
alert tcp $HOME_NET any -> [8.219.156.100] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207064; rev:1;)
# DarkComet: a single host, 173.64.116.145, listed once per reported listener port (dozens of ports, all in the
# 54168–60000 range here). One rule/sid per port keeps each alert traceable to its IOC, but it also means a connection
# to an unlisted port on this host is silent; for blocking, a single IP-level rule (port any) or firewall entry is
# simpler and also covers ports not yet reported. All of these share the one-alert-per-source-per-minute threshold,
# which is per rule, so a host touching many ports can still emit many alerts.
alert tcp $HOME_NET any -> [173.64.116.145] 58487 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207063; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57563 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207062; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54889 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207060; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56347 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207061; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 60000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207059; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56557 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207057; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59834 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207058; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56074 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; 
classtype:trojan-activity; sid:91207056; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55316 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207055; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59989 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207053; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54429 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207054; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56826 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207052; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59193 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207050; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59704 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207051; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55728 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207049; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55173 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207048; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54168 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207046; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54238 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207047; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58804 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207045; rev:1;)
alert tcp $HOME_NET any -> 
[173.64.116.145] 56708 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207043; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58305 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207044; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55736 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207042; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57176 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207041; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55491 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207039; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207040/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207040; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54797 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207038; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59746 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207036; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54294 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207037; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207035; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56207 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207033; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56588 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207034; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55657 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207032; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59603 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207030; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54767 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207031; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59226 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207029; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58943 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; 
classtype:trojan-activity; sid:91207028; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58699 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207026; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57541 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207027; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57025 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207025; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56508 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207023; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56991 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207024; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54783 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207022; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57982 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207020; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58603 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207021; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57537 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207018; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 57700 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207019; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58015 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207017; rev:1;)
alert tcp $HOME_NET any -> 
[173.64.116.145] 55941 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207016; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54317 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207014; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 55934 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207015; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58594 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207013; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 59221 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207011; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58446 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207012/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207012; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58876 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207010; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 58168 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207009; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56954 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207007; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54407 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207008; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 56189 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207006; rev:1;)
alert tcp $HOME_NET any -> [173.64.116.145] 54963 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207004; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55198 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207005; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57620 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207003; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 58583 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207001; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57012 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91207002; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 56985 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1207000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; 
classtype:trojan-activity; sid:91207000; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 56083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206999; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 59953 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206997; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 54010 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206998; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 59842 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206996; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 59285 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206994; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 58931 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206995; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57554 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206993; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 56423 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206991; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57164 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206992; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 59411 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206990; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55999 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206988; rev:1;) alert tcp $HOME_NET any -> 
[173.64.116.145] 56440 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206989; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55160 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206987; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57081 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206985; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 59308 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206986; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 54579 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206984; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57693 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206983/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206983; rev:1;) alert tcp $HOME_NET any -> [187.135.87.219] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206981; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 57508 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206982; rev:1;) alert tcp $HOME_NET any -> [187.135.87.219] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206980; rev:1;) alert tcp $HOME_NET any -> [187.135.87.219] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206978; rev:1;) alert tcp $HOME_NET any -> [187.135.87.219] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206979; rev:1;) alert tcp $HOME_NET any -> [187.135.87.219] 1729 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.estafetagoappb.vip"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estafetagoappa.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estafetagoappb.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206975; rev:1;) alert tcp $HOME_NET any -> [154.39.251.85] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206973; rev:1;) alert tcp $HOME_NET any -> [51.195.251.9] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206972/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206972; rev:1;) alert tcp $HOME_NET any -> [154.91.230.40] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206971; rev:1;) alert tcp $HOME_NET any -> [18.170.170.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"129.132.28.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206969; rev:1;) alert tcp $HOME_NET any -> [172.232.148.85] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206968; rev:1;) alert tcp $HOME_NET any -> [202.79.175.51] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206967; rev:1;) alert tcp $HOME_NET any -> [88.119.175.231] 3333 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206966; rev:1;) alert tcp $HOME_NET any -> [213.195.125.89] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206964; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206965; rev:1;) alert tcp $HOME_NET any -> [213.195.125.89] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206963; rev:1;) alert tcp $HOME_NET any -> [213.195.125.89] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206961; rev:1;) alert tcp $HOME_NET any -> [213.195.125.89] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; 
classtype:trojan-activity; sid:91206962; rev:1;) alert tcp $HOME_NET any -> [213.195.125.89] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206960; rev:1;) alert tcp $HOME_NET any -> [213.195.125.89] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206959; rev:1;) alert tcp $HOME_NET any -> [185.81.157.147] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206957; rev:1;) alert tcp $HOME_NET any -> [185.81.157.147] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206958; rev:1;) alert tcp $HOME_NET any -> [185.81.157.147] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206956; rev:1;) alert tcp $HOME_NET any -> [91.92.248.239] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1206955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206955; rev:1;) alert tcp $HOME_NET any -> [91.109.186.8] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206954; rev:1;) alert tcp $HOME_NET any -> [23.172.112.130] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206953; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206952; rev:1;) alert tcp $HOME_NET any -> [185.81.157.201] 5008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206950; rev:1;) alert tcp $HOME_NET any -> [194.213.3.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contato8.appsysten.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-191-149-233.us-east-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nginx-typhoon.westeurope.cloudapp.azure.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206947; rev:1;) alert tcp $HOME_NET any -> [80.211.208.51] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"106.54.181.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.249.9.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"42.193.44.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.113.204.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aprettopizza.world"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1206938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peermangoz.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nimeklroboti.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"222.135.221.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206937/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"beksystems.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/feov2v/"; depth:8; nocase; http.host; content:"beksystems.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beksystems.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/945f1075.php"; depth:13; nocase; http.host; content:"a0888880.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206928; rev:1;) alert tcp $HOME_NET any -> [185.192.111.195] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206925; rev:1;) alert tcp $HOME_NET any -> [185.192.111.201] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206926; rev:1;) alert tcp $HOME_NET any -> [62.182.156.148] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1206923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206923; rev:1;) alert tcp $HOME_NET any -> [185.192.111.199] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"concgc.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/hyk7789hgd/_cf.php"; depth:26; nocase; http.host; content:"concgc.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"concgc.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/feov2v/"; depth:8; nocase; http.host; content:"concgc.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.184.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.72.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.30.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.30.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206915/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_28; classtype:trojan-activity; sid:91206915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.184.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.57.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206911; rev:1;) alert tcp $HOME_NET any -> [94.130.188.133] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206908; rev:1;) alert tcp $HOME_NET any -> [95.217.30.118] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206909; rev:1;) alert tcp $HOME_NET any -> [116.202.184.4] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206910; rev:1;) alert tcp $HOME_NET any -> [65.108.57.141] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206905; rev:1;) alert tcp $HOME_NET any -> [95.217.243.145] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206906; rev:1;) alert tcp $HOME_NET any -> [116.203.184.78] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/togeoprocessorgame.php"; depth:23; nocase; http.host; content:"767241cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"20.97.19.69"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206903; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 11836 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"64.225.108.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206900; rev:1;) alert tcp $HOME_NET any -> [64.225.108.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206901/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_28; classtype:trojan-activity; sid:91206901; rev:1;) alert tcp $HOME_NET any -> [176.97.65.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"176.97.65.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206898; rev:1;) alert tcp $HOME_NET any -> [91.92.244.203] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206897/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91206897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpipelongpollbigloadsqlgeneratordatalife.php"; depth:46; nocase; http.host; content:"249782m.dccrk.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s4p0g"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1206895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199575355834"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.30.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206892; rev:1;) alert tcp $HOME_NET any -> [94.130.188.133] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206891; rev:1;) alert tcp $HOME_NET any -> [95.217.30.118] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"alicortech.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"alicortech.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"alicortech.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206885; rev:1;) alert tcp $HOME_NET any -> [85.209.176.69] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206884/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91206884; rev:1;) alert tcp $HOME_NET any -> [142.202.189.215] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206883; rev:1;) alert tcp $HOME_NET any -> [206.233.128.72] 8899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206882; rev:1;) alert tcp $HOME_NET any -> [95.179.179.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206881/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206881; rev:1;) alert tcp $HOME_NET any -> [154.246.141.162] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206880/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206880; rev:1;) alert tcp $HOME_NET any -> [95.219.208.187] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206879/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206879; rev:1;) alert tcp $HOME_NET any -> [102.157.244.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206878/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206878; rev:1;) alert tcp 
$HOME_NET any -> [34.220.23.89] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206877/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206877; rev:1;) alert tcp $HOME_NET any -> [15.223.13.149] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206876/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206876; rev:1;) alert tcp $HOME_NET any -> [62.84.116.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206874/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206874; rev:1;) alert tcp $HOME_NET any -> [62.84.116.13] 61237 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206875/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206875; rev:1;) alert tcp $HOME_NET any -> [45.15.159.79] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206873/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206873; rev:1;) alert tcp $HOME_NET any -> [45.76.80.199] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206872/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206872; rev:1;) alert tcp $HOME_NET any -> [164.92.111.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206871/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_28; classtype:trojan-activity; sid:91206871; rev:1;) alert tcp $HOME_NET any -> [170.130.55.117] 8080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206869/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91206869; rev:1;) alert tcp $HOME_NET any -> [170.130.55.46] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206870/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91206870; rev:1;) alert tcp $HOME_NET any -> [193.37.197.24] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206813; rev:1;) alert tcp $HOME_NET any -> [185.233.186.64] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206814; rev:1;) alert tcp $HOME_NET any -> [89.191.234.43] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rn72836.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206863; rev:1;) alert tcp $HOME_NET any -> [212.224.86.54] 58001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206816; rev:1;) alert tcp $HOME_NET any -> [91.92.248.204] 6696 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206862; rev:1;) alert tcp $HOME_NET any -> [91.92.249.176] 4285 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206868/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_28; classtype:trojan-activity; sid:91206868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.35.235.73"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1206867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206867; rev:1;) alert tcp $HOME_NET any -> [42.193.14.173] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206866/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91206866; rev:1;) alert tcp $HOME_NET any -> [43.198.94.41] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206865/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91206865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlepython/longpollpacket/base/low8voiddb/uploads/windows97/external50auth/defaultvmlongpollgame/test/externaltracklongpoll/datalife3multi/togeneratorbigloadtemp/wordpressdownloads/mariadbhttpauth/wordpressgamegeneratordefault/_packetprocessdatalife.php"; depth:253; nocase; http.host; content:"46.8.29.132"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_28; classtype:trojan-activity; sid:91206864; rev:1;) alert tcp $HOME_NET any -> [34.126.76.184] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206861/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91206861; rev:1;) alert tcp $HOME_NET any -> [163.197.242.21] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206860/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_28; classtype:trojan-activity; sid:91206860; rev:1;) alert tcp $HOME_NET any -> [120.55.78.215] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206859; rev:1;) alert tcp $HOME_NET any -> [110.41.166.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206858; rev:1;) alert tcp $HOME_NET any -> [88.80.145.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206856; rev:1;) alert tcp $HOME_NET any -> [47.104.159.7] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206857; rev:1;) alert tcp $HOME_NET any -> [43.138.65.90] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; 
classtype:trojan-activity; sid:91206855; rev:1;) alert tcp $HOME_NET any -> [34.67.197.93] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206854; rev:1;) alert tcp $HOME_NET any -> [159.65.213.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206853; rev:1;) alert tcp $HOME_NET any -> [47.113.191.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206852; rev:1;) alert tcp $HOME_NET any -> [64.94.95.141] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206851; rev:1;) alert tcp $HOME_NET any -> [95.141.32.133] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206850; rev:1;) alert tcp $HOME_NET any -> [187.135.84.85] 2055 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206849; rev:1;) alert tcp $HOME_NET any -> [187.135.84.85] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206848; rev:1;) alert tcp $HOME_NET any -> [187.135.84.85] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206847; rev:1;) alert tcp $HOME_NET any -> [187.135.84.85] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206846; rev:1;) alert tcp $HOME_NET any -> [80.208.221.140] 3048 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-194-229-219.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206844; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-83-75-196.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206843; rev:1;) alert tcp $HOME_NET any -> [116.203.221.205] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v63768.php-friends.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206841; rev:1;) alert tcp $HOME_NET any -> [34.212.248.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206840; rev:1;) alert tcp $HOME_NET any -> [194.49.94.126] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206839; rev:1;) alert tcp $HOME_NET any -> [191.19.176.126] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206838; rev:1;) alert tcp $HOME_NET any -> [202.79.175.67] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206837; rev:1;) alert tcp $HOME_NET any -> [91.109.186.8] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206836; rev:1;) alert tcp $HOME_NET any -> [5.249.161.42] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cputraffic.php"; depth:15; nocase; http.host; content:"306341cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loventi.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206826/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artofpinball.fr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.profsiena.it"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.myoo.fr"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reservation-taxig7.fr"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rocher-notaires.fr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206831; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.electricite-carbonnier.fr"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarl-walter.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206833; rev:1;) alert tcp $HOME_NET any -> [152.89.239.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206825/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206825; rev:1;) alert tcp $HOME_NET any -> [3.71.177.249] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206824/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206824; rev:1;) alert tcp $HOME_NET any -> [139.99.149.74] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206822/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206822; rev:1;) alert tcp $HOME_NET any -> [124.71.5.199] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1206821/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206821; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 26 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206820/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206820; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 25786 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206819; rev:1;) alert tcp $HOME_NET any -> [206.166.251.52] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206818/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_27; classtype:trojan-activity; sid:91206818; rev:1;) alert tcp $HOME_NET any -> [103.168.19.82] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"110.41.130.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; 
classtype:trojan-activity; sid:91206812; rev:1;) alert tcp $HOME_NET any -> [51.195.117.246] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206811/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206811; rev:1;) alert tcp $HOME_NET any -> [188.215.229.107] 1993 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206810; rev:1;) alert tcp $HOME_NET any -> [43.138.65.90] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206809/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206809; rev:1;) alert tcp $HOME_NET any -> [39.40.144.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206808/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206808; rev:1;) alert tcp $HOME_NET any -> [18.191.149.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206807/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206807; rev:1;) alert tcp $HOME_NET any -> [178.128.122.128] 40069 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1206806/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206806; rev:1;) alert tcp $HOME_NET any -> [176.119.159.39] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206805/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/axvqpsy6dt2"; depth:22; nocase; http.host; content:"178.128.238.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206804/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_27; classtype:trojan-activity; sid:91206804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"musclefarelongea.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tirechinecarpett.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fanlumpactiras.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206799/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freckletropsao.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hemispheredonkkl.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ownerbuffersuperw.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ownerbuffersuperw.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"platteryippejkomaf.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206794/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medicinebuckerrysa.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"medicinebuckerrysa.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"freckletropsao.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hemispheredonkkl.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"mazdakrichest.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"riverhasus.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mraskopal.link"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"missisanjoup.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combpoplaurap.pw"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazdakrichest.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riverhasus.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.20.41.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206784; rev:1;) alert tcp $HOME_NET any -> [95.214.26.17] 24714 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206740; rev:1;) alert tcp $HOME_NET any -> [124.221.183.95] 50515 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206783; rev:1;) alert tcp $HOME_NET any -> [175.178.166.157] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206782; rev:1;) alert tcp $HOME_NET any -> [54.168.49.179] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206781; rev:1;) alert tcp $HOME_NET any -> [8.130.45.30] 18686 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206780; rev:1;) alert tcp $HOME_NET any -> [111.229.225.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206779; rev:1;) alert tcp $HOME_NET any -> [89.117.217.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206778; rev:1;) alert tcp $HOME_NET any -> [104.219.214.114] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; 
sid:91206777; rev:1;) alert tcp $HOME_NET any -> [124.71.106.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206775; rev:1;) alert tcp $HOME_NET any -> [91.120.20.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206776; rev:1;) alert tcp $HOME_NET any -> [8.130.35.148] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206774; rev:1;) alert tcp $HOME_NET any -> [23.224.143.50] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206773; rev:1;) alert tcp $HOME_NET any -> [20.117.116.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206772; rev:1;) alert tcp $HOME_NET any -> [104.238.188.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1206771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206771; rev:1;) alert tcp $HOME_NET any -> [176.97.65.35] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206770; rev:1;) alert tcp $HOME_NET any -> [54.165.197.96] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206769; rev:1;) alert tcp $HOME_NET any -> [54.165.197.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206768; rev:1;) alert tcp $HOME_NET any -> [101.32.214.178] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206767; rev:1;) alert tcp $HOME_NET any -> [182.92.86.16] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206765; rev:1;) alert tcp $HOME_NET any -> [45.92.158.220] 60000 
(msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206766; rev:1;) alert tcp $HOME_NET any -> [142.171.158.53] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206764; rev:1;) alert tcp $HOME_NET any -> [124.228.201.247] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206763; rev:1;) alert tcp $HOME_NET any -> [121.37.84.142] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206762; rev:1;) alert tcp $HOME_NET any -> [47.243.251.198] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206760; rev:1;) alert tcp $HOME_NET any -> [124.228.201.102] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206761/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206761; rev:1;) alert tcp $HOME_NET any -> [124.228.201.79] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206759; rev:1;) alert tcp $HOME_NET any -> [43.143.230.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206758; rev:1;) alert tcp $HOME_NET any -> [143.198.184.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206757/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_27; classtype:trojan-activity; sid:91206757; rev:1;) alert tcp $HOME_NET any -> [110.43.39.37] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206755; rev:1;) alert tcp $HOME_NET any -> [49.51.85.245] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206756; rev:1;) alert tcp $HOME_NET any -> [13.53.127.38] 2910 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206754; rev:1;)
# NOTE(review): the ip:port rules in this block carry no flow keyword, so they alert on any packet from
# $HOME_NET to the listed ip:port (including the initial SYN); the threshold (limit, 1 per source per 60s)
# bounds alert volume, it does not narrow the match. The url rules require method GET, an exact URI
# (depth equals the URI length, nocase) and an exact Host (depth + isdataat:!1,relative). The host match has
# no nocase, but Suricata's http.host buffer is lowercase-normalised (http.host.raw is the raw one), so that
# is not a gap. The dns rules are exact query-name matches, so a subdomain is only caught by its own rule
# (e.g. wtsserv.com below does not cover do.wtsserv.com, which has a separate rule).
alert tcp $HOME_NET any -> [115.74.22.203] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206753; rev:1;)
alert tcp $HOME_NET any -> [159.196.128.120] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206752; rev:1;)
alert tcp $HOME_NET any -> [194.49.94.96] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206750; rev:1;)
alert tcp $HOME_NET any -> [194.49.94.96] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206751; rev:1;)
alert tcp $HOME_NET any -> [154.247.11.93] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206749; rev:1;)
alert tcp $HOME_NET any -> [154.245.225.202] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206748; rev:1;)
alert tcp $HOME_NET any -> [181.41.200.232] 3000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206747; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21] 61 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206745; rev:1;)
alert tcp $HOME_NET any -> [113.169.210.179] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206746; rev:1;)
alert tcp $HOME_NET any -> [187.24.66.236] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206744; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.37] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206743; rev:1;)
alert tcp $HOME_NET any -> [51.81.126.50] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206742; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.66] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206741; rev:1;)
alert tcp $HOME_NET any -> [18.195.125.195] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206739/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8d7eb205be988bbb.php"; depth:21; nocase; http.host; content:"bubbebottle.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"188.121.110.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.137.48.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.94.98.79"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.14.38.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"146.185.22.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/booking_information.exe"; depth:29; nocase; http.host; content:"88.198.194.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206723; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.35] 34990 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.206.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.223.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.213.17.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.43.55.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.204.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/pdf.exe"; depth:13; nocase; http.host; content:"88.198.194.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206722; rev:1;)
alert tcp $HOME_NET any -> [104.21.34.166] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206721/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"114.55.147.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.229.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-23oc1bm0-1322622051.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-23oc1bm0-1322622051.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"social.soft-update.services"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206715; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"social.soft-update.services"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"170.64.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206714; rev:1;)
alert tcp $HOME_NET any -> [165.169.94.43] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206713; rev:1;)
# NOTE(review): the next six rules (sids 91206711/709/707/705/703/701) match Host values that appear to be
# Amazon's awsstatic.com CDN hostnames; only the exact URI /___utm.gif separates a hit from ordinary CDN
# traffic. Triage hits before acting on the destination, and do not derive IP blocks from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"s0.awsstatic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"r0.awsstatic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"l0.awsstatic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"f0.awsstatic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"d1.awsstatic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"d0.awsstatic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"cdn.t411.re"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206699; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.t411.re"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"cdn.spark.re"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206697; rev:1;)
# NOTE(review): the Host value 123.123.123.123 in sid 91206696 looks like a placeholder rather than live
# infrastructure; the rule only fires when the Host header is exactly that string, so it is unlikely to
# match anything — verify against the ThreatFox entry (ioc/1206696) before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"123.123.123.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.97.137"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v1.44/vxk7p0gbe8"; depth:25; nocase; http.host; content:"85.209.176.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206693; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"47.115.203.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"168.235.82.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.137.50.154"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.98.135.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206689; rev:1;)
alert tcp $HOME_NET any -> [38.180.37.113] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206688/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206688; rev:1;)
alert tcp $HOME_NET any -> [217.76.59.48] 1981 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206687; rev:1;)
alert tcp $HOME_NET any -> [185.254.37.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206686/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206686; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.186] 3636 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206685/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_27; classtype:trojan-activity; sid:91206685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fanlumpactiras.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.67.197.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206681; rev:1;)
alert tcp $HOME_NET any -> [111.67.197.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206682; rev:1;)
alert tcp $HOME_NET any -> [173.82.219.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/ch/n08u2ysoiu"; depth:20; nocase; http.host; content:"api.officeserviced.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206678; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.officeserviced.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206679; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.247] 2402 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.6.4.min.js"; depth:20; nocase; http.host; content:"51.79.207.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.143.125.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ajax/jquery-3.3.1.js"; depth:21; nocase; http.host; content:"203.55.196.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.34.56.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"platteryippejkomaf.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packetlowgeoprocessorlongpollservertestlocalprivatecentral.php"; depth:63; nocase; http.host; content:"766282cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206670; rev:1;)
alert tcp $HOME_NET any -> [213.195.125.89] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206669/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206669; rev:1;)
alert tcp $HOME_NET any -> [45.11.46.50] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206668/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206668; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"archiefilmco.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206666/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206666; rev:1;)
alert tcp $HOME_NET any -> [38.54.23.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206665/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206665; rev:1;)
alert tcp $HOME_NET any -> [141.164.249.90] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206664/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206664; rev:1;)
alert tcp $HOME_NET any -> [83.110.223.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206663/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206663; rev:1;)
alert tcp $HOME_NET any -> [151.48.137.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206662/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206662; rev:1;)
alert tcp $HOME_NET any -> [165.22.159.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206661/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206661; rev:1;)
alert tcp $HOME_NET any -> [139.28.36.237] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206660/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206660; rev:1;)
alert tcp $HOME_NET any -> [5.230.44.53] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206659/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206659; rev:1;)
alert tcp $HOME_NET any -> [45.67.229.237] 12821 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206658/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_27; classtype:trojan-activity; sid:91206658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rufflesrefined.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206628; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hawkish.eu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206657; rev:1;)
alert tcp $HOME_NET any -> [150.158.176.236] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206656/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"musclefarelongea.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"do.wtsserv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtsserv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206652; rev:1;)
# NOTE(review): sid 91206650 uses content:"/" with depth:1, which every URI satisfies, so it fires on any
# GET to do.wtsserv.com and fully overlaps sids 91206649 (/api/) and 91206648 (/config/) below; expect
# two alerts for those paths. Keep it if any-path coverage of that host is intended, otherwise it is redundant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"do.wtsserv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"do.wtsserv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/"; depth:8; nocase; http.host; content:"do.wtsserv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001228456341"; depth:22; nocase; http.host; content:"do.wtsserv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001228456341"; depth:19; nocase; http.host; content:"do.wtsserv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001228456341"; depth:19; nocase; http.host; content:"do.wtsserv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206645; rev:1;) alert tcp $HOME_NET any -> [45.138.74.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206644/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206644; rev:1;) alert tcp $HOME_NET any -> [194.26.229.219] 9191 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; 
classtype:trojan-activity; sid:91206643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1775650fcb4243969"; depth:18; nocase; http.host; content:"194.26.229.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_27; classtype:trojan-activity; sid:91206642; rev:1;) alert tcp $HOME_NET any -> [193.149.190.15] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206641/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206641; rev:1;) alert tcp $HOME_NET any -> [47.109.102.98] 1337 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206640/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206640; rev:1;) alert tcp $HOME_NET any -> [47.115.203.107] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206639/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206639; rev:1;) alert tcp $HOME_NET any -> [2.224.144.191] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206638/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_27; classtype:trojan-activity; sid:91206638; rev:1;) alert tcp $HOME_NET any -> [185.222.58.69] 55615 (msg:"ThreatFox 
RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206637; rev:1;) alert tcp $HOME_NET any -> [45.87.246.145] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206636/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4341/index.php"; depth:16; nocase; http.host; content:"gqc4.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206635; rev:1;) alert tcp $HOME_NET any -> [139.162.187.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"139.162.187.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206633; rev:1;) alert tcp $HOME_NET any -> [45.207.58.152] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"45.207.58.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206631; rev:1;) alert tcp $HOME_NET any -> [121.40.255.189] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wylns.matrika.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206629; rev:1;) alert tcp $HOME_NET any -> [194.5.249.103] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206627/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206627; rev:1;) alert tcp $HOME_NET any -> [91.92.244.84] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1206626/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206626; rev:1;) alert tcp $HOME_NET any -> [194.87.31.20] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206625/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206625; rev:1;) alert tcp $HOME_NET any -> [172.233.154.179] 15478 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206624; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 449 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206623/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206623; rev:1;) alert tcp $HOME_NET any -> [141.255.151.123] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206622/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206622; rev:1;) alert tcp $HOME_NET any -> [102.113.31.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206621/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206621; rev:1;) alert tcp $HOME_NET any -> [87.223.89.42] 443 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206620/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206620; rev:1;) alert tcp $HOME_NET any -> [46.246.164.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206619/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206619; rev:1;) alert tcp $HOME_NET any -> [124.13.232.162] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206618/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206618; rev:1;) alert tcp $HOME_NET any -> [31.117.63.201] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206617/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206617; rev:1;) alert tcp $HOME_NET any -> [206.189.24.107] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206616/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206616; rev:1;) alert tcp $HOME_NET any -> [74.207.149.114] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206615/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; 
classtype:trojan-activity; sid:91206615; rev:1;) alert tcp $HOME_NET any -> [147.189.131.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206614/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206614; rev:1;) alert tcp $HOME_NET any -> [147.189.131.140] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206613/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206613; rev:1;) alert tcp $HOME_NET any -> [2.57.122.125] 36037 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206612/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206612; rev:1;) alert tcp $HOME_NET any -> [2.57.122.125] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206611/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206611; rev:1;) alert tcp $HOME_NET any -> [2.57.122.125] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206610/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206610; rev:1;) alert tcp $HOME_NET any -> [2.57.122.125] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206609/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206609; rev:1;) alert tcp $HOME_NET any -> [5.42.66.12] 47081 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206608; rev:1;) alert tcp $HOME_NET any -> [198.27.121.194] 2712 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206607/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206607; rev:1;) alert tcp $HOME_NET any -> [172.93.187.227] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206605/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206605; rev:1;) alert tcp $HOME_NET any -> [185.189.112.11] 9625 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206606/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206606; rev:1;) alert tcp $HOME_NET any -> [66.103.216.149] 8022 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206604/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/720420a0.php"; depth:13; nocase; http.host; content:"a0887556.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206603; rev:1;) alert tcp $HOME_NET any -> [45.77.174.203] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206602/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206602; rev:1;) alert tcp $HOME_NET any -> [38.54.84.31] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206599/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206599; rev:1;) alert tcp $HOME_NET any -> [103.146.230.153] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206600/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206600; rev:1;) alert tcp $HOME_NET any -> [103.146.230.153] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206601/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206601; rev:1;) alert tcp $HOME_NET any -> [185.126.237.57] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206595/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206595; rev:1;) alert tcp $HOME_NET any -> [38.54.32.114] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206596/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206596; rev:1;) alert tcp $HOME_NET any -> [141.164.54.104] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206597/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206597; rev:1;) alert tcp $HOME_NET any -> [45.13.227.9] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206589/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206589; rev:1;) alert tcp $HOME_NET any -> [31.214.243.202] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"florianhabeler.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; 
classtype:trojan-activity; sid:91206594; rev:1;) alert tcp $HOME_NET any -> [188.166.68.236] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206593/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206593; rev:1;) alert tcp $HOME_NET any -> [91.92.249.95] 7124 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206591; rev:1;) alert tcp $HOME_NET any -> [45.137.69.211] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.ceo-reputation.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceo-reputation.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0885630.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.43.55.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.176.178.88"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1206582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"116.204.122.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"52.198.192.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"156.251.31.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206578; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"janmorath.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqlpacketprocessor/5/1low/apiwindows/geo/pythonpolllinux/httpjavascript/http_7/apiasync/voiddbdb/voiddbprocessorphp4/vmlinejspollpacketauthbigloadservercdndownloads.php"; depth:169; nocase; http.host; content:"83.147.245.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206576; rev:1;) alert tcp $HOME_NET any -> [5.161.108.75] 24668 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206575; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 11531 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206574; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 11531 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206573; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 11531 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tools.3utilities.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tokyonights.pdns.stream"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"texeshserver.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverguedin.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; 
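classtype:trojan-activity; sid:91206563; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for this batch (ThreatFox IOCs first_seen 2023-11-26).
# The feed uses three rule shapes; their detection semantics are:
#  * "alert dns ... dns_query; content:"<name>"; depth:<len>; ... isdataat:!1,relative":
#    depth equals the name length and isdataat forbids trailing bytes, so the
#    queried name must match exactly. Direction is $HOME_NET -> $EXTERNAL_NET,
#    so if clients resolve through a recursive resolver inside $HOME_NET the
#    sensor only sees that resolver's upstream lookup - check where
#    $EXTERNAL_NET is drawn before relying on these for endpoint attribution.
#  * "alert tcp $HOME_NET any -> [<ip>] <port>" has no flow or content keyword,
#    so a single packet towards that ip:port (a connection attempt) is enough;
#    the threshold caps alerts at one per source host per 60 s. These rules
#    cannot distinguish the original C2 tenant from a later holder of the same
#    address, so hits should be weighed against first_seen.
#  * "alert http ..." rules pin an exact Host header (isdataat:!1 after
#    http.host) but only a URI prefix (no isdataat after http.uri), so "/api"
#    also covers "/api/...".
#  Several names below (ec2-*.compute-1.amazonaws.com, *.bc.googleusercontent.com,
#  *.apigw.tencentcs.com, *.yunjiasu-cdn.net, *.ply.gg, *.portmap.io/.host and the
#  dynamic-DNS style *.ddns.net/*.hopto.org/*.sytes.net/*.servepics.com hosts)
#  are shared cloud, CDN, tunnelling or dynamic-DNS infrastructure and are
#  expected to age quickly - confirm ownership per hit.
#  target:src_ip marks the $HOME_NET side (the beaconing host) as the victim.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slava3257.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7vety-47169.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7vety-64001.portmap.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richhost.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orcusratanondomain.sytes.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"island-households.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icontrolyou.servepics.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dailyupdates.theworkpc.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distance-deutsche.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gerkadas.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gethack.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cedricklegends.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colorfuldreams.hopto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206547; rev:1;)
alert tcp $HOME_NET any -> [68.219.181.16] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applications-tri.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cbm.adenz.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206545; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.16] 18245 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206541; rev:1;)
alert tcp $HOME_NET any -> [31.173.170.243] 7777 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206542; rev:1;)
alert tcp $HOME_NET any -> [128.59.46.185] 1707 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206539; rev:1;)
alert tcp $HOME_NET any -> [128.59.46.185] 44657 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yy3088429300.e2.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206537; rev:1;)
# sid 91206538: the generated rule put the bare hostname into the http.uri buffer
# with depth:15, which requires the request URI to *begin* with "akinbo.ddns.net".
# Origin-form URIs begin with "/" (absolute-form with the scheme), so the original
# rule could never fire. Match the exact Host header instead, using the same
# http.host shape as the other url rules in this batch; rev bumped to 2. The
# indicator's path is not known here, so any GET to that host is alerted on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"akinbo.ddns.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206538; rev:2;)
alert tcp $HOME_NET any -> [45.95.147.204] 5555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206534; rev:1;)
alert tcp $HOME_NET any -> [103.29.2.134] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q3472884397.e2.luyouxia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206536; rev:1;)
alert tcp $HOME_NET any -> [89.190.156.159] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206533; rev:1;)
alert tcp $HOME_NET any -> [18.169.37.17] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206532/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206532; rev:1;)
alert tcp $HOME_NET any -> [8.141.146.84] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206531; rev:1;)
alert tcp $HOME_NET any -> [20.15.227.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206530; rev:1;)
alert tcp $HOME_NET any -> [116.204.122.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206528; rev:1;)
alert tcp $HOME_NET any -> [124.221.183.95] 26445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206529; rev:1;)
alert tcp $HOME_NET any -> [5.230.40.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206527; rev:1;)
alert tcp $HOME_NET any -> [156.232.11.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206525; rev:1;)
alert tcp $HOME_NET any -> [111.231.16.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206526; rev:1;)
alert tcp $HOME_NET any -> [35.78.243.22] 86 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206524; rev:1;)
alert tcp $HOME_NET any -> [8.137.14.237] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206523; rev:1;)
alert tcp $HOME_NET any -> [13.37.43.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206521; rev:1;)
alert tcp $HOME_NET any -> [121.4.107.229] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206522; rev:1;)
alert tcp $HOME_NET any -> [154.8.146.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206520; rev:1;)
alert tcp $HOME_NET any -> [121.40.254.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206519; rev:1;)
alert tcp $HOME_NET any -> [82.157.254.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206518; rev:1;)
alert tcp $HOME_NET any -> [182.92.187.180] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206517; rev:1;)
alert tcp $HOME_NET any -> [47.96.143.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206516; rev:1;)
alert tcp $HOME_NET any -> [124.71.9.23] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206515; rev:1;)
alert tcp $HOME_NET any -> [106.13.10.83] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206514; rev:1;)
alert tcp $HOME_NET any -> [8.137.48.121] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206513; rev:1;)
alert tcp $HOME_NET any -> [111.230.8.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206512; rev:1;)
alert tcp $HOME_NET any -> [57.128.141.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206510; rev:1;)
alert tcp $HOME_NET any -> [121.5.129.43] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206511; rev:1;)
alert tcp $HOME_NET any -> [116.196.65.32] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206509; rev:1;)
alert tcp $HOME_NET any -> [101.33.221.102] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206508; rev:1;)
alert tcp $HOME_NET any -> [43.143.155.57] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206506; rev:1;)
alert tcp $HOME_NET any -> [103.24.93.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206507; rev:1;)
alert tcp $HOME_NET any -> [121.196.200.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206505; rev:1;)
alert tcp $HOME_NET any -> [45.144.29.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-204-120-159.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"painelbs22.lbss23.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niuwxt.haowusong.com.cname.yunjiasu-cdn.net"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206501; rev:1;)
alert tcp $HOME_NET any -> [62.234.36.13] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206500; rev:1;)
alert tcp $HOME_NET any -> [172.245.159.154] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206498; rev:1;)
alert tcp $HOME_NET any -> [45.61.131.166] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206499; rev:1;)
alert tcp $HOME_NET any -> [47.92.165.226] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206497; rev:1;)
alert tcp $HOME_NET any -> [101.132.146.237] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206496; rev:1;)
alert tcp $HOME_NET any -> [8.218.173.44] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206495; rev:1;)
alert tcp $HOME_NET any -> [142.171.160.113] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206494; rev:1;)
alert tcp $HOME_NET any -> [192.99.15.120] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206492; rev:1;)
alert tcp $HOME_NET any -> [58.215.252.234] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206493; rev:1;)
alert tcp $HOME_NET any -> [13.53.127.38] 2919 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206491; rev:1;)
# sid 91206490 keys on destination port 23, so any outbound telnet attempt to this
# address is alerted on (confidence 90 in the feed).
alert tcp $HOME_NET any -> [172.233.214.141] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206490/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_26; classtype:trojan-activity; sid:91206490; rev:1;)
alert tcp $HOME_NET any -> [206.233.132.110] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206489; rev:1;)
alert tcp $HOME_NET any -> [154.204.181.197] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206488; rev:1;)
alert tcp $HOME_NET any -> [206.233.132.92] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206486; rev:1;)
alert tcp $HOME_NET any -> [154.39.255.191] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206487; rev:1;)
alert tcp $HOME_NET any -> [154.39.255.199] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206485; rev:1;)
alert tcp $HOME_NET any -> [199.195.248.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206484; rev:1;)
alert tcp $HOME_NET any -> [52.136.206.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206483; rev:1;)
alert tcp $HOME_NET any -> [139.144.117.63] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206482; rev:1;)
alert tcp $HOME_NET any -> [194.49.94.184] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206480; rev:1;)
alert tcp $HOME_NET any -> [194.49.94.184] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206481; rev:1;)
alert tcp $HOME_NET any -> [171.41.251.170] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206479; rev:1;)
alert tcp $HOME_NET any -> [77.232.132.25] 4999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206477; rev:1;)
alert tcp $HOME_NET any -> [202.79.175.110] 7777 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206478; rev:1;)
alert tcp $HOME_NET any -> [191.82.208.212] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206476; rev:1;)
alert tcp $HOME_NET any -> [20.198.253.168] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206475; rev:1;)
alert tcp $HOME_NET any -> [78.161.26.61] 88 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206473; rev:1;)
alert tcp $HOME_NET any -> [162.244.210.198] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206474; rev:1;)
alert tcp $HOME_NET any -> [23.172.112.130] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206472; rev:1;)
alert tcp $HOME_NET any -> [141.255.151.147] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pwshrepo.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"59.166.202.35.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"124383.msk.web.highserver.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206468; rev:1;)
alert tcp $HOME_NET any -> [198.176.59.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206467; rev:1;)
alert tcp $HOME_NET any -> [101.34.56.61] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206466/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"736626.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"736627.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"736628.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"736631.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"736632.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206465; rev:1;)
alert tcp $HOME_NET any -> [95.216.123.81] 30829 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206458; rev:1;)
# The url rules below use short, generic URI prefixes ("/api", "/dpixel",
# "/pixel.gif", "/jquery-3.3.1.min.js"); the exact Host match is what carries
# the detection, the URI alone would be far too broad.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tirechinecarpett.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206459; rev:1;)
alert tcp $HOME_NET any -> [41.108.217.244] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206460/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206460; rev:1;)
alert tcp $HOME_NET any -> [65.108.230.247] 10481 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"realinghuhuhmund.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"85.175.101.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.211.148.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206454; rev:1;)
alert tcp $HOME_NET any -> [104.143.46.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.143.46.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-l3k4wvla-1322622051.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206450; rev:1;)
alert tcp $HOME_NET any -> [47.115.203.107] 80 (msg:"ThreatFox Cobalt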
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"service-l3k4wvla-1322622051.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206449; rev:1;) alert tcp $HOME_NET any -> [13.36.137.110] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206448/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.65.58"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206447; rev:1;) alert tcp $HOME_NET any -> [172.174.245.21] 5400 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206446/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_26; classtype:trojan-activity; sid:91206446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geoupdatelinuxgeneratortestwp.php"; depth:34; nocase; http.host; content:"078301cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daddygarages.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knockaddress.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206428; rev:1;) alert tcp $HOME_NET any -> [162.215.23.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206444/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206444; rev:1;) alert tcp $HOME_NET any -> [45.129.2.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206443/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206443; rev:1;) alert tcp $HOME_NET any -> [96.9.228.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206442/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206442; rev:1;) alert tcp $HOME_NET any -> [64.229.117.137] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206441/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206441; rev:1;) alert tcp $HOME_NET any -> [197.0.163.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206440/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206440; rev:1;) alert tcp $HOME_NET any -> [93.107.187.21] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206439/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206439; rev:1;) alert tcp $HOME_NET any -> [157.90.129.60] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206437/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206437; rev:1;) alert tcp $HOME_NET any -> [157.90.129.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206438/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_26; classtype:trojan-activity; sid:91206438; rev:1;) alert tcp $HOME_NET any 
-> [218.64.122.107] 8081 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206436/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public4pipe/javascriptlinuxcentralgeo/protect/4/geopacketphpimage/4videowordpress4/gameserver/5/pythonwordpress/to3/9/provideruniversal/voiddb/centraldatalife4default/0php/downloadstest3/flower4video/535linux/vmprivatetemporary.php"; depth:232; nocase; http.host; content:"77.91.124.202"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206435; rev:1;) alert tcp $HOME_NET any -> [148.135.18.117] 110 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206434/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206434; rev:1;) alert tcp $HOME_NET any -> [132.232.113.242] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206433/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206433; rev:1;) alert tcp $HOME_NET any -> [51.79.207.53] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206432/; target:src_ip; metadata: confidence_level 
80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"musicallyageop.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ritzytaxypigefow.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binsupport/recordsearchercutcpu/django/poolpluginserver/cut/game/recordhtopscreen/scriptpoolrecord/local/cpu/django/auto/systemprefdemo/rulecpulocal/processorwpprivate.php"; depth:172; nocase; http.host; content:"82.146.59.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_26; classtype:trojan-activity; sid:91206429; rev:1;) alert tcp $HOME_NET any -> [43.143.171.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206427/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206427; rev:1;) alert tcp $HOME_NET any -> 
[152.228.244.80] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206426/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_26; classtype:trojan-activity; sid:91206426; rev:1;) alert tcp $HOME_NET any -> [194.49.94.121] 42918 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206425; rev:1;) alert tcp $HOME_NET any -> [50.114.242.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"50.114.242.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"114.115.159.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206421; rev:1;) alert tcp $HOME_NET any -> [114.115.159.80] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206422; rev:1;) alert tcp $HOME_NET any -> [47.111.65.37] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.onesdriveupdate.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.onesdriveupdate.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206418; rev:1;) alert tcp $HOME_NET any -> [114.115.157.144] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.vip404.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1206416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.vip404.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.vip404.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206414; rev:1;) alert tcp $HOME_NET any -> [23.94.76.46] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206413; rev:1;) alert tcp $HOME_NET any -> [23.94.77.121] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.scalaganai.buzz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206411; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.scalaganai.buzz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206410; rev:1;) alert tcp $HOME_NET any -> [139.9.186.196] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.xtest.asia"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206408; rev:1;) alert tcp $HOME_NET any -> [213.139.205.149] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206407/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206407; rev:1;) alert tcp $HOME_NET any -> [34.239.8.158] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206405/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206405; rev:1;) alert tcp $HOME_NET any -> [3.71.6.139] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1206404/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206404; rev:1;) alert tcp $HOME_NET any -> [108.181.24.49] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206403/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206403; rev:1;) alert tcp $HOME_NET any -> [104.248.229.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206402/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206402; rev:1;) alert tcp $HOME_NET any -> [162.215.23.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206401/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206401; rev:1;) alert tcp $HOME_NET any -> [162.215.23.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206400/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206400; rev:1;) alert tcp $HOME_NET any -> [162.215.23.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206399/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206399; rev:1;) alert tcp $HOME_NET any -> 
[162.215.23.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206398/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206398; rev:1;) alert tcp $HOME_NET any -> [162.215.23.216] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206397/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206397; rev:1;) alert tcp $HOME_NET any -> [162.215.23.160] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206396/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206396; rev:1;) alert tcp $HOME_NET any -> [162.215.23.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206395/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206395; rev:1;) alert tcp $HOME_NET any -> [162.215.23.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206394/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206394; rev:1;) alert tcp $HOME_NET any -> [162.215.23.172] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206393/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206393; rev:1;) alert tcp $HOME_NET any -> [162.215.23.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206392/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206392; rev:1;) alert tcp $HOME_NET any -> [162.215.23.197] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206391/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206391; rev:1;) alert tcp $HOME_NET any -> [162.215.23.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206390/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206390; rev:1;) alert tcp $HOME_NET any -> [162.215.23.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206389/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206389; rev:1;) alert tcp $HOME_NET any -> [162.215.23.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206388/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206388; rev:1;) alert tcp $HOME_NET any -> [162.215.23.185] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206387/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206387; rev:1;) alert tcp $HOME_NET any -> [162.215.23.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206386/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206386; rev:1;) alert tcp $HOME_NET any -> [162.215.23.145] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206385/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206385; rev:1;) alert tcp $HOME_NET any -> [162.215.23.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206384/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206384; rev:1;) alert tcp $HOME_NET any -> [162.215.23.202] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206383/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206383; rev:1;) alert tcp $HOME_NET any -> [162.215.23.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206382/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206382; rev:1;) alert tcp $HOME_NET any -> [162.215.23.182] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206381/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206381; rev:1;) alert tcp $HOME_NET any -> [162.215.23.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206380/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206380; rev:1;) alert tcp $HOME_NET any -> [162.215.23.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206379/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206379; rev:1;) alert tcp $HOME_NET any -> [162.215.23.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206378/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206378; rev:1;) alert tcp $HOME_NET any -> [162.215.23.139] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206377/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206377; rev:1;) alert tcp $HOME_NET any -> [162.215.23.221] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206376/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206376; rev:1;) alert tcp $HOME_NET any -> [162.215.23.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206375/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206375; rev:1;) alert tcp $HOME_NET any -> [162.215.23.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206374/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206374; rev:1;) alert tcp $HOME_NET any -> [162.215.23.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206373/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206373; rev:1;) alert tcp $HOME_NET any -> [162.215.23.194] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206372/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206372; rev:1;) alert tcp $HOME_NET any -> [162.215.23.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206371/; target:src_ip; metadata: confidence_level 
50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206371; rev:1;) alert tcp $HOME_NET any -> [162.215.23.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206370/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206370; rev:1;) alert tcp $HOME_NET any -> [82.157.80.216] 58888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206369/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206369; rev:1;) alert tcp $HOME_NET any -> [78.168.0.232] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206368/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206368; rev:1;) alert tcp $HOME_NET any -> [59.88.173.195] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206367/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206367; rev:1;) alert tcp $HOME_NET any -> [188.48.113.69] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206366/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206366; rev:1;) alert tcp $HOME_NET any -> [85.49.243.230] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206365/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206365; rev:1;) alert tcp $HOME_NET any -> [2.50.140.194] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206364/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206364; rev:1;) alert tcp $HOME_NET any -> [83.244.60.228] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206363/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206363; rev:1;) alert tcp $HOME_NET any -> [45.243.150.130] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206362/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206362; rev:1;) alert tcp $HOME_NET any -> [116.240.153.7] 6881 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206361/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206361; rev:1;) alert tcp $HOME_NET any -> [172.208.97.188] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206360/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206360; rev:1;) alert tcp $HOME_NET any -> [185.248.100.118] 443 (msg:"ThreatFox 
BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206359/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206359; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 6806 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206358/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"weareelight.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206357/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"trunk-co.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206356/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206355/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; 
sid:91206355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"pirateking.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206354/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phplowupdatewindowsasyncgeneratortrackwordpressdletemp.php"; depth:59; nocase; http.host; content:"925823lm.nyashnyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"humydrole.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206353/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206351/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azzoodijdhgdr.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gqx21mcou.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rwoodrowyioay.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"methodalapaisdd.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"nfyuabel.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fertikalossf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206348; rev:1;) alert tcp $HOME_NET any -> [43.139.226.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206342/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206342; rev:1;) alert tcp $HOME_NET any -> [162.215.23.220] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206341/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206341; rev:1;) alert tcp $HOME_NET any -> [45.141.85.200] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206340/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"terierkorn.top"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1206328/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"bobnoopopo.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206329/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"junggvrebvqqpo.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206330/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"junggpervbvqqqqqqpo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206331/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"junggvbvqqgrouppo.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206332/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"junggvbvqqnetokpo.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206333/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"junggvbvq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206334/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"junggvbvq5656.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206335/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"jungjunjunggvbvq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206336/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfk3ulgyps7nns81/"; depth:18; nocase; http.host; content:"91.92.244.80"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206337/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfk3ulgyps7nns81/"; depth:18; nocase; http.host; content:"rootocto.com.tr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206338/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfk3ulgyps7nns81/"; depth:18; nocase; http.host; content:"toorocto.com.tr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206339/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.116.227.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206312; rev:1;) alert tcp $HOME_NET any -> [194.49.94.77] 16339 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206326/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"whethergaseoatra.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206327; rev:1;) alert tcp $HOME_NET any -> [1.117.175.65] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206325/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206325; rev:1;) alert tcp $HOME_NET any -> [47.109.142.179] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206324/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"raphaelbischoff.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; 
content:"1.94.98.79"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206322; rev:1;) alert tcp $HOME_NET any -> [47.92.53.65] 13155 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206320; rev:1;) alert tcp $HOME_NET any -> [60.204.227.242] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srns.matrika.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206318; rev:1;) alert tcp $HOME_NET any -> [60.204.208.32] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206317/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yyns.matrika.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206316; rev:1;) alert tcp $HOME_NET any -> [154.53.160.158] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206315/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206315; rev:1;) alert tcp $HOME_NET any -> [116.204.122.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206314/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206314; rev:1;) alert tcp $HOME_NET any -> [103.176.178.88] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206313/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"51.250.16.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; 
sid:91206311; rev:1;) alert tcp $HOME_NET any -> [101.42.0.252] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206310/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206310; rev:1;) alert tcp $HOME_NET any -> [162.215.23.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206309/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avatars"; depth:8; nocase; http.host; content:"62.234.54.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206308; rev:1;) alert tcp $HOME_NET any -> [195.25.243.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getlast"; depth:15; nocase; http.host; content:"195.25.243.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206306; 
rev:1;) alert tcp $HOME_NET any -> [5.153.123.11] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206305/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206305; rev:1;) alert tcp $HOME_NET any -> [89.213.176.120] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206304/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"60.204.227.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206303; rev:1;) alert tcp $HOME_NET any -> [124.223.170.230] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206302/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206302; rev:1;) alert tcp $HOME_NET any -> [185.198.57.117] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206272/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206272; rev:1;) alert tcp $HOME_NET any -> [185.183.96.10] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206270/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206270; rev:1;) alert tcp $HOME_NET any -> [185.198.57.70] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206271/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206271; rev:1;) alert tcp $HOME_NET any -> [185.82.200.15] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206266/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206266; rev:1;) alert tcp $HOME_NET any -> [185.82.202.126] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206268/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206268; rev:1;) alert tcp $HOME_NET any -> [185.117.75.107] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206269/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206269; rev:1;) alert tcp $HOME_NET any -> [185.45.193.182] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206265/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206265; 
rev:1;) alert tcp $HOME_NET any -> [185.82.200.93] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206267/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206267; rev:1;) alert tcp $HOME_NET any -> [185.45.192.107] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206263/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206263; rev:1;) alert tcp $HOME_NET any -> [185.45.192.112] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206264/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206264; rev:1;) alert tcp $HOME_NET any -> [185.45.192.74] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206262/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206262; rev:1;) alert tcp $HOME_NET any -> [5.181.80.59] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205316/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91205316; rev:1;) alert tcp $HOME_NET any -> [91.92.254.4] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205317/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91205317; rev:1;) alert tcp $HOME_NET any -> [185.45.192.24] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206261/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91206261; rev:1;) alert tcp $HOME_NET any -> [88.198.201.180] 1791 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205314/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_25; classtype:trojan-activity; sid:91205314; rev:1;) alert tcp $HOME_NET any -> [3.79.230.146] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206301; rev:1;) alert tcp $HOME_NET any -> [162.215.23.215] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206300/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206300; rev:1;) alert tcp $HOME_NET any -> [162.215.23.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206299/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206299; rev:1;) alert tcp $HOME_NET any -> [162.215.23.169] 8888 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206298/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206298; rev:1;) alert tcp $HOME_NET any -> [162.214.135.90] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206297/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206297; rev:1;) alert tcp $HOME_NET any -> [162.215.23.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206296/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206296; rev:1;) alert tcp $HOME_NET any -> [162.215.23.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206295/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206295; rev:1;) alert tcp $HOME_NET any -> [162.215.23.171] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206294/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206294; rev:1;) alert tcp $HOME_NET any -> [162.215.23.203] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206293/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206293; rev:1;) alert tcp $HOME_NET any -> [162.215.23.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206292/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206292; rev:1;) alert tcp $HOME_NET any -> [162.215.23.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206291/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206291; rev:1;) alert tcp $HOME_NET any -> [162.215.23.196] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206290/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206290; rev:1;) alert tcp $HOME_NET any -> [162.215.23.209] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206289/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206289; rev:1;) alert tcp $HOME_NET any -> [162.214.135.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206288/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206288; rev:1;) alert tcp $HOME_NET any -> [162.215.23.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206287/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206287; rev:1;) alert tcp $HOME_NET any -> [162.215.23.213] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206286/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206286; rev:1;) alert tcp $HOME_NET any -> [162.215.23.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206285/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206285; rev:1;) alert tcp $HOME_NET any -> [162.215.23.148] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206284/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206284; rev:1;) alert tcp $HOME_NET any -> [162.215.23.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206283/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206283; rev:1;) alert tcp $HOME_NET any -> [189.253.235.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206282/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206282; rev:1;) alert tcp $HOME_NET any -> [70.29.135.118] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206281/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206281; rev:1;) alert tcp $HOME_NET any -> [70.52.230.48] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206280/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206280; rev:1;) alert tcp $HOME_NET any -> [74.12.145.207] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206279/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206279; rev:1;) alert tcp $HOME_NET any -> [41.96.121.156] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206278/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206278; rev:1;) alert tcp $HOME_NET any -> [24.191.213.132] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206277/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206277; rev:1;) alert tcp $HOME_NET any -> [134.209.244.69] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206276/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206276; rev:1;) alert tcp $HOME_NET any -> [88.99.150.167] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206275/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206275; rev:1;) alert tcp $HOME_NET any -> [54.92.112.126] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206274/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206274; rev:1;) alert tcp $HOME_NET any -> [51.250.67.9] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206273/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_25; classtype:trojan-activity; sid:91206273; rev:1;) alert tcp $HOME_NET any -> [34.77.105.34] 6152 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmmhia"; depth:7; nocase; http.host; content:"u.to"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206259; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1162483266733998151/1177573402060529695/hyperxsoft.zip"; depth:67; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdasrqweq/congenial-goggles"; depth:29; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1206257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206257; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206256/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206256; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206254/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206254; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206255/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206255; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206253/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206253; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206251/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206251; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206252/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206252; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206250/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206250; rev:1;) alert tcp $HOME_NET any -> [124.70.87.2] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206249/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enouselr.pw"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1206240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softonyxx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpfulsteepyi.pw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouseoiet.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robolorunerushe.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livestream-ufc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taretool.pw"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zamesblack.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206247; rev:1;) alert tcp $HOME_NET any -> [37.27.22.139] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206239; rev:1;) alert tcp $HOME_NET any -> [152.89.198.49] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206238; rev:1;) alert tcp $HOME_NET any -> [82.115.223.71] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206237; rev:1;) alert tcp $HOME_NET any -> [194.49.94.168] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206236; rev:1;) alert tcp $HOME_NET any -> [195.10.205.24] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206235; rev:1;) alert tcp $HOME_NET any -> [194.49.94.158] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206234; rev:1;) alert tcp $HOME_NET any -> [194.49.94.164] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206233; rev:1;) alert tcp $HOME_NET any -> [5.188.159.44] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206232; rev:1;) alert tcp $HOME_NET any -> [194.49.94.183] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206231; rev:1;) alert tcp $HOME_NET any -> 
[162.215.23.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206230/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91206230; rev:1;) alert tcp $HOME_NET any -> [47.92.67.152] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206229; rev:1;) alert tcp $HOME_NET any -> [111.229.75.150] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206228; rev:1;) alert tcp $HOME_NET any -> [154.9.253.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206227; rev:1;) alert tcp $HOME_NET any -> [121.43.55.16] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206226; rev:1;) alert tcp $HOME_NET any -> [103.234.97.74] 10013 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206225/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206225; rev:1;) alert tcp $HOME_NET any -> [185.186.76.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206224; rev:1;) alert tcp $HOME_NET any -> [13.115.199.179] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206222; rev:1;) alert tcp $HOME_NET any -> [185.186.76.159] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206223; rev:1;) alert tcp $HOME_NET any -> [47.236.119.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206221; rev:1;) alert tcp $HOME_NET any -> [175.27.159.169] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206219; rev:1;) alert tcp $HOME_NET any -> [47.236.119.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206220; rev:1;) alert tcp $HOME_NET any -> [101.34.8.18] 22226 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206218; rev:1;) alert tcp $HOME_NET any -> [43.139.140.85] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206216; rev:1;) alert tcp $HOME_NET any -> [185.196.8.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206217; rev:1;) alert tcp $HOME_NET any -> [64.176.56.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206215; rev:1;) alert tcp $HOME_NET any -> [54.168.49.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206213/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_25; classtype:trojan-activity; sid:91206213; rev:1;) alert tcp $HOME_NET any -> [222.209.173.40] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206214; rev:1;) alert tcp $HOME_NET any -> [107.172.84.110] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206212; rev:1;) alert tcp $HOME_NET any -> [45.32.11.46] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206210; rev:1;) alert tcp $HOME_NET any -> [45.32.11.46] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206211; rev:1;) alert tcp $HOME_NET any -> [64.227.139.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206208; rev:1;) alert tcp $HOME_NET any -> [62.72.63.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206209; rev:1;) alert tcp $HOME_NET any -> [39.105.213.127] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206206; rev:1;) alert tcp $HOME_NET any -> [39.107.107.234] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206207; rev:1;) alert tcp $HOME_NET any -> [43.136.38.59] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206204; rev:1;) alert tcp $HOME_NET any -> [114.96.104.240] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206205; rev:1;) alert tcp $HOME_NET any -> [103.234.97.73] 10013 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206202; 
rev:1;) alert tcp $HOME_NET any -> [101.36.122.248] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206203; rev:1;) alert tcp $HOME_NET any -> [31.172.66.71] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206200; rev:1;) alert tcp $HOME_NET any -> [115.159.50.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206201; rev:1;) alert tcp $HOME_NET any -> [47.96.229.84] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206199; rev:1;) alert tcp $HOME_NET any -> [43.143.125.110] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206198; rev:1;) alert tcp $HOME_NET any -> [162.14.73.248] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1206197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206197; rev:1;) alert tcp $HOME_NET any -> [175.178.166.157] 1144 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206195; rev:1;) alert tcp $HOME_NET any -> [87.249.53.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206196; rev:1;) alert tcp $HOME_NET any -> [159.203.120.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206194; rev:1;) alert tcp $HOME_NET any -> [101.201.57.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206192; rev:1;) alert tcp $HOME_NET any -> [8.134.197.94] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206193; rev:1;) alert tcp $HOME_NET any -> [3.72.24.250] 
8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206190; rev:1;) alert tcp $HOME_NET any -> [103.30.77.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206191; rev:1;) alert tcp $HOME_NET any -> [149.28.37.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206188; rev:1;) alert tcp $HOME_NET any -> [149.28.37.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206189; rev:1;) alert tcp $HOME_NET any -> [121.40.151.228] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206187; rev:1;) alert tcp $HOME_NET any -> [46.29.163.56] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206186/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206186; rev:1;) alert tcp $HOME_NET any -> [147.139.212.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206185; rev:1;) alert tcp $HOME_NET any -> [107.172.99.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206183; rev:1;) alert tcp $HOME_NET any -> [156.67.217.144] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206184; rev:1;) alert tcp $HOME_NET any -> [182.92.170.181] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206182; rev:1;) alert tcp $HOME_NET any -> [43.138.46.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206181; rev:1;) alert tcp $HOME_NET any -> [192.144.219.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206179; rev:1;) alert tcp $HOME_NET any -> [103.234.97.72] 10013 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206180; rev:1;) alert tcp $HOME_NET any -> [43.138.50.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206178; rev:1;) alert tcp $HOME_NET any -> [106.75.141.95] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206177; rev:1;) alert tcp $HOME_NET any -> [101.35.141.80] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206175; rev:1;) alert tcp $HOME_NET any -> [101.35.141.80] 10088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206176; rev:1;) alert tcp $HOME_NET any -> [124.223.170.230] 9991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206174; rev:1;) alert tcp $HOME_NET any -> [158.247.215.165] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206173; rev:1;) alert tcp $HOME_NET any -> [1.94.98.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"611671-cd69539.tmweb.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-86-45-171.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"1.txlu.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.laportgroup.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wss.guoyashuai.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"langchen.cn"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1206167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206167; rev:1;) alert tcp $HOME_NET any -> [194.107.126.87] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206164; rev:1;) alert tcp $HOME_NET any -> [172.98.22.67] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206165/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206165; rev:1;) alert tcp $HOME_NET any -> [49.113.79.160] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206163; rev:1;) alert tcp $HOME_NET any -> [124.228.203.90] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206162; rev:1;) alert tcp $HOME_NET any -> [39.108.110.213] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206160; rev:1;) alert tcp $HOME_NET any -> [43.138.28.143] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206161; rev:1;) alert tcp $HOME_NET any -> [8.217.7.168] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206159; rev:1;) alert tcp $HOME_NET any -> [103.231.15.104] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206158; rev:1;) alert tcp $HOME_NET any -> [124.228.201.162] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206157; rev:1;) alert tcp $HOME_NET any -> [124.228.203.32] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206155; rev:1;) alert tcp $HOME_NET any -> [192.3.128.153] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206156; rev:1;) alert tcp $HOME_NET any -> [92.118.188.195] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206154; rev:1;) alert tcp $HOME_NET any -> [39.105.38.7] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206152; rev:1;) alert tcp $HOME_NET any -> [124.228.200.182] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206153; rev:1;) alert tcp $HOME_NET any -> [51.250.67.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206151/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206151; rev:1;) alert tcp $HOME_NET any -> [119.28.129.176] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206150/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206150; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91206149; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206148/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206148; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1206147/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206147; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206145/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206145; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206146/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206146; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206144/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206144; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206142/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206142; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206143/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206143; rev:1;) alert tcp $HOME_NET any -> [124.70.21.77] 8001 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206141/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206141; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206139/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206139; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206140/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206140; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206138/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206138; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206137/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206137; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206135/; target:src_ip; metadata: confidence_level 90, first_seen 
2023_11_25; classtype:trojan-activity; sid:91206135; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206136/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206136; rev:1;) alert tcp $HOME_NET any -> [120.233.114.187] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206134/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206134; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206132/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206132; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206133/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206133; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206131/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206131; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1206129/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206129; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206130/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206130; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206128/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206128; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206126/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206126; rev:1;) alert tcp $HOME_NET any -> [123.60.221.78] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206127/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206127; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206125/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206125; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22001 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206123/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206123; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206124/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206124; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206122/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206122; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206120/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206120; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206121/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206121; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206119/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206119; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206117/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206117; rev:1;) alert tcp $HOME_NET any -> [120.233.114.235] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206118/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206118; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206116/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206116; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206114/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206114; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206115/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206115; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206113/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206113; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206111/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206111; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206112/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206112; rev:1;) alert tcp $HOME_NET any -> [122.9.125.139] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206110/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206110; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206108/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206108; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206109/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206109; rev:1;) alert tcp $HOME_NET any -> 
[139.9.135.156] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206107/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206107; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206105/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206105; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206106/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206106; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206104/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206104; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206102/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206102; rev:1;) alert tcp $HOME_NET any -> [139.9.135.156] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206103/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206103; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206101/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206101; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206099/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206099; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206100/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206100; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206098/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206098; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206096/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206096; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206097/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206097; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206095/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206095; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206093/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206093; rev:1;) alert tcp $HOME_NET any -> [139.159.152.195] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206094/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206094; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206092/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206092; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206090/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206090; rev:1;) alert tcp 
$HOME_NET any -> [124.70.128.38] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206091/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206091; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206089/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206089; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206088/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206088; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206086/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206086; rev:1;) alert tcp $HOME_NET any -> [124.70.128.38] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206087/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206087; rev:1;) alert tcp $HOME_NET any -> [123.207.16.103] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206085/; target:src_ip; 
metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206085; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206083/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206083; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206084/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206084; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206082/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206082; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206081/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206081; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206079/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206079; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206080/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206080; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206078/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206078; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206076/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206076; rev:1;) alert tcp $HOME_NET any -> [124.71.63.158] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206077/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206077; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206075/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206075; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206073/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206073; rev:1;) alert tcp 
$HOME_NET any -> [122.9.121.124] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206074/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206074; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206072/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206072; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206070/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206070; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206071/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206071; rev:1;) alert tcp $HOME_NET any -> [122.9.121.124] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206069/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206069; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206067/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206067; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206068/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206068; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206066/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206066; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206064/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206064; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206065/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206065; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206063/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206063; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - 
confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206062/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206062; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206060/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206060; rev:1;) alert tcp $HOME_NET any -> [120.233.114.214] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206061/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206061; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206059/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206059; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206057/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206057; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206058/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; 
sid:91206058; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206056/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206056; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206054/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206054; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206055/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206055; rev:1;) alert tcp $HOME_NET any -> [122.9.122.166] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206053/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206053; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206051/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206051; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206052/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206052; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206050/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206050; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206049/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206049; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206048/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206048; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206046/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206046; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206047/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206047; rev:1;) alert tcp $HOME_NET any -> [122.9.125.26] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic 
(ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206045/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206045; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206043/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206043; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206044/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206044; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206042/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206042; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206040/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206040; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206041/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; 
sid:91206041; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206039/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206039; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206038/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206038; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206036/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206036; rev:1;) alert tcp $HOME_NET any -> [124.70.204.39] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206037/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206037; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206035/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206035; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1206033/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206033; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206034/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206034; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206032/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206032; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206031/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206031; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206029/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206029; rev:1;) alert tcp $HOME_NET any -> [124.71.14.157] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206030/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206030; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8005 (msg:"ThreatFox ShadowPad botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206028/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206028; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206026/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206026; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206027/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206027; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206025/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206025; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206023/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206023; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206024/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91206024; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206022/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206022; rev:1;) alert tcp $HOME_NET any -> [123.60.12.32] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206021/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206021; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206019/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206019; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206020/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206020; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206018/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206018; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1206016/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206016; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206017/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206017; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206015/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206015; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206013/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206013; rev:1;) alert tcp $HOME_NET any -> [120.46.152.197] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206014/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206014; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206012/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206012; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22004 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206011/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206011; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206009/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206009; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206010/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206010; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206008/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206008; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206006/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206006; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206007/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_25; classtype:trojan-activity; sid:91206007; rev:1;) alert tcp $HOME_NET any -> [120.233.114.167] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206005/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206005; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206003/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206003; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206004/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206004; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206002/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206002; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1206000/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206000; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1206001/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91206001; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205998/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205998; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205999/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205999; rev:1;) alert tcp $HOME_NET any -> [139.9.80.84] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205997/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205997; rev:1;) alert tcp $HOME_NET any -> [122.114.18.92] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205996/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205996; rev:1;) alert tcp $HOME_NET any -> [122.114.18.92] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205995/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205995; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8000 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205993/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205993; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205994/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205994; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205992/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205992; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205990/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205990; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205991/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205991; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205989/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205989; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205988/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205988; rev:1;) alert tcp $HOME_NET any -> [121.36.223.91] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205987/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205987; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205986/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205986; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205985/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205985; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205984/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205984; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1205983/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205983; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205982/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205982; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205981/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205981; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205980/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205980; rev:1;) alert tcp $HOME_NET any -> [121.36.203.169] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205979/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205979; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205978/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205978; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22003 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205977/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205977; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205976/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205976; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205975/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205975; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205974/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205974; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205973/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205973; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205972/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_25; classtype:trojan-activity; sid:91205972; rev:1;) alert tcp $HOME_NET any -> [120.233.114.225] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205971/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205971; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205970/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205970; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205968/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205968; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205969/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205969; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205967/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205967; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205965/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205965; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205966/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205966; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205964/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205964; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205962/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205962; rev:1;) alert tcp $HOME_NET any -> [122.9.111.24] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205963/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205963; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205961/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205961; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8007 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205959/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205959; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205960/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205960; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205958/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205958; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205956/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205956; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205957/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205957; rev:1;) alert tcp $HOME_NET any -> [123.60.31.166] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205955/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_25; classtype:trojan-activity; sid:91205955; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205953/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205953; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205954/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205954; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205952/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205952; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205950/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205950; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205951/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205951; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1205949/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205949; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205947/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205947; rev:1;) alert tcp $HOME_NET any -> [121.36.22.58] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205948/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205948; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205946/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205946; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205944/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205944; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205945/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205945; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8004 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205943/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205943; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205941/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205941; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205942/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205942; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205940/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205940; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205938/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205938; rev:1;) alert tcp $HOME_NET any -> [121.37.179.2] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205939/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205939; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205937/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205937; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205935/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205935; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205936/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205936; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205933/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205933; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205934/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205934; rev:1;) alert tcp $HOME_NET any -> [120.233.114.169] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1205932/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205932; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205930/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205930; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205931/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205931; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205929/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205929; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205928/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205928; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205927/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205927; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 
22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205926/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205926; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205924/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205924; rev:1;) alert tcp $HOME_NET any -> [120.233.114.190] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205925/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205925; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205923/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205923; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205921/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205921; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205922/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205922; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205920/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205920; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205918/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205918; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205919/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205919; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205916/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205916; rev:1;) alert tcp $HOME_NET any -> [120.233.114.177] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205917/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205917; rev:1;) alert tcp $HOME_NET any -> [119.29.170.82] 1235 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205915/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205915; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205913/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205913; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205914/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205914; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205912/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205912; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205910/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205910; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205911/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205911; rev:1;) alert tcp 
$HOME_NET any -> [124.71.193.201] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205909/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205909; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205907/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205907; rev:1;) alert tcp $HOME_NET any -> [124.71.193.201] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205908/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205908; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205906/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205906; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205904/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205904; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205905/; target:src_ip; 
metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205905; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205903/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205903; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205901/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205901; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205902/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205902; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205900/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205900; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205898/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205898; rev:1;) alert tcp $HOME_NET any -> [121.36.21.47] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205899/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205899; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205897/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205897; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205895/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205895; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205896/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205896; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205894/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205894; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205892/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205892; rev:1;) alert tcp $HOME_NET any -> 
[122.9.126.21] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205893/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205893; rev:1;) alert tcp $HOME_NET any -> [122.9.126.21] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205891/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205891; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205889/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205889; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205890/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205890; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205887/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205887; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205888/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205888; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205886/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205886; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205884/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205884; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205885/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205885; rev:1;) alert tcp $HOME_NET any -> [122.9.124.131] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205883/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205883; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205882/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205882; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205881/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205881; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205879/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205879; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205880/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205880; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205877/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205877; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205878/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205878; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205876/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205876; rev:1;) alert tcp $HOME_NET any -> 
[139.9.119.173] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205874/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205874; rev:1;) alert tcp $HOME_NET any -> [121.36.205.81] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205875/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205875; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205873/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205873; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205871/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205871; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205872/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205872; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205870/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205870; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205869/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205869; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205867/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205867; rev:1;) alert tcp $HOME_NET any -> [139.9.119.173] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205868/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205868; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205866/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205866; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205864/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205864; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205865/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205865; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205863/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205863; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205861/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205861; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205862/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205862; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205860/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205860; rev:1;) alert tcp $HOME_NET any -> [114.116.237.206] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205859/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205859; rev:1;) alert tcp 
$HOME_NET any -> [124.71.228.182] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205857/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205857; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205858/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205858; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205856/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205856; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205855/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205855; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205853/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205853; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205854/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205854; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205852/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205852; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205850/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205850; rev:1;) alert tcp $HOME_NET any -> [124.71.228.182] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205851/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205851; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205849/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205849; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205848/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205848; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205846/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205846; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205847/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205847; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205845/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205845; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205843/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205843; rev:1;) alert tcp $HOME_NET any -> [123.60.92.210] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205844/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205844; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205842/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205842; rev:1;) 
alert tcp $HOME_NET any -> [139.9.221.228] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205841/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205841; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205840/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205840; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205839/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205839; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205837/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205837; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205838/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205838; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205836/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205836; rev:1;) alert tcp $HOME_NET any -> [139.9.221.228] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205835/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205835; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205834/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205834; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205833/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205833; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205831/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205831; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205832/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205832; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 
90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205830/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205830; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205828/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205828; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205829/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205829; rev:1;) alert tcp $HOME_NET any -> [122.9.126.74] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205827/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205827; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205826/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205826; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205824/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205824; rev:1;) alert tcp 
$HOME_NET any -> [121.37.161.136] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205825/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205825; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205823/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205823; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205822/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205822; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205820/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205820; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205821/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205821; rev:1;) alert tcp $HOME_NET any -> [121.37.161.136] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205819/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205819; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205818/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205818; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205816/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205816; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205817/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205817; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205815/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205815; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205813/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205813; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205814/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205814; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205812/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205812; rev:1;) alert tcp $HOME_NET any -> [124.71.186.151] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205811/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205811; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205809/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205809; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205810/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205810; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205807/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205807; rev:1;) 
alert tcp $HOME_NET any -> [124.71.99.215] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205808/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205808; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205806/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205806; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205804/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205804; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205805/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205805; rev:1;) alert tcp $HOME_NET any -> [124.71.99.215] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205803/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205803; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205802/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205802; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205800/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205800; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205801/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205801; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205799/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205799; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205798/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205798; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205796/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205796; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205797/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205797; rev:1;) alert tcp $HOME_NET any -> [124.71.192.182] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205795/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205795; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205793/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205793; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205794/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205794; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205791/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205791; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205792/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; 
sid:91205792; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205790/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205790; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205789/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205789; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205788/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205788; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205786/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205786; rev:1;) alert tcp $HOME_NET any -> [120.233.114.210] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205787/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205787; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205785/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205785; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205783/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205783; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205784/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205784; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205782/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205782; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205780/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205780; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205781/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205781; rev:1;) alert tcp $HOME_NET any -> [139.9.36.241] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic 
(ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205779/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205779; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205777/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205777; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205778/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205778; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205776/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205776; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205775/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205775; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205774/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; 
sid:91205774; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205772/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205772; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205773/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205773; rev:1;) alert tcp $HOME_NET any -> [124.71.205.70] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205771/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205771; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205769/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205769; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205770/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205770; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205768/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205768; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205767/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205767; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205765/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205765; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205766/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205766; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205764/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205764; rev:1;) alert tcp $HOME_NET any -> [121.36.212.187] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205763/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205763; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22006 (msg:"ThreatFox ShadowPad botnet 
C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205762/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205762; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205760/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205760; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205761/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205761; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205759/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205759; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205758/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205758; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205757/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205757; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205755/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205755; rev:1;) alert tcp $HOME_NET any -> [120.233.114.244] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205756/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205756; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205754/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205754; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205753/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205753; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205751/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205751; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1205752/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205752; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205750/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205750; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205749/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205749; rev:1;) alert tcp $HOME_NET any -> [122.9.96.62] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205748/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205748; rev:1;) alert tcp $HOME_NET any -> [123.207.18.157] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205746/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205746; rev:1;) alert tcp $HOME_NET any -> [123.207.18.157] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205747/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205747; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8003 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205745/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205745; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205743/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205743; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205744/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205744; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205742/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205742; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205741/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205741; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205739/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205739; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205740/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205740; rev:1;) alert tcp $HOME_NET any -> [123.60.218.46] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205738/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205738; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205737/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205737; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205736/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205736; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205734/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205734; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1205735/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205735; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205733/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205733; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205732/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205732; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205730/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205730; rev:1;) alert tcp $HOME_NET any -> [120.233.114.215] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205731/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205731; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205729/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205729; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 
22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205728/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205728; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205727/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205727; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205725/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205725; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205726/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205726; rev:1;) alert tcp $HOME_NET any -> [120.233.114.144] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205724/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205724; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205723/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205723; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205722/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205722; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205720/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205720; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205721/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205721; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205719/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205719; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205718/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205718; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205717/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205717; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205715/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205715; rev:1;) alert tcp $HOME_NET any -> [124.71.10.22] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205716/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205716; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205714/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205714; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205712/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205712; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205713/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205713; rev:1;) alert tcp $HOME_NET any -> 
[120.233.114.146] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205711/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205711; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205709/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205709; rev:1;) alert tcp $HOME_NET any -> [120.233.114.146] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205710/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205710; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205708/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205708; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205706/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205706; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205707/; target:src_ip; 
metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205707; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205705/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205705; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205703/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205703; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205704/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205704; rev:1;) alert tcp $HOME_NET any -> [120.233.114.242] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205702/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205702; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205701/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205701; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205699/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205699; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205700/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205700; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205698/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205698; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205696/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205696; rev:1;) alert tcp $HOME_NET any -> [120.233.114.237] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205697/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205697; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205695/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205695; 
rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205694/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205694; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205692/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205692; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205693/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205693; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205691/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205691; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205689/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205689; rev:1;) alert tcp $HOME_NET any -> [122.9.124.96] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205690/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205690; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205688/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205688; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205687/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205687; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205685/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205685; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205686/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205686; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205684/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205684; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 
90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205682/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205682; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205683/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205683; rev:1;) alert tcp $HOME_NET any -> [121.37.184.68] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205681/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205681; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205679/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205679; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205680/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205680; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205678/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205678; rev:1;) 
alert tcp $HOME_NET any -> [120.233.114.161] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205676/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205676; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205677/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205677; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205675/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205675; rev:1;) alert tcp $HOME_NET any -> [120.233.114.161] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205674/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205674; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205672/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205672; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205673/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205673; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205671/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205671; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205669/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205669; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205670/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205670; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205668/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205668; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205666/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205666; rev:1;) alert tcp $HOME_NET any -> [122.9.126.59] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic 
(ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205667/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205667; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205665/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205665; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205663/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205663; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205664/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205664; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205662/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205662; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205660/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205660; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205661/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205661; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205659/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205659; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205657/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205657; rev:1;) alert tcp $HOME_NET any -> [120.233.114.171] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205658/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205658; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205656/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205656; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1205654/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205654; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205655/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205655; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205653/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205653; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205652/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205652; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205650/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205650; rev:1;) alert tcp $HOME_NET any -> [122.9.112.171] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205651/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205651; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8005 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205649/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205649; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205647/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205647; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205648/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205648; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205646/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205646; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205644/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205644; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205645/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205645; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205643/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205643; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205641/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205641; rev:1;) alert tcp $HOME_NET any -> [122.9.122.105] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205642/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205642; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205640/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205640; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205638/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205638; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1205639/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205639; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205637/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205637; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205636/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205636; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205634/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205634; rev:1;) alert tcp $HOME_NET any -> [122.9.126.235] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205635/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205635; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205633/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205633; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22004 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205632/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205632; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205631/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205631; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205629/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205629; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205630/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205630; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205628/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205628; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205626/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_25; classtype:trojan-activity; sid:91205626; rev:1;) alert tcp $HOME_NET any -> [120.233.114.156] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205627/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205627; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205625/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205625; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205624/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205624; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205622/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205622; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205623/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205623; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205621/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205621; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205619/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205619; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205620/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205620; rev:1;) alert tcp $HOME_NET any -> [123.60.94.121] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205618/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205618; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205616/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205616; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205617/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205617; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8001 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205615/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205615; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205613/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205613; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205614/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205614; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205612/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205612; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205611/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205611; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205609/; target:src_ip; metadata: confidence_level 90, first_seen 
2023_11_25; classtype:trojan-activity; sid:91205609; rev:1;) alert tcp $HOME_NET any -> [121.36.43.95] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205610/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205610; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205607/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205607; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205608/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205608; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205606/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205606; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205605/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205605; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1205603/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205603; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205604/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205604; rev:1;) alert tcp $HOME_NET any -> [121.36.200.164] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205602/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205602; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205600/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205600; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205601/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205601; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205599/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205599; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 
22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205598/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205598; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205596/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205596; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205597/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205597; rev:1;) alert tcp $HOME_NET any -> [120.233.114.226] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205595/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205595; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205593/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205593; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205594/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205594; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205592/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205592; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205590/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205590; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205591/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205591; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205589/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205589; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205587/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205587; rev:1;) alert tcp $HOME_NET any -> [124.70.29.43] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205588/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205588; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205586/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205586; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205584/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205584; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205585/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205585; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205583/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205583; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205581/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205581; rev:1;) alert tcp $HOME_NET any 
-> [120.233.114.243] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205582/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205582; rev:1;) alert tcp $HOME_NET any -> [120.233.114.243] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205580/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205580; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205578/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205578; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205579/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205579; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205577/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205577; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205576/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205576; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205574/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205574; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205575/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205575; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205573/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205573; rev:1;) alert tcp $HOME_NET any -> [117.78.9.251] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205572/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205572; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205571/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205571; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205569/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205569; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205570/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205570; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205568/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205568; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205567/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205567; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205566/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205566; rev:1;) alert tcp $HOME_NET any -> [122.9.126.138] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205565/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205565; rev:1;) alert tcp $HOME_NET any -> 
[122.9.126.138] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205564/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205564; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205563/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205563; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205562/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205562; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205561/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205561; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205560/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205560; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205559/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205559; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205558/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205558; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205557/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205557; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205555/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205555; rev:1;) alert tcp $HOME_NET any -> [120.46.141.88] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205556/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205556; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205554/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205554; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205552/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205552; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205553/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205553; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205551/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205551; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205549/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205549; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205550/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205550; rev:1;) alert tcp $HOME_NET any -> [122.9.125.184] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205548/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205548; rev:1;) alert tcp $HOME_NET any -> 
[122.9.123.90] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205546/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205546; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205547/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205547; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205545/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205545; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205543/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205543; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205544/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205544; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205542/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205542; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205541/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205541; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205539/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205539; rev:1;) alert tcp $HOME_NET any -> [122.9.123.90] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205540/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205540; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205537/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205537; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205538/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205538; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205536/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205536; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205535/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205535; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205533/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205533; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205534/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205534; rev:1;) alert tcp $HOME_NET any -> [122.9.98.121] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205532/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205532; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205530/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205530; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 
8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205531/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205531; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205529/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205529; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205527/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205527; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205528/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205528; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205526/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205526; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205524/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_25; classtype:trojan-activity; sid:91205524; rev:1;) alert tcp $HOME_NET any -> [123.60.31.114] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205525/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205525; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205523/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205523; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205522/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205522; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205520/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205520; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205521/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205521; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205519/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205519; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205517/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205517; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205518/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205518; rev:1;) alert tcp $HOME_NET any -> [120.46.157.112] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205516/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205516; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205515/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205515; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205513/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205513; rev:1;) alert tcp $HOME_NET any -> 
[124.70.186.208] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205514/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205514; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205512/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205512; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205511/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205511; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205509/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205509; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205510/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205510; rev:1;) alert tcp $HOME_NET any -> [124.70.186.208] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205508/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205508; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205506/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205506; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205507/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205507; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205505/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205505; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205503/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205503; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205504/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205504; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205502/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205502; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205501/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205501; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205499/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205499; rev:1;) alert tcp $HOME_NET any -> [121.37.136.145] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205500/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205500; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205497/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205497; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205498/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205498; rev:1;) alert tcp $HOME_NET any -> 
[139.9.37.126] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205496/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205496; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205494/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205494; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205495/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205495; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205493/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205493; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205491/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205491; rev:1;) alert tcp $HOME_NET any -> [139.9.37.126] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205492/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205492; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205490/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205490; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205488/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205488; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205489/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205489; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205487/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205487; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205485/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205485; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205486/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205486; rev:1;) alert tcp $HOME_NET any -> [139.9.138.15] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205484/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205484; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205482/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205482; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205483/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205483; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205481/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205481; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205479/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205479; rev:1;) alert tcp $HOME_NET any -> 
[119.3.164.101] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205480/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205480; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205478/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205478; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205476/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205476; rev:1;) alert tcp $HOME_NET any -> [119.3.164.101] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205477/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205477; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205475/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205475; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205473/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205473; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205474/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205474; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205472/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205472; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205471/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205471; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205470/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205470; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205469/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205469; rev:1;) alert tcp $HOME_NET any -> [123.207.12.142] 1235 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205467/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205467; rev:1;) alert tcp $HOME_NET any -> [121.36.241.218] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205468/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205468; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205466/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205466; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205464/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205464; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205465/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205465; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205463/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205463; rev:1;) alert tcp $HOME_NET any -> 
[119.3.157.2] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205461/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205461; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205462/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205462; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205460/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205460; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205458/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205458; rev:1;) alert tcp $HOME_NET any -> [119.3.157.2] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205459/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205459; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205457/; target:src_ip; metadata: confidence_level 
90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205457; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205456/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205456; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205455/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205455; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205453/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205453; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205454/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205454; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205452/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205452; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1205450/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205450; rev:1;) alert tcp $HOME_NET any -> [139.9.86.92] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205451/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205451; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205449/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205449; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205448/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205448; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205446/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205446; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205447/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205447; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8000 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205445/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205445; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205443/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205443; rev:1;) alert tcp $HOME_NET any -> [121.36.64.43] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205444/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205444; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205442/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205442; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205440/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205440; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205441/; target:src_ip; metadata: confidence_level 90, first_seen 
2023_11_25; classtype:trojan-activity; sid:91205441; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205439/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205439; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205437/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205437; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205438/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205438; rev:1;) alert tcp $HOME_NET any -> [120.233.114.218] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205436/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205436; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205435/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205435; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205433/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205433; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205434/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205434; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205432/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205432; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205430/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205430; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205431/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205431; rev:1;) alert tcp $HOME_NET any -> [120.233.114.141] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205429/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205429; rev:1;) alert tcp $HOME_NET any -> 
[120.233.114.204] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205427/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205427; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205428/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205428; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205426/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205426; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205425/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205425; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205423/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205423; rev:1;) alert tcp $HOME_NET any -> [120.233.114.204] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205424/; target:src_ip; 
metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205424; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205421/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205421; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205422/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205422; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205420/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205420; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205419/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205419; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205417/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205417; rev:1;) alert tcp $HOME_NET any -> [120.233.114.182] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205418/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205418; rev:1;) alert tcp $HOME_NET any -> [106.14.196.21] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205416/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205416; rev:1;) alert tcp $HOME_NET any -> [106.14.196.21] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205414/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205414; rev:1;) alert tcp $HOME_NET any -> [106.14.196.21] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205415/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205415; rev:1;) alert tcp $HOME_NET any -> [106.14.196.21] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205413/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205413; rev:1;) alert tcp $HOME_NET any -> [122.114.18.13] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205411/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205411; rev:1;) 
# --- Reviewer notes on this run of auto-generated ThreatFox rules (one rule per IOC) ---
# Common shape of every ip:port rule below: "alert tcp $HOME_NET any -> [ip] port" with no
# flow: keyword and no content match, so Suricata evaluates it per packet against any
# outbound packet toward that ip:port -- a single SYN from a $HOME_NET host is enough to alert.
# "threshold: type limit, track by_src, seconds 60, count 1" caps this at one alert per
# $HOME_NET source per rule per 60 s; "target:src_ip" marks the $HOME_NET side as the victim.
# The sid is the digit 9 followed by the ThreatFox IOC id from the reference URL (e.g. sid
# 91205412 <-> ioc/1205412/), so an alert can be pivoted straight to threatfox.abuse.ch/ioc/<id>/.
# metadata first_seen is 2023_11_25 for all of them -- IP-based C2 IOCs age quickly, so
# re-validate against ThreatFox before treating a hit as high-fidelity.
#
# ShadowPad, confidence 90: ports 12340 / 1235 / 22350 / 8443 across several IPs.
alert tcp $HOME_NET any -> [193.112.241.118] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205412/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205412; rev:1;)
alert tcp $HOME_NET any -> [122.114.18.13] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205410/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205410; rev:1;)
alert tcp $HOME_NET any -> [111.230.31.215] 1235 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205408/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205408; rev:1;)
alert tcp $HOME_NET any -> [118.89.62.61] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205409/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205409; rev:1;)
alert tcp $HOME_NET any -> [122.114.18.86] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205407/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205407; rev:1;)
# NOTE(review): 8443 is a common alternate HTTPS port; with no flow/TLS matching every
# connection attempt to this host on 8443 alerts, not only ShadowPad traffic.
alert tcp $HOME_NET any -> [37.120.247.29] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205406/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205406; rev:1;)
# DarkComet, confidence 100: the same host 189.250.54.96 is listed on three ports
# (2000, 1911, 2252) plus one more IP; the threshold is per rule, so one infected host
# can still raise up to four alerts per minute if it cycles through the listed ports.
alert tcp $HOME_NET any -> [189.250.54.96] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205405; rev:1;)
alert tcp $HOME_NET any -> [189.250.54.96] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205404; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.233] 56297 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205402; rev:1;)
alert tcp $HOME_NET any -> [189.250.54.96] 2252 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205403; rev:1;)
# Bashlite, confidence 90, destination port 23 (telnet). Outbound telnet from $HOME_NET to
# any external host is worth triaging on its own; NOTE(review): the IOC is a single IP that
# may be a dynamic/consumer address -- confirm it is still current before escalating on it.
alert tcp $HOME_NET any -> [73.170.133.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205401/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_25; classtype:trojan-activity; sid:91205401; rev:1;)
# DNS rules: "depth:<len>" plus "isdataat:!1,relative" anchor the match so the queried name
# must equal the IOC exactly (case-insensitive); subdomains of it do not match. No
# threshold here, so every matching query alerts -- short-TTL beacons can be chatty.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp12.smtplab.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205399; rev:1;)
# NOTE(review): this name has the shape of a hosting provider's automatic reverse-DNS
# record for one IP; clients rarely query such names directly, so expect few hits and
# check the IOC context on ThreatFox (the ip:port IOC for the same host may be the useful one).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.44.244.217.95.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205400; rev:1;)
# NOTE(review): "Unknown malware" on plain 443 -- with no flow or TLS (SNI/JA3) matching,
# every TLS session to this IP alerts. If the address sits in a cloud provider pool it can
# be reassigned to a benign tenant; verify the IOC is still active before acting on a hit.
alert tcp $HOME_NET any -> [54.83.75.196] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205398; rev:1;)
# Venom RAT cluster, confidence 100. Most IOCs share port 4449 and cluster in
# 154.39.251.0/24, 154.39.254.0/24, 154.39.255.0/24 and 206.233.132.0/24; a single rule with
# a grouped address list would be cheaper to maintain, but one rule per IOC is kept so each
# sid still maps to exactly one ThreatFox reference for triage.
alert tcp $HOME_NET any -> [23.133.216.212] 54696 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205397; rev:1;)
alert tcp $HOME_NET any -> [45.88.180.23] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205396; rev:1;)
alert tcp $HOME_NET any -> [154.39.254.124] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205395; rev:1;)
alert tcp $HOME_NET any -> [154.39.251.113] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205393; rev:1;)
alert tcp $HOME_NET any -> [154.39.251.32] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205394; rev:1;)
alert tcp $HOME_NET any -> [154.39.251.210] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205392; rev:1;)
alert tcp $HOME_NET any -> [206.233.132.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205390; rev:1;)
alert tcp $HOME_NET any -> [154.39.251.52] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205391; rev:1;)
alert tcp $HOME_NET any -> [154.39.254.70] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205389; rev:1;)
alert tcp $HOME_NET any -> [154.39.251.246] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205388; rev:1;)
alert tcp $HOME_NET any -> [154.39.255.111] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205386; rev:1;)
alert tcp $HOME_NET any -> [154.39.255.89] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205387; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.88] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205385; rev:1;)
alert tcp $HOME_NET any -> [154.39.255.94] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205383; rev:1;)
alert tcp $HOME_NET any -> [154.39.255.156] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205384; rev:1;) alert tcp $HOME_NET any -> [154.39.255.141] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205382; rev:1;) alert tcp $HOME_NET any -> [206.233.132.27] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205381; rev:1;) alert tcp $HOME_NET any -> [154.39.255.152] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205379; rev:1;) alert tcp $HOME_NET any -> [206.233.132.250] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205380; rev:1;) alert tcp $HOME_NET any -> [88.99.214.187] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205378; rev:1;) alert tcp $HOME_NET any -> [154.39.250.214] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205376; rev:1;) alert tcp $HOME_NET any -> [158.220.89.102] 8940 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205377; rev:1;) alert tcp $HOME_NET any -> [154.39.255.109] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205375; rev:1;) alert tcp $HOME_NET any -> [154.39.255.211] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205373; rev:1;) alert tcp $HOME_NET any -> [154.39.250.52] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205374; rev:1;) alert tcp $HOME_NET any -> [154.39.255.81] 4449 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205372; rev:1;) alert tcp $HOME_NET any -> [154.39.255.210] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205370; rev:1;) alert tcp $HOME_NET any -> [206.233.132.67] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205371; rev:1;) alert tcp $HOME_NET any -> [154.39.255.54] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205369; rev:1;) alert tcp $HOME_NET any -> [154.39.255.95] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205367; rev:1;) alert tcp $HOME_NET any -> [206.233.132.84] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205368/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_25; classtype:trojan-activity; sid:91205368; rev:1;) alert tcp $HOME_NET any -> [162.215.23.205] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205366; rev:1;) alert tcp $HOME_NET any -> [162.215.23.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205364; rev:1;) alert tcp $HOME_NET any -> [162.215.23.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205365; rev:1;) alert tcp $HOME_NET any -> [162.215.23.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205363; rev:1;) alert tcp $HOME_NET any -> [162.215.23.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205361; rev:1;) alert tcp $HOME_NET any -> [162.215.23.104] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205362; rev:1;) alert tcp $HOME_NET any -> [162.215.23.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205359; rev:1;) alert tcp $HOME_NET any -> [162.215.23.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205360; rev:1;) alert tcp $HOME_NET any -> [162.215.23.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205358; rev:1;) alert tcp $HOME_NET any -> [162.215.23.137] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205357; rev:1;) alert tcp $HOME_NET any -> [162.215.23.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205356; rev:1;) alert tcp $HOME_NET any -> [162.215.23.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205355; rev:1;) alert tcp $HOME_NET any -> [162.215.23.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205354; rev:1;) alert tcp $HOME_NET any -> [162.215.23.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205353; rev:1;) alert tcp $HOME_NET any -> [162.215.23.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205352; rev:1;) alert tcp $HOME_NET any -> [162.215.23.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205351; rev:1;) alert tcp $HOME_NET any -> [162.215.23.193] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205350; rev:1;) alert tcp $HOME_NET any -> [88.208.100.189] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205349; rev:1;) alert tcp $HOME_NET any -> [52.136.206.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205348; rev:1;) alert tcp $HOME_NET any -> [52.136.206.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205347; rev:1;) alert tcp $HOME_NET any -> [74.234.222.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205345; rev:1;) alert tcp $HOME_NET any -> [34.41.225.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; 
classtype:trojan-activity; sid:91205346; rev:1;) alert tcp $HOME_NET any -> [52.136.206.169] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205344; rev:1;) alert tcp $HOME_NET any -> [52.136.206.160] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205343; rev:1;) alert tcp $HOME_NET any -> [51.144.234.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205342; rev:1;) alert tcp $HOME_NET any -> [194.49.94.183] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205341; rev:1;) alert tcp $HOME_NET any -> [103.243.26.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205340; rev:1;) alert tcp $HOME_NET any -> [197.115.207.45] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1205339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205339; rev:1;) alert tcp $HOME_NET any -> [223.155.16.120] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205338; rev:1;) alert tcp $HOME_NET any -> [191.82.205.52] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205336; rev:1;) alert tcp $HOME_NET any -> [85.209.176.33] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205337; rev:1;) alert tcp $HOME_NET any -> [162.244.210.198] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205335; rev:1;) alert tcp $HOME_NET any -> [213.195.120.176] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205333; rev:1;) alert tcp $HOME_NET any -> [194.213.3.100] 
7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205334; rev:1;) alert tcp $HOME_NET any -> [186.170.115.82] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205332; rev:1;) alert tcp $HOME_NET any -> [51.38.57.226] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205331; rev:1;) alert tcp $HOME_NET any -> [194.33.127.198] 10000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205330; rev:1;) alert tcp $HOME_NET any -> [45.138.16.48] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205328; rev:1;) alert tcp $HOME_NET any -> [95.214.26.58] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205329/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205329; rev:1;) alert tcp $HOME_NET any -> [45.138.16.48] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205327; rev:1;) alert tcp $HOME_NET any -> [187.24.1.26] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205325; rev:1;) alert tcp $HOME_NET any -> [187.24.1.26] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205326; rev:1;) alert tcp $HOME_NET any -> [181.90.42.189] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205324; rev:1;) alert tcp $HOME_NET any -> [81.214.139.34] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205322; rev:1;) alert tcp $HOME_NET any -> [23.172.112.130] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"62-210-207-211.rev.poneytelecom.eu"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sd-50950.dedibox.fr"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn-eu.dsikw.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_25; classtype:trojan-activity; sid:91205319; rev:1;) alert tcp $HOME_NET any -> [1.54.107.33] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205318/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_25; classtype:trojan-activity; sid:91205318; rev:1;) alert tcp $HOME_NET any -> [35.203.102.20] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205315/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; 
classtype:trojan-activity; sid:91205315; rev:1;) alert tcp $HOME_NET any -> [45.55.98.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"159.203.120.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205312; rev:1;) alert tcp $HOME_NET any -> [162.215.23.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205310/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205310; rev:1;) alert tcp $HOME_NET any -> [95.142.40.54] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205309/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205309; rev:1;) alert tcp $HOME_NET any -> [3.125.8.28] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205308/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205308; rev:1;) alert tcp $HOME_NET any -> [193.42.36.174] 80 (msg:"ThreatFox IcedID botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205307/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205307; rev:1;) alert tcp $HOME_NET any -> [45.129.199.250] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205306/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205306; rev:1;) alert tcp $HOME_NET any -> [45.129.199.15] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205305/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alevkx42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205303; rev:1;) alert tcp $HOME_NET any -> [46.246.80.7] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205304; rev:1;) alert tcp $HOME_NET any -> [34.100.137.129] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205302/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; 
classtype:trojan-activity; sid:91205302; rev:1;) alert tcp $HOME_NET any -> [43.143.125.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205301; rev:1;) alert tcp $HOME_NET any -> [38.47.221.193] 39163 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wdb.life"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205300; rev:1;) alert tcp $HOME_NET any -> [162.215.23.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205298/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205298; rev:1;) alert tcp $HOME_NET any -> [162.215.23.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205297/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205297; rev:1;) alert tcp $HOME_NET any -> [162.215.23.228] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205296/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205296; rev:1;) alert tcp $HOME_NET any -> [162.215.23.130] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205295/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205295; rev:1;) alert tcp $HOME_NET any -> [162.215.23.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205294/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205294; rev:1;) alert tcp $HOME_NET any -> [162.215.23.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205293/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205293; rev:1;) alert tcp $HOME_NET any -> [162.215.23.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205292/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205292; rev:1;) alert tcp $HOME_NET any -> [162.215.23.138] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205291/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205291; 
rev:1;) alert tcp $HOME_NET any -> [162.215.23.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205290/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205290; rev:1;) alert tcp $HOME_NET any -> [162.215.23.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205289/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205289; rev:1;) alert tcp $HOME_NET any -> [162.215.23.212] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205288/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205288; rev:1;) alert tcp $HOME_NET any -> [162.215.23.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205287/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205287; rev:1;) alert tcp $HOME_NET any -> [162.215.23.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205286/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205286; rev:1;) alert tcp $HOME_NET any -> [162.215.23.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1205285/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205285; rev:1;) alert tcp $HOME_NET any -> [162.215.23.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205284/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205284; rev:1;) alert tcp $HOME_NET any -> [162.215.23.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205283/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205283; rev:1;) alert tcp $HOME_NET any -> [162.215.23.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205282/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205282; rev:1;) alert tcp $HOME_NET any -> [162.215.23.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205281/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205281; rev:1;) alert tcp $HOME_NET any -> [162.215.23.189] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205280/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205280; rev:1;) alert tcp $HOME_NET any -> 
[162.215.23.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205279/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205279; rev:1;) alert tcp $HOME_NET any -> [162.215.23.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205278/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205278; rev:1;) alert tcp $HOME_NET any -> [162.215.23.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205277/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205277; rev:1;) alert tcp $HOME_NET any -> [162.215.23.225] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205276/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205276; rev:1;) alert tcp $HOME_NET any -> [162.215.23.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205275/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205275; rev:1;) alert tcp $HOME_NET any -> [162.215.23.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205274/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205274; rev:1;) alert tcp $HOME_NET any -> [162.215.23.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205273/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205273; rev:1;) alert tcp $HOME_NET any -> [162.215.23.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205272/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205272; rev:1;) alert tcp $HOME_NET any -> [162.215.23.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205271/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205271; rev:1;) alert tcp $HOME_NET any -> [162.215.23.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205270/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205270; rev:1;) alert tcp $HOME_NET any -> [162.215.23.154] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205269/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205269; rev:1;) alert tcp $HOME_NET any -> [162.215.23.167] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205268/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205268; rev:1;) alert tcp $HOME_NET any -> [162.215.23.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205267/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205267; rev:1;) alert tcp $HOME_NET any -> [162.215.23.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205266/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205266; rev:1;) alert tcp $HOME_NET any -> [162.215.23.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205265/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205265; rev:1;) alert tcp $HOME_NET any -> [162.215.23.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205264/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205264; rev:1;) alert tcp $HOME_NET any -> [162.215.23.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205263/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205263; rev:1;) alert tcp $HOME_NET any -> [162.215.23.199] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205262/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205262; rev:1;) alert tcp $HOME_NET any -> [162.215.23.192] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205261/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205261; rev:1;) alert tcp $HOME_NET any -> [162.215.23.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205260/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205260; rev:1;) alert tcp $HOME_NET any -> [162.215.23.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205259; rev:1;) alert tcp $HOME_NET any -> [162.215.23.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205258/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205258; rev:1;) alert tcp $HOME_NET any -> [162.215.23.177] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205257/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205257; rev:1;) alert tcp $HOME_NET any -> [162.215.23.210] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205256/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205256; rev:1;) alert tcp $HOME_NET any -> [162.215.23.146] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205255/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205255; rev:1;) alert tcp $HOME_NET any -> [162.215.23.186] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205254/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205254; rev:1;) alert tcp $HOME_NET any -> [162.215.23.149] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205253/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205253; rev:1;) alert tcp $HOME_NET any -> [162.215.23.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205252/; target:src_ip; metadata: confidence_level 
50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205252; rev:1;) alert tcp $HOME_NET any -> [162.215.23.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205251/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205251; rev:1;) alert tcp $HOME_NET any -> [162.215.23.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205250/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205250; rev:1;) alert tcp $HOME_NET any -> [124.223.197.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205249/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205249; rev:1;) alert tcp $HOME_NET any -> [162.215.23.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205248/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205248; rev:1;) alert tcp $HOME_NET any -> [162.215.23.222] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205247/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205247; rev:1;) alert tcp $HOME_NET any -> [162.215.23.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205246/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205246; rev:1;) alert tcp $HOME_NET any -> [162.215.23.143] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205245/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205245; rev:1;) alert tcp $HOME_NET any -> [162.214.135.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205244/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205244; rev:1;) alert tcp $HOME_NET any -> [162.215.23.183] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205243/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205243; rev:1;) alert tcp $HOME_NET any -> [197.114.177.145] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205242/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205242; rev:1;) alert tcp $HOME_NET any -> [102.158.208.118] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205241/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205241; 
rev:1;) alert tcp $HOME_NET any -> [78.169.185.62] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205240/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205240; rev:1;) alert tcp $HOME_NET any -> [5.14.206.125] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205239/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205239; rev:1;) alert tcp $HOME_NET any -> [87.223.88.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205238/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205238; rev:1;) alert tcp $HOME_NET any -> [39.40.170.3] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205237/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205237; rev:1;) alert tcp $HOME_NET any -> [90.4.74.222] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205236/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205236; rev:1;) alert tcp $HOME_NET any -> [80.78.22.93] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205235/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205235; rev:1;) alert tcp $HOME_NET any -> [37.187.176.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205234/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205234; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 8088 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205233/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205233; rev:1;) alert tcp $HOME_NET any -> [172.105.66.217] 23966 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205232/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205232; rev:1;) alert tcp $HOME_NET any -> [64.176.164.107] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205231/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"79.137.207.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205230; rev:1;) alert tcp $HOME_NET any -> [91.92.241.178] 54984 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205229/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.153.206.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"1.116.144.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"10.101.171.76"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205225/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.71.46.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205221; rev:1;) alert tcp $HOME_NET any -> [107.150.18.214] 2404 (msg:"ThreatFox 
Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205220/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205220; rev:1;) alert tcp $HOME_NET any -> [3.12.56.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205219/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205219; rev:1;) alert tcp $HOME_NET any -> [109.248.206.159] 443 (msg:"ThreatFox ClearFake payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.222.236.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptdle.php"; depth:18; nocase; http.host; content:"12112.ru.swtest.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205217; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 10759 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205215; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 10759 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205214; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 10759 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"finnmanninger.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205212; rev:1;) alert tcp $HOME_NET any -> [151.80.38.159] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b2.rainbowl.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1205208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205208; rev:1;) alert tcp $HOME_NET any -> [46.4.10.254] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videopipepacketprotectwindowsflowerdlecentral.php"; depth:50; nocase; http.host; content:"598194cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205210; rev:1;) alert tcp $HOME_NET any -> [162.215.23.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205207/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"athwartchannelly.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205205; rev:1;) alert tcp $HOME_NET any -> [79.174.80.54] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205206/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.116.245.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ddm/fls/i/src"; depth:14; nocase; http.host; content:"51.79.230.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205203; rev:1;) alert tcp $HOME_NET any -> [49.13.22.82] 8056 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205202/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205197; rev:1;) alert tcp $HOME_NET any -> [109.248.206.49] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205178/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_11_24; classtype:trojan-activity; sid:91205178; rev:1;) alert tcp $HOME_NET any -> [109.248.206.83] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205179/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205179; rev:1;) alert tcp $HOME_NET any -> [109.248.206.101] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205180/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205180; rev:1;) alert tcp $HOME_NET any -> [109.248.206.118] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205181/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205181; rev:1;) alert tcp $HOME_NET any -> [109.248.206.122] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205182/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205182; rev:1;) alert tcp $HOME_NET any -> [109.248.206.138] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205183/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205183; rev:1;) alert tcp $HOME_NET any -> [109.248.206.153] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205184/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205184; rev:1;) alert tcp $HOME_NET any -> [109.248.206.157] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205185/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205185; rev:1;) alert tcp $HOME_NET any -> [109.248.206.159] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205186/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205186; rev:1;) alert tcp $HOME_NET any -> [109.248.206.196] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205187/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205187; rev:1;) alert tcp $HOME_NET any -> [189.250.54.96] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205188/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"60.204.223.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205196/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_24; classtype:trojan-activity; sid:91205196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.113.204.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.151.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205194; rev:1;) alert tcp $HOME_NET any -> [3.72.24.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"3.72.24.250"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; 
content:"1.94.10.2"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205191; rev:1;) alert tcp $HOME_NET any -> [162.215.23.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205190/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"43.156.2.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205189; rev:1;) alert tcp $HOME_NET any -> [185.47.174.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205177/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205177; rev:1;) alert tcp $HOME_NET any -> [51.222.104.17] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205168/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ftp.siscop.com.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205169/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205169; rev:1;) alert tcp $HOME_NET any -> [170.130.55.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205174/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205174; rev:1;) alert tcp $HOME_NET any -> [91.92.242.192] 6390 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"akinbo.ddns.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205175; rev:1;) alert tcp $HOME_NET any -> [109.248.206.106] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205172; rev:1;) alert tcp $HOME_NET any -> [109.248.206.160] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205173; rev:1;) alert tcp 
$HOME_NET any -> [109.248.206.51] 443 (msg:"ThreatFox ClearFake botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dfjoiners.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"techsyscloud.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205166/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yify88.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205167/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sunwu.world"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205165/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"americcorp.net"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205164/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_24; classtype:trojan-activity; sid:91205164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugmanzx.exe"; depth:26; nocase; http.host; content:"zang1.almashreaq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"dfjoiners.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"dfjoiners.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205107/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_24; classtype:trojan-activity; sid:91205107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tenselwhoevery.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; 
sid:91205128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.255.35"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/hyk7789hgd/_cf.php"; depth:26; nocase; http.host; content:"excellentpatterns.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"excellentpatterns.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"excellentpatterns.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; 
nocase; http.host; content:"excellentpatterns.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"partner-infoservice.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205159; rev:1;) alert tcp $HOME_NET any -> [107.148.47.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205157/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205157; rev:1;) alert tcp $HOME_NET any -> [45.11.46.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205158/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205158; rev:1;) alert tcp $HOME_NET any -> [107.175.111.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205156/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205156; rev:1;) alert tcp $HOME_NET any -> [141.255.152.24] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205155/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_11_24; classtype:trojan-activity; sid:91205155; rev:1;) alert tcp $HOME_NET any -> [197.113.236.128] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205154/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205154; rev:1;) alert tcp $HOME_NET any -> [167.58.248.182] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205153/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205153; rev:1;) alert tcp $HOME_NET any -> [85.209.11.185] 8443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205152/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205152; rev:1;) alert tcp $HOME_NET any -> [81.151.251.196] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205151/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205151; rev:1;) alert tcp $HOME_NET any -> [35.160.176.170] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205150/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205150; rev:1;) alert tcp $HOME_NET any -> [170.64.194.59] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1205149/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205149; rev:1;) alert tcp $HOME_NET any -> [165.227.45.0] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205148/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205148; rev:1;) alert tcp $HOME_NET any -> [104.237.11.5] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205147/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205147; rev:1;) alert tcp $HOME_NET any -> [64.176.164.107] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205146/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205146; rev:1;) alert tcp $HOME_NET any -> [46.101.1.45] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205145/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205145; rev:1;) alert tcp $HOME_NET any -> [36.139.110.150] 3389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205144/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_24; classtype:trojan-activity; sid:91205144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/topythongameasynctemporary.php"; depth:31; nocase; http.host; content:"217196cm.nyashcrack.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205142; rev:1;) alert tcp $HOME_NET any -> [103.97.209.13] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205141/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205141; rev:1;) alert tcp $HOME_NET any -> [195.178.121.53] 6604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205140; rev:1;) alert tcp $HOME_NET any -> [78.47.204.96] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205139; rev:1;) alert tcp $HOME_NET any -> [45.61.171.47] 8901 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205138; rev:1;) alert tcp $HOME_NET any -> [103.122.244.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205137/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205137; rev:1;) alert tcp $HOME_NET any -> [189.250.54.96] 1926 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205136/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205136; rev:1;) alert tcp $HOME_NET any -> [187.24.1.26] 9443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205135/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205135; rev:1;) alert tcp $HOME_NET any -> [189.250.54.96] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205134/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205134; rev:1;) alert tcp $HOME_NET any -> [47.241.186.240] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205133/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_24; classtype:trojan-activity; sid:91205133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gj341/index.php"; depth:16; nocase; http.host; content:"d4gj.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205132/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_24; classtype:trojan-activity; sid:91205132; rev:1;) alert tcp $HOME_NET any -> [139.84.139.29] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_24; classtype:trojan-activity; sid:91205131; rev:1;) alert tcp $HOME_NET any -> [54.237.143.242] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205130/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205130; rev:1;) alert tcp $HOME_NET any -> [47.101.148.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205129/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205129; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 14794 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205127; rev:1;) alert tcp $HOME_NET any -> [166.1.18.197] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/add/contact-us/u0tej4uo"; depth:24; nocase; http.host; content:"166.1.18.197"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/add/contact-us/u0tej4uo"; depth:24; nocase; http.host; content:"166.1.18.197"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trackasyncbase7/defaultvm/publicprotonprovider/voiddbsqlpollbetter/03temporaryeternal/server/9wp1wordpress/updatedatalife2/private/javascript/publicgeo2/externallinesecureprocesslongpolllinuxwppublicdownloads.php"; depth:213; nocase; http.host; content:"82.146.33.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205123; rev:1;) alert tcp $HOME_NET any -> [43.206.102.244] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsff.aallianz.com.tw"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205121; rev:1;) alert tcp $HOME_NET any -> [3.113.212.171] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.grp.jpn.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205119; rev:1;) alert tcp $HOME_NET any -> [5.180.114.165] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205118/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_23; classtype:trojan-activity; sid:91205118; rev:1;) alert tcp $HOME_NET any -> [193.233.255.11] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205116; rev:1;) alert tcp $HOME_NET any -> [5.42.92.55] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205117; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.255.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.92.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205115; rev:1;) alert tcp $HOME_NET any -> [103.97.209.13] 1313 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205113; rev:1;) alert tcp $HOME_NET any -> [31.172.83.208] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205110/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205110; rev:1;) alert tcp $HOME_NET any -> [35.203.105.134] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205109/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205109; rev:1;) alert tcp $HOME_NET any -> [149.28.42.7] 8888 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205106/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205106; rev:1;) alert tcp $HOME_NET any -> [142.171.151.18] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205105/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205105; rev:1;) alert tcp $HOME_NET any -> [87.223.86.85] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205104/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205104; rev:1;) alert tcp $HOME_NET any -> [190.133.137.223] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205103/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205103; rev:1;) alert tcp $HOME_NET any -> [156.196.229.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205102/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205102; rev:1;) alert tcp $HOME_NET any -> [85.110.189.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205101/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; 
classtype:trojan-activity; sid:91205101; rev:1;) alert tcp $HOME_NET any -> [102.159.6.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205100/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205100; rev:1;) alert tcp $HOME_NET any -> [102.113.71.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205099/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205099; rev:1;) alert tcp $HOME_NET any -> [41.62.28.127] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205098/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205098; rev:1;) alert tcp $HOME_NET any -> [74.12.147.59] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205097/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205097; rev:1;) alert tcp $HOME_NET any -> [124.13.232.239] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205096/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205096; rev:1;) alert tcp $HOME_NET any -> [86.97.84.192] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205095/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205095; rev:1;) alert tcp $HOME_NET any -> [161.35.194.138] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205094/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205094; rev:1;) alert tcp $HOME_NET any -> [45.78.58.175] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205093/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205093; rev:1;) alert tcp $HOME_NET any -> [209.250.248.246] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205092/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205092; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205091/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205091; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205090/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205090; rev:1;) alert tcp $HOME_NET any -> [104.238.60.64] 3971 (msg:"ThreatFox BianLian botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205089/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205089; rev:1;) alert tcp $HOME_NET any -> [173.254.235.30] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205088/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205088; rev:1;) alert tcp $HOME_NET any -> [128.140.41.99] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205087/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205087; rev:1;) alert tcp $HOME_NET any -> [47.96.188.106] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205086/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205086; rev:1;) alert tcp $HOME_NET any -> [65.20.81.156] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205085/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205085; rev:1;) alert tcp $HOME_NET any -> [65.20.81.156] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205084/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; 
classtype:trojan-activity; sid:91205084; rev:1;) alert tcp $HOME_NET any -> [94.98.183.32] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205083/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205083; rev:1;) alert tcp $HOME_NET any -> [66.85.173.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205082/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205082; rev:1;) alert tcp $HOME_NET any -> [15.236.140.116] 9000 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205081/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205081; rev:1;) alert tcp $HOME_NET any -> [52.7.198.19] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205080/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"prime.topendpower.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205079/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/_errorpages/prime/five/fre.php"; depth:31; nocase; http.host; content:"prime.topendpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205077/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_23; classtype:trojan-activity; sid:91205077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zh341/index.php"; depth:16; nocase; http.host; content:"blazh.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205076; rev:1;) alert tcp $HOME_NET any -> [91.92.249.11] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205075/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ck53254.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205074; rev:1;) alert tcp $HOME_NET any -> [1.92.76.153] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205073; rev:1;) alert tcp $HOME_NET any -> [175.27.159.169] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205072/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"178.128.123.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"121.43.55.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.92.76.153"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1205068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205068; rev:1;) alert tcp $HOME_NET any -> [109.111.185.225] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205065/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205065; rev:1;) alert tcp $HOME_NET any -> [35.154.199.120] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205064/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205064; rev:1;) alert tcp $HOME_NET any -> [103.116.245.130] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205062/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_7/geoautheternal/externalphpwpserver/temporary/vmprocess/multidbrequest/phpsecureprocessorprotectdefaultflower.php"; depth:116; nocase; http.host; content:"193.37.71.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205061; rev:1;) alert tcp $HOME_NET any -> [173.254.235.30] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1205060/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205060; rev:1;) alert tcp $HOME_NET any -> [91.113.48.177] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205059/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205059; rev:1;) alert tcp $HOME_NET any -> [166.1.18.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205058/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"104.245.213.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hgfdytrywq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; 
content:"121.41.2.26"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"110.42.249.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.138.118.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.75.162.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; 
classtype:trojan-activity; sid:91205052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.96.229.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.201.50.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"45.32.8.42"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ndozu6av-1308639534.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-ndozu6av-1308639534.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.5.195.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.5.195.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.221.178.17"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1205042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"193.201.9.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.204.223.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"49.232.34.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.14.143.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205038; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.137.48.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"39.101.77.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"114.132.238.70"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; 
nocase; http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.211.15.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205032; rev:1;) alert tcp $HOME_NET any -> [38.46.8.12] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.46.8.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.92.76.153"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205029; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"172.105.235.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.98.79"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"132.232.113.242"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; 
http.host; content:"8.141.81.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205024; rev:1;) alert tcp $HOME_NET any -> [121.41.107.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205023/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"helpfulsteepyi.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"codeofconducrasa.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.3.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"188.166.148.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205020; rev:1;) alert tcp $HOME_NET any -> [45.137.22.110] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205017; rev:1;) alert tcp $HOME_NET any -> [129.153.80.87] 8855 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205016; rev:1;) alert tcp $HOME_NET any -> [91.92.242.5] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asyncuniversallow/servertraffic1datalife/serverlow/universaltrackbigload/temppacket1/datalifeupdate62/providerdump/php_httpmultiuploads.php"; depth:140; nocase; http.host; content:"188.120.235.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205014/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"howmuchtimeuneed.online"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"howmuchtimeuneed.online"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"howmuchtimeuneed.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205013; rev:1;) alert tcp $HOME_NET any -> [114.132.238.70] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205010/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"175.107.0.220"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1205009/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91205009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jonathanbonnici.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"konstanzkom.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mcguffinboots.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"theoptimistfirst.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1205008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"178.250.186.15"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"178.250.186.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204340; rev:1;) alert tcp $HOME_NET any -> [194.49.94.181] 40264 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204834; rev:1;) alert tcp $HOME_NET any -> [82.115.223.128] 9081 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.15.156.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"theoptimistfirst.site"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"theoptimistfirst.site"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204915; rev:1;) alert tcp $HOME_NET any -> [45.142.182.103] 36063 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204916/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_23; classtype:trojan-activity; sid:91204916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dotnet-outlawz.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204917/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_23; classtype:trojan-activity; sid:91204917; rev:1;) alert tcp $HOME_NET any -> [8.141.81.51] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205004/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91205004; rev:1;) alert tcp $HOME_NET any -> [128.199.87.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205003; rev:1;) alert tcp $HOME_NET any -> [101.200.37.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205001; rev:1;) alert tcp $HOME_NET any -> [168.235.82.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205002; rev:1;) alert tcp $HOME_NET any -> [62.234.55.111] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1205000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91205000; rev:1;) alert tcp $HOME_NET any -> [121.36.111.48] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204999; rev:1;) alert tcp $HOME_NET any -> [156.251.31.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; 
classtype:trojan-activity; sid:91204998; rev:1;) alert tcp $HOME_NET any -> [8.210.114.200] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204997; rev:1;) alert tcp $HOME_NET any -> [8.137.50.154] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204996; rev:1;) alert tcp $HOME_NET any -> [110.42.249.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204994; rev:1;) alert tcp $HOME_NET any -> [64.226.68.136] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204995; rev:1;) alert tcp $HOME_NET any -> [8.140.135.23] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204993; rev:1;) alert tcp $HOME_NET any -> [1.94.32.153] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204992; rev:1;) alert tcp $HOME_NET any -> [47.106.67.138] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204990; rev:1;) alert tcp $HOME_NET any -> [45.8.229.29] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204991; rev:1;) alert tcp $HOME_NET any -> [111.230.242.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204989; rev:1;) alert tcp $HOME_NET any -> [188.166.148.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204988; rev:1;) alert tcp $HOME_NET any -> [175.178.215.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204987; rev:1;) alert tcp 
$HOME_NET any -> [49.113.73.245] 20080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204986; rev:1;) alert tcp $HOME_NET any -> [15.235.130.6] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204985; rev:1;) alert tcp $HOME_NET any -> [167.56.67.143] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204984; rev:1;) alert tcp $HOME_NET any -> [139.59.40.48] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204983; rev:1;) alert tcp $HOME_NET any -> [173.254.235.30] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204982; rev:1;) alert tcp $HOME_NET any -> [173.254.235.30] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204981/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204981; rev:1;) alert tcp $HOME_NET any -> [2.58.14.41] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204980; rev:1;) alert tcp $HOME_NET any -> [110.43.39.79] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204979; rev:1;) alert tcp $HOME_NET any -> [122.114.18.112] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204978/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204978; rev:1;) alert tcp $HOME_NET any -> [122.114.18.112] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204977/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204977; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204976/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204976; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - 
confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204974/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204974; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204975/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204975; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204973/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204973; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204971/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204971; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204972/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204972; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204970/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; 
classtype:trojan-activity; sid:91204970; rev:1;) alert tcp $HOME_NET any -> [122.114.18.85] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204968/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204968; rev:1;) alert tcp $HOME_NET any -> [120.233.114.212] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204969/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204969; rev:1;) alert tcp $HOME_NET any -> [122.114.18.85] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204967/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204967; rev:1;) alert tcp $HOME_NET any -> [122.114.18.22] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204965/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204965; rev:1;) alert tcp $HOME_NET any -> [118.126.107.95] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204966/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204966; rev:1;) alert tcp $HOME_NET any -> [122.114.18.22] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1204964/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204964; rev:1;) alert tcp $HOME_NET any -> [122.114.18.98] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204963/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204963; rev:1;) alert tcp $HOME_NET any -> [122.114.18.98] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204962/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204962; rev:1;) alert tcp $HOME_NET any -> [139.199.166.208] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204960/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204960; rev:1;) alert tcp $HOME_NET any -> [139.199.166.208] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204961/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204961; rev:1;) alert tcp $HOME_NET any -> [139.199.83.96] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204959/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204959; rev:1;) alert tcp $HOME_NET any -> [122.114.18.64] 12340 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204957/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204957; rev:1;) alert tcp $HOME_NET any -> [122.114.18.64] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204958/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204958; rev:1;) alert tcp $HOME_NET any -> [122.114.18.106] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204956/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204956; rev:1;) alert tcp $HOME_NET any -> [122.114.18.38] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204954/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204954; rev:1;) alert tcp $HOME_NET any -> [122.114.18.106] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204955/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204955; rev:1;) alert tcp $HOME_NET any -> [122.114.18.38] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204953/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_23; classtype:trojan-activity; sid:91204953; rev:1;) alert tcp $HOME_NET any -> [122.114.18.31] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204951/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204951; rev:1;) alert tcp $HOME_NET any -> [122.114.18.31] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204952/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204952; rev:1;) alert tcp $HOME_NET any -> [122.114.18.87] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204950/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204950; rev:1;) alert tcp $HOME_NET any -> [122.114.18.35] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204948/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204948; rev:1;) alert tcp $HOME_NET any -> [122.114.18.87] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204949/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204949; rev:1;) alert tcp $HOME_NET any -> [122.114.18.35] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204947/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204947; rev:1;) alert tcp $HOME_NET any -> [122.114.18.27] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204945/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204945; rev:1;) alert tcp $HOME_NET any -> [122.114.18.27] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204946/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204946; rev:1;) alert tcp $HOME_NET any -> [122.114.18.7] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204944/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204944; rev:1;) alert tcp $HOME_NET any -> [122.114.18.62] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204942/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204942; rev:1;) alert tcp $HOME_NET any -> [122.114.18.7] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204943/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204943; rev:1;) alert tcp $HOME_NET any -> 
[122.114.18.62] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204941/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204941; rev:1;) alert tcp $HOME_NET any -> [122.114.18.119] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204939/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204939; rev:1;) alert tcp $HOME_NET any -> [122.114.18.119] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204940/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204940; rev:1;) alert tcp $HOME_NET any -> [122.114.18.90] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204938/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204938; rev:1;) alert tcp $HOME_NET any -> [122.114.18.57] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204936/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204936; rev:1;) alert tcp $HOME_NET any -> [122.114.18.90] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204937/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204937; rev:1;) alert tcp $HOME_NET any -> [122.114.18.57] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204935/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204935; rev:1;) alert tcp $HOME_NET any -> [122.114.18.32] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204933/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204933; rev:1;) alert tcp $HOME_NET any -> [122.114.18.32] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204934/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204934; rev:1;) alert tcp $HOME_NET any -> [139.199.155.188] 1235 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204932/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204932; rev:1;) alert tcp $HOME_NET any -> [43.153.63.174] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204931/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_23; classtype:trojan-activity; sid:91204931; rev:1;) alert tcp $HOME_NET any -> [189.250.48.13] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204929; rev:1;) alert tcp $HOME_NET any -> [189.250.48.13] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204930; rev:1;) alert tcp $HOME_NET any -> [189.250.48.13] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204928; rev:1;) alert tcp $HOME_NET any -> [189.250.48.13] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204927; rev:1;) alert tcp $HOME_NET any -> [189.250.48.13] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204926; rev:1;) alert tcp $HOME_NET any -> [14.225.206.107] 8080 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204925; rev:1;) alert tcp 
$HOME_NET any -> [176.96.136.233] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204924; rev:1;) alert tcp $HOME_NET any -> [154.39.254.105] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204923; rev:1;) alert tcp $HOME_NET any -> [195.133.11.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204922; rev:1;) alert tcp $HOME_NET any -> [82.147.85.227] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204921; rev:1;) alert tcp $HOME_NET any -> [194.33.191.141] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204920; rev:1;) alert tcp $HOME_NET any -> [45.92.1.15] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204918/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204918; rev:1;) alert tcp $HOME_NET any -> [179.13.2.132] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"freepalestine.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204911/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91204911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pushpointdelivery.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204912/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91204912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alpha.twinsources.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204913/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_23; classtype:trojan-activity; sid:91204913; rev:1;) alert tcp $HOME_NET any -> [189.250.48.13] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204910/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91204910; rev:1;) alert tcp $HOME_NET any -> [49.247.42.245] 
3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204909/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91204909; rev:1;) alert tcp $HOME_NET any -> [190.232.148.150] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204908/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91204908; rev:1;) alert tcp $HOME_NET any -> [39.101.77.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204907/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91204907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1002006205199"; depth:22; nocase; http.host; content:"jkishere.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002006205199"; depth:19; nocase; http.host; content:"jkishere.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002006205199"; depth:19; nocase; http.host; content:"jkishere.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_23; classtype:trojan-activity; sid:91204904; rev:1;) alert tcp $HOME_NET any -> [168.235.82.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204903/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_23; classtype:trojan-activity; sid:91204903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"iranme.nitrocp.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iranme.nitrocp.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nitrocp.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204901; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remote"; depth:7; nocase; http.host; content:"iranme.nitrocp.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002134250337"; depth:19; nocase; http.host; content:"jkishere.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1002134250337"; depth:22; nocase; http.host; content:"jkishere.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002134250337"; depth:19; nocase; http.host; content:"jkishere.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkishere.site"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webestblack.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"webestblack.cloud"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sna.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rvc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ebd.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1204867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acm.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edv.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"esv.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acm.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"abn.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204872; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eb.dns05.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"esm.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efa.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tsm.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cfc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"tmc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"enc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efs.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arb.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arm.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arv.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204883/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"erc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cmc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arm.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"arc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"staircompletemil.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"45.137.148.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204851; rev:1;) alert tcp $HOME_NET any -> [154.213.17.156] 999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204850; rev:1;) alert tcp $HOME_NET any -> [47.232.145.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.232.145.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204848; rev:1;) alert tcp $HOME_NET any -> [154.213.17.187] 999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204847; rev:1;) alert tcp $HOME_NET any -> [154.213.17.138] 999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204846; rev:1;) alert tcp $HOME_NET any -> [189.250.54.132] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204845/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204845; rev:1;) alert tcp $HOME_NET any -> [3.79.120.25] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204844/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204844; rev:1;) alert tcp $HOME_NET any -> [8.141.15.227] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204841; rev:1;) alert tcp $HOME_NET any -> [121.43.188.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204842; rev:1;) alert tcp $HOME_NET any -> [8.134.192.169] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204840; rev:1;) alert tcp $HOME_NET any -> [195.49.210.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204839; rev:1;) alert tcp $HOME_NET any -> [42.192.40.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204838; rev:1;) alert tcp $HOME_NET any -> [202.182.119.214] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204837; rev:1;) alert tcp $HOME_NET any -> [218.204.141.228] 2030 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204836/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204836; rev:1;) alert tcp $HOME_NET any -> [38.46.8.10] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204835/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204835; rev:1;) alert tcp $HOME_NET any -> 
[149.88.75.181] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204833; rev:1;) alert tcp $HOME_NET any -> [60.204.208.32] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204832; rev:1;) alert tcp $HOME_NET any -> [1.94.98.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204830; rev:1;) alert tcp $HOME_NET any -> [60.204.208.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204831; rev:1;) alert tcp $HOME_NET any -> [123.60.10.196] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204829; rev:1;) alert tcp $HOME_NET any -> [120.89.68.51] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204828/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204828; rev:1;) alert tcp $HOME_NET any -> [114.132.158.218] 8896 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204827; rev:1;) alert tcp $HOME_NET any -> [8.134.71.235] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204826; rev:1;) alert tcp $HOME_NET any -> [47.100.59.47] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204825; rev:1;) alert tcp $HOME_NET any -> [176.113.80.108] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204823; rev:1;) alert tcp $HOME_NET any -> [176.113.80.108] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204824; rev:1;) alert tcp $HOME_NET any -> [185.196.8.52] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204822; rev:1;) alert tcp $HOME_NET any -> [185.196.8.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204820; rev:1;) alert tcp $HOME_NET any -> [185.196.8.52] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204821; rev:1;) alert tcp $HOME_NET any -> [95.183.13.221] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204819; rev:1;) alert tcp $HOME_NET any -> [172.233.46.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204818; rev:1;) alert tcp $HOME_NET any -> [114.55.251.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204817/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_22; classtype:trojan-activity; sid:91204817; rev:1;) alert tcp $HOME_NET any -> [114.55.251.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204816; rev:1;) alert tcp $HOME_NET any -> [1.14.192.93] 8091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204815; rev:1;) alert tcp $HOME_NET any -> [1.94.11.140] 33443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204814; rev:1;) alert tcp $HOME_NET any -> [60.247.148.113] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204812; rev:1;) alert tcp $HOME_NET any -> [60.247.148.113] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204813; rev:1;) alert tcp $HOME_NET any -> [45.77.204.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204811; rev:1;) alert tcp $HOME_NET any -> [124.220.189.137] 46666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204809; rev:1;) alert tcp $HOME_NET any -> [122.51.109.151] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204810; rev:1;) alert tcp $HOME_NET any -> [119.3.156.55] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204808; rev:1;) alert tcp $HOME_NET any -> [60.204.227.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204806; rev:1;) alert tcp $HOME_NET any -> [119.3.156.55] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204807; 
rev:1;) alert tcp $HOME_NET any -> [91.229.133.77] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204805; rev:1;) alert tcp $HOME_NET any -> [116.62.206.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204804; rev:1;) alert tcp $HOME_NET any -> [116.62.206.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204803; rev:1;) alert tcp $HOME_NET any -> [154.91.229.239] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204802; rev:1;) alert tcp $HOME_NET any -> [134.175.92.214] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204801; rev:1;) alert tcp $HOME_NET any -> [47.120.40.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204800; rev:1;) alert tcp $HOME_NET any -> [142.171.44.185] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204799; rev:1;) alert tcp $HOME_NET any -> [101.201.37.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204797; rev:1;) alert tcp $HOME_NET any -> [121.43.188.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204798; rev:1;) alert tcp $HOME_NET any -> [154.91.196.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204796; rev:1;) alert tcp $HOME_NET any -> [154.91.196.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204795; rev:1;) alert tcp $HOME_NET any -> [52.198.192.145] 7777 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204794; rev:1;) alert tcp $HOME_NET any -> [39.107.123.144] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204792; rev:1;) alert tcp $HOME_NET any -> [18.237.114.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204793; rev:1;) alert tcp $HOME_NET any -> [62.234.15.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204791; rev:1;) alert tcp $HOME_NET any -> [103.93.78.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204790; rev:1;) alert tcp $HOME_NET any -> [47.99.66.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204789/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204789; rev:1;) alert tcp $HOME_NET any -> [144.202.105.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204788; rev:1;) alert tcp $HOME_NET any -> [8.142.5.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204786; rev:1;) alert tcp $HOME_NET any -> [8.142.5.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204787; rev:1;) alert tcp $HOME_NET any -> [101.43.175.148] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204784; rev:1;) alert tcp $HOME_NET any -> [110.41.134.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204785; rev:1;) alert tcp $HOME_NET any -> [45.77.172.226] 60005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204783; rev:1;) alert tcp $HOME_NET any -> [119.45.181.134] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204781; rev:1;) alert tcp $HOME_NET any -> [170.64.210.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204782; rev:1;) alert tcp $HOME_NET any -> [47.101.181.195] 50052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204780; rev:1;) alert tcp $HOME_NET any -> [154.8.146.128] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204778; rev:1;) alert tcp $HOME_NET any -> [154.8.146.128] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204779; rev:1;) alert tcp $HOME_NET any -> [118.31.8.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204777; rev:1;) alert tcp $HOME_NET any -> [123.60.80.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204775; rev:1;) alert tcp $HOME_NET any -> [35.194.140.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204776; rev:1;) alert tcp $HOME_NET any -> [120.89.68.50] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204774; rev:1;) alert tcp $HOME_NET any -> [34.70.139.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204773; rev:1;) alert tcp $HOME_NET any -> [65.108.20.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204772; rev:1;) alert tcp $HOME_NET any -> [139.155.96.79] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204771; rev:1;) alert tcp $HOME_NET any -> [47.92.170.122] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204770; rev:1;) alert tcp $HOME_NET any -> [103.234.72.93] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204769; rev:1;) alert tcp $HOME_NET any -> [8.134.219.77] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204767; rev:1;) alert tcp $HOME_NET any -> [42.192.114.48] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204768; rev:1;) alert tcp $HOME_NET any 
-> [101.200.37.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204766; rev:1;) alert tcp $HOME_NET any -> [142.171.2.168] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204765; rev:1;) alert tcp $HOME_NET any -> [156.232.11.248] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204763; rev:1;) alert tcp $HOME_NET any -> [154.91.229.227] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204764; rev:1;) alert tcp $HOME_NET any -> [111.230.104.164] 3000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204762; rev:1;) alert tcp $HOME_NET any -> [45.137.148.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204761; rev:1;) alert tcp $HOME_NET any -> [160.181.181.82] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204760; rev:1;) alert tcp $HOME_NET any -> [58.53.128.67] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204759; rev:1;) alert tcp $HOME_NET any -> [8.222.237.128] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204758; rev:1;) alert tcp $HOME_NET any -> [116.62.197.217] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204757; rev:1;) alert tcp $HOME_NET any -> [52.86.45.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204756; rev:1;) alert tcp $HOME_NET any -> [182.92.216.47] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204755; rev:1;) alert tcp $HOME_NET any -> [123.207.74.43] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204754; rev:1;) alert tcp $HOME_NET any -> [101.43.64.49] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204753; rev:1;) alert tcp $HOME_NET any -> [138.68.248.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204752; rev:1;) alert tcp $HOME_NET any -> [107.151.247.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204751; rev:1;) alert tcp $HOME_NET any -> [115.159.50.50] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204750/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204750; rev:1;) alert tcp $HOME_NET any -> [172.203.240.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204749; rev:1;) alert tcp $HOME_NET any -> [193.134.209.143] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204748; rev:1;) alert tcp $HOME_NET any -> [3.72.82.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204747; rev:1;) alert tcp $HOME_NET any -> [124.71.188.139] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204746; rev:1;) alert tcp $HOME_NET any -> [124.222.170.30] 33890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204745; rev:1;) alert tcp $HOME_NET any -> [49.232.34.39] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204744; rev:1;) alert tcp $HOME_NET any -> [34.89.201.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204742; rev:1;) alert tcp $HOME_NET any -> [47.95.37.191] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204743; rev:1;) alert tcp $HOME_NET any -> [182.92.212.95] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204741; rev:1;) alert tcp $HOME_NET any -> [8.134.130.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204739; rev:1;) alert tcp $HOME_NET any -> [141.164.60.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204740; rev:1;) alert tcp $HOME_NET any -> [20.48.42.49] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204738; rev:1;) alert tcp $HOME_NET any -> [118.24.24.120] 20020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204737; rev:1;) alert tcp $HOME_NET any -> [120.89.68.52] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204736; rev:1;) alert tcp $HOME_NET any -> [43.163.194.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204734; rev:1;) alert tcp $HOME_NET any -> [120.89.68.52] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204735; rev:1;) alert tcp $HOME_NET any -> [123.60.162.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204733; rev:1;) alert tcp $HOME_NET any -> [1.94.97.137] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204731; rev:1;) alert tcp $HOME_NET any -> [118.195.247.129] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204732; rev:1;) alert tcp $HOME_NET any -> [120.89.68.54] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204730; rev:1;) alert tcp $HOME_NET any -> [75.60.22.100] 2 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204728; rev:1;) alert tcp $HOME_NET any -> [120.89.68.54] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204729; rev:1;) alert tcp $HOME_NET 
any -> [140.143.147.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204727; rev:1;) alert tcp $HOME_NET any -> [47.113.219.96] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204726; rev:1;) alert tcp $HOME_NET any -> [124.220.101.231] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204724; rev:1;) alert tcp $HOME_NET any -> [1.94.10.2] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204725; rev:1;) alert tcp $HOME_NET any -> [60.204.229.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204723; rev:1;) alert tcp $HOME_NET any -> [47.113.204.90] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204722; rev:1;) alert tcp $HOME_NET any -> [47.113.204.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204721; rev:1;) alert tcp $HOME_NET any -> [124.71.165.5] 33889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204719; rev:1;) alert tcp $HOME_NET any -> [47.115.220.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204720; rev:1;) alert tcp $HOME_NET any -> [8.141.1.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204717; rev:1;) alert tcp $HOME_NET any -> [101.35.42.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204718; rev:1;) alert tcp $HOME_NET any -> [91.92.251.25] 8888 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204716; rev:1;) alert tcp $HOME_NET any -> [154.91.229.234] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204714; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204715; rev:1;) alert tcp $HOME_NET any -> [47.98.135.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204713; rev:1;) alert tcp $HOME_NET any -> [106.14.143.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204712; rev:1;) alert tcp $HOME_NET any -> [47.236.37.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204710/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204710; rev:1;) alert tcp $HOME_NET any -> [107.148.54.94] 8886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204711; rev:1;) alert tcp $HOME_NET any -> [148.135.116.42] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204709; rev:1;) alert tcp $HOME_NET any -> [110.41.134.155] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204708; rev:1;) alert tcp $HOME_NET any -> [141.164.37.240] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204706; rev:1;) alert tcp $HOME_NET any -> [8.130.81.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204707; rev:1;) alert tcp $HOME_NET any -> [8.219.177.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204705; rev:1;) alert tcp $HOME_NET any -> [121.40.255.189] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204703; rev:1;) alert tcp $HOME_NET any -> [3.123.26.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204704; rev:1;) alert tcp $HOME_NET any -> [154.211.15.205] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204701; rev:1;) alert tcp $HOME_NET any -> [159.223.6.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204702; rev:1;) alert tcp $HOME_NET any -> [120.89.68.53] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204699; rev:1;) alert tcp $HOME_NET any -> [39.100.181.249] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204700; rev:1;) alert tcp $HOME_NET any -> [120.89.68.53] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204698; rev:1;) alert tcp $HOME_NET any -> [45.8.229.29] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204696; rev:1;) alert tcp $HOME_NET any -> [47.236.13.182] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204697; rev:1;) alert tcp $HOME_NET any -> [121.36.224.175] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204695; rev:1;) alert tcp $HOME_NET any -> [1.94.31.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204693; rev:1;) alert tcp $HOME_NET any -> [47.120.48.10] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204694; rev:1;) alert tcp $HOME_NET any -> [8.130.43.95] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iuuvv.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204690; rev:1;) alert tcp $HOME_NET any -> [45.207.53.113] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204691; rev:1;) alert tcp $HOME_NET any -> [108.160.138.240] 8866 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204689; rev:1;) alert 
tcp $HOME_NET any -> [194.32.149.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laportgroup.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2.txlu.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tech-guard.vguard.tech"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204685; rev:1;) alert tcp $HOME_NET any -> [44.204.120.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manager.moonlighter.space"; 
depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gzh.qijingonline.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.marssagroup.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hongtong502.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.marssagroup.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.laportgroup.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204677/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.edge-akadns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hongtong502.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copperpeace.optumshadow.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-35-78-243-22.ap-northeast-1.compute.amazonaws.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.laportgroup.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204673/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_22; classtype:trojan-activity; sid:91204673; rev:1;) alert tcp $HOME_NET any -> [43.248.137.153] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204672/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_22; classtype:trojan-activity; sid:91204672; rev:1;) alert tcp $HOME_NET any -> [124.71.129.251] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204671; rev:1;) alert tcp $HOME_NET any -> [101.43.162.6] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204670; rev:1;) alert tcp $HOME_NET any -> [124.228.202.130] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204669; rev:1;) alert tcp $HOME_NET any -> [5.181.132.208] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204667; rev:1;) alert tcp $HOME_NET any -> [146.56.190.235] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204668; rev:1;) alert tcp $HOME_NET any -> [49.113.74.76] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204666; rev:1;) alert tcp $HOME_NET any -> [116.11.199.109] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204665; rev:1;) alert tcp $HOME_NET any -> [104.171.160.229] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204664; rev:1;) alert tcp $HOME_NET any -> [123.57.174.20] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204663; rev:1;) alert tcp $HOME_NET any -> [103.106.190.156] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204661; rev:1;) alert tcp $HOME_NET any 
-> [221.150.78.228] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204662; rev:1;) alert tcp $HOME_NET any -> [103.234.72.88] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204660; rev:1;) alert tcp $HOME_NET any -> [116.204.107.102] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204659; rev:1;) alert tcp $HOME_NET any -> [154.8.146.128] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204657; rev:1;) alert tcp $HOME_NET any -> [192.74.226.138] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204658; rev:1;) alert tcp $HOME_NET any -> [27.124.4.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204656/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204656; rev:1;) alert tcp $HOME_NET any -> [124.228.200.69] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204655; rev:1;) alert tcp $HOME_NET any -> [118.24.118.118] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204653; rev:1;) alert tcp $HOME_NET any -> [180.112.71.85] 8008 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204654; rev:1;) alert tcp $HOME_NET any -> [8.130.81.170] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204652; rev:1;) alert tcp $HOME_NET any -> [101.42.22.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204651; rev:1;) alert tcp $HOME_NET any -> [121.37.229.107] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204649; rev:1;) alert tcp $HOME_NET any -> [146.190.109.208] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204650; rev:1;) alert tcp $HOME_NET any -> [43.143.239.81] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204648; rev:1;) alert tcp $HOME_NET any -> [47.243.95.246] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204646; rev:1;) alert tcp $HOME_NET any -> [101.34.15.90] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204647; rev:1;) alert tcp $HOME_NET any -> [101.35.217.117] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204645; rev:1;) alert tcp $HOME_NET any -> [124.222.227.236] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204644; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204643/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204643; rev:1;) alert tcp $HOME_NET any -> [147.78.47.241] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204642/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204642; rev:1;) alert tcp $HOME_NET any -> [172.104.212.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204641/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4.90.223.87.dynamic.jazztel.es"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"d50-99-8-5.abhsia.telus.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host186.190-137-188.telecom.net.ar"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bba-217-165-233-123.alshamil.net.ae"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204639; rev:1;) alert tcp $HOME_NET any -> [101.201.50.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204636/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us.1co.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.117.166.109.65.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1204633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv82054434.ultasrv.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.162-33-179-116.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as-fall.quarantine-pnap-vlan51.web-hosting.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-215-227-78.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-59-168-154.us-east-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1204628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.luxspal.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-215-228-73.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ptkick.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luxspal.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-219-121-232.us-west-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204624/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conflictt.almostmy.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plasmans.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yksdemg.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-207-174-202.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1091010.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rob-135.mailempower.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ptkick.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"162-33-179-116.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v3.aria21.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-76-100-131.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204613; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-193-91-232.us-west-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.1co.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.americanauth0.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204611; rev:1;) alert tcp $HOME_NET any -> [47.96.229.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204610/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"platform.awards2go.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ip54.ip-162-19-175.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yksdemg.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204607; rev:1;) alert tcp $HOME_NET any -> [8.222.212.126] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204606; rev:1;) alert tcp $HOME_NET any -> [3.125.130.75] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204605; rev:1;) alert tcp $HOME_NET any -> [122.114.18.88] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204604/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204604; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204602/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204602; rev:1;) alert tcp $HOME_NET any -> [122.114.18.88] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204603/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204603; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204601/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204601; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204599/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204599; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204600/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204600; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204598/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204598; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1204596/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204596; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204597/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204597; rev:1;) alert tcp $HOME_NET any -> [120.233.114.145] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204595/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204595; rev:1;) alert tcp $HOME_NET any -> [122.114.18.68] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204593/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204593; rev:1;) alert tcp $HOME_NET any -> [122.114.18.68] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204594/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204594; rev:1;) alert tcp $HOME_NET any -> [122.114.18.49] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204592/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204592; rev:1;) alert tcp $HOME_NET any -> [122.114.18.49] 12340 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204591/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204591; rev:1;) alert tcp $HOME_NET any -> [122.114.18.25] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204589/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204589; rev:1;) alert tcp $HOME_NET any -> [122.114.18.25] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204590/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204590; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204587/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204587; rev:1;) alert tcp $HOME_NET any -> [123.207.16.103] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204588/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204588; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204586/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_22; classtype:trojan-activity; sid:91204586; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204584/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204584; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204585/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204585; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204583/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204583; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204581/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204581; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204582/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204582; rev:1;) alert tcp $HOME_NET any -> [122.9.125.150] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204580/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204580; rev:1;) alert tcp $HOME_NET any -> [122.114.18.47] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204579/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204579; rev:1;) alert tcp $HOME_NET any -> [122.114.18.47] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204578/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204578; rev:1;) alert tcp $HOME_NET any -> [122.114.18.65] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204576/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204576; rev:1;) alert tcp $HOME_NET any -> [122.114.18.65] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204577/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204577; rev:1;) alert tcp $HOME_NET any -> [122.114.18.103] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204575/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204575; rev:1;) alert tcp $HOME_NET any -> [122.114.18.107] 
22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204573/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204573; rev:1;) alert tcp $HOME_NET any -> [122.114.18.103] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204574/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204574; rev:1;) alert tcp $HOME_NET any -> [122.114.18.107] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204572/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204572; rev:1;) alert tcp $HOME_NET any -> [122.114.18.50] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204570/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204570; rev:1;) alert tcp $HOME_NET any -> [122.114.18.50] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204571/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204571; rev:1;) alert tcp $HOME_NET any -> [122.114.18.78] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204568/; target:src_ip; metadata: 
confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204568; rev:1;) alert tcp $HOME_NET any -> [122.114.18.78] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204569/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204569; rev:1;) alert tcp $HOME_NET any -> [122.114.18.55] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204567/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204567; rev:1;) alert tcp $HOME_NET any -> [122.114.18.55] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204566/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204566; rev:1;) alert tcp $HOME_NET any -> [122.114.18.124] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204564/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204564; rev:1;) alert tcp $HOME_NET any -> [122.114.18.124] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204565/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204565; rev:1;) alert tcp $HOME_NET any -> [122.114.18.75] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204563/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204563; rev:1;) alert tcp $HOME_NET any -> [119.29.8.235] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204561/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204561; rev:1;) alert tcp $HOME_NET any -> [122.114.18.75] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204562/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204562; rev:1;) alert tcp $HOME_NET any -> [119.29.8.235] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204560/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204560; rev:1;) alert tcp $HOME_NET any -> [122.114.18.115] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204558/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204558; rev:1;) alert tcp $HOME_NET any -> [122.114.18.115] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204559/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204559; rev:1;) alert tcp $HOME_NET 
any -> [122.114.18.79] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204557/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204557; rev:1;) alert tcp $HOME_NET any -> [122.114.18.26] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204555/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204555; rev:1;) alert tcp $HOME_NET any -> [122.114.18.79] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204556/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204556; rev:1;) alert tcp $HOME_NET any -> [122.114.18.26] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204554/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204554; rev:1;) alert tcp $HOME_NET any -> [122.114.18.30] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204553/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204553; rev:1;) alert tcp $HOME_NET any -> [122.114.18.89] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204551/; target:src_ip; 
metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204551; rev:1;) alert tcp $HOME_NET any -> [122.114.18.30] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204552/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204552; rev:1;) alert tcp $HOME_NET any -> [122.114.18.89] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204550/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204550; rev:1;) alert tcp $HOME_NET any -> [122.114.18.77] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204548/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204548; rev:1;) alert tcp $HOME_NET any -> [122.114.18.77] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204549/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204549; rev:1;) alert tcp $HOME_NET any -> [122.114.18.46] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204546/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204546; rev:1;) alert tcp $HOME_NET any -> [122.114.18.46] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204547/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204547; rev:1;) alert tcp $HOME_NET any -> [122.114.18.113] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204545/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204545; rev:1;) alert tcp $HOME_NET any -> [119.29.165.74] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204543/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204543; rev:1;) alert tcp $HOME_NET any -> [122.114.18.113] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204544/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204544; rev:1;) alert tcp $HOME_NET any -> [119.29.165.74] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204542/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204542; rev:1;) alert tcp $HOME_NET any -> [122.114.18.44] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204540/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204540; rev:1;) alert tcp 
$HOME_NET any -> [122.114.18.44] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204541/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204541; rev:1;) alert tcp $HOME_NET any -> [122.114.18.74] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204539/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204539; rev:1;) alert tcp $HOME_NET any -> [106.52.128.236] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204537/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204537; rev:1;) alert tcp $HOME_NET any -> [122.114.18.74] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204538/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204538; rev:1;) alert tcp $HOME_NET any -> [106.52.128.236] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204536/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204536; rev:1;) alert tcp $HOME_NET any -> [122.114.18.43] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204534/; 
target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204534; rev:1;) alert tcp $HOME_NET any -> [122.114.18.43] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204535/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204535; rev:1;) alert tcp $HOME_NET any -> [122.114.18.76] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204533/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204533; rev:1;) alert tcp $HOME_NET any -> [119.29.143.243] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204531/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204531; rev:1;) alert tcp $HOME_NET any -> [122.114.18.76] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204532/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204532; rev:1;) alert tcp $HOME_NET any -> [119.29.143.243] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204530/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204530; rev:1;) alert tcp $HOME_NET any -> [119.29.84.169] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204529/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204529; rev:1;) alert tcp $HOME_NET any -> [122.114.18.94] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204527/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204527; rev:1;) alert tcp $HOME_NET any -> [122.114.18.94] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204528/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204528; rev:1;) alert tcp $HOME_NET any -> [122.114.18.120] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204526/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204526; rev:1;) alert tcp $HOME_NET any -> [122.114.18.123] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204524/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204524; rev:1;) alert tcp $HOME_NET any -> [122.114.18.120] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204525/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204525; 
rev:1;) alert tcp $HOME_NET any -> [122.114.18.123] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204523/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204523; rev:1;) alert tcp $HOME_NET any -> [119.29.73.94] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204522/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204522; rev:1;) alert tcp $HOME_NET any -> [122.114.18.39] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204520/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204520; rev:1;) alert tcp $HOME_NET any -> [119.29.73.94] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204521/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204521; rev:1;) alert tcp $HOME_NET any -> [122.114.18.39] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204519/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204519; rev:1;) alert tcp $HOME_NET any -> [122.114.18.58] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204517/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204517; rev:1;) alert tcp $HOME_NET any -> [122.114.18.58] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204518/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204518; rev:1;) alert tcp $HOME_NET any -> [122.114.18.97] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204516/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204516; rev:1;) alert tcp $HOME_NET any -> [122.114.18.116] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204514/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204514; rev:1;) alert tcp $HOME_NET any -> [122.114.18.97] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204515/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204515; rev:1;) alert tcp $HOME_NET any -> [122.114.18.116] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204513/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204513; rev:1;) alert tcp $HOME_NET any -> [119.29.249.227] 8443 (msg:"ThreatFox ShadowPad botnet 
C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204511/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204511; rev:1;) alert tcp $HOME_NET any -> [119.29.249.227] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204512/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204512; rev:1;) alert tcp $HOME_NET any -> [122.114.18.83] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204510/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204510; rev:1;) alert tcp $HOME_NET any -> [122.114.18.52] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204508/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204508; rev:1;) alert tcp $HOME_NET any -> [122.114.18.83] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204509/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204509; rev:1;) alert tcp $HOME_NET any -> [122.114.18.52] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204507/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204507; rev:1;) alert tcp $HOME_NET any -> [122.114.18.59] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204505/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204505; rev:1;) alert tcp $HOME_NET any -> [122.114.18.59] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204506/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204506; rev:1;) alert tcp $HOME_NET any -> [122.114.18.111] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204504/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204504; rev:1;) alert tcp $HOME_NET any -> [122.114.18.53] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204502/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204502; rev:1;) alert tcp $HOME_NET any -> [122.114.18.111] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204503/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204503; rev:1;) alert tcp $HOME_NET any -> [122.114.18.53] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1204501/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204501; rev:1;) alert tcp $HOME_NET any -> [122.114.18.96] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204499/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204499; rev:1;) alert tcp $HOME_NET any -> [122.114.18.96] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204500/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204500; rev:1;) alert tcp $HOME_NET any -> [122.114.18.91] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204498/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204498; rev:1;) alert tcp $HOME_NET any -> [122.114.18.91] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204497/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204497; rev:1;) alert tcp $HOME_NET any -> [122.114.18.109] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204495/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204495; rev:1;) alert tcp $HOME_NET any -> [122.114.18.109] 22350 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204496/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204496; rev:1;) alert tcp $HOME_NET any -> [122.114.18.66] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204494/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204494; rev:1;) alert tcp $HOME_NET any -> [122.114.18.19] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204492/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204492; rev:1;) alert tcp $HOME_NET any -> [122.114.18.66] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204493/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204493; rev:1;) alert tcp $HOME_NET any -> [122.114.18.19] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204491/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204491; rev:1;) alert tcp $HOME_NET any -> [122.114.18.108] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204489/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_22; classtype:trojan-activity; sid:91204489; rev:1;) alert tcp $HOME_NET any -> [122.114.18.108] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204490/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204490; rev:1;) alert tcp $HOME_NET any -> [122.114.18.42] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204488/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204488; rev:1;) alert tcp $HOME_NET any -> [122.114.18.114] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204487/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204487; rev:1;) alert tcp $HOME_NET any -> [139.199.72.163] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204485/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204485; rev:1;) alert tcp $HOME_NET any -> [139.199.72.163] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204486/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204486; rev:1;) alert tcp $HOME_NET any -> [122.114.18.54] 22350 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204484/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204484; rev:1;) alert tcp $HOME_NET any -> [122.114.18.104] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204482/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204482; rev:1;) alert tcp $HOME_NET any -> [122.114.18.54] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204483/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204483; rev:1;) alert tcp $HOME_NET any -> [129.204.202.169] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204481/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204481; rev:1;) alert tcp $HOME_NET any -> [122.114.18.100] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204479/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204479; rev:1;) alert tcp $HOME_NET any -> [106.52.243.150] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204480/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204480; rev:1;) alert tcp $HOME_NET any -> 
[192.109.119.100] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204478/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204478; rev:1;) alert tcp $HOME_NET any -> [37.120.247.29] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204476/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204476; rev:1;) alert tcp $HOME_NET any -> [37.120.247.29] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204477/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204477; rev:1;) alert tcp $HOME_NET any -> [37.120.247.29] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204475/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204475; rev:1;) alert tcp $HOME_NET any -> [193.200.16.184] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204474/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204474; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 47263 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204473/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204473; rev:1;) alert tcp $HOME_NET any -> [189.250.24.94] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204471; rev:1;) alert tcp $HOME_NET any -> [189.250.24.94] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204472; rev:1;) alert tcp $HOME_NET any -> [189.250.24.94] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204470; rev:1;) alert tcp $HOME_NET any -> [91.92.240.182] 2301 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204468; rev:1;) alert tcp $HOME_NET any -> [92.159.236.33] 1716 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204469; rev:1;) alert tcp $HOME_NET any -> [167.235.143.166] 1021 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.211.7.203.116.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.231.204.132.142.clients.your-server.de"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.148.119.12.49.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204464; rev:1;) alert tcp $HOME_NET any -> [195.201.46.42] 10200 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.136.152.108.65.clients.your-server.de"; depth:44; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.153.94.13.49.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204461; rev:1;) alert tcp $HOME_NET any -> [34.224.9.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204459; rev:1;) alert tcp $HOME_NET any -> [52.206.84.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204460; rev:1;) alert tcp $HOME_NET any -> [34.199.174.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204458; rev:1;) alert tcp $HOME_NET any -> [3.235.216.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-227-200-25.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-199-174-236.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-211-111-68.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-55-23-101.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204453; rev:1;) alert tcp $HOME_NET any -> [194.9.172.60] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204451; 
rev:1;) alert tcp $HOME_NET any -> [172.93.110.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204452; rev:1;) alert tcp $HOME_NET any -> [206.233.132.208] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204450; rev:1;) alert tcp $HOME_NET any -> [154.204.181.22] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204449; rev:1;) alert tcp $HOME_NET any -> [154.204.181.53] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204447; rev:1;) alert tcp $HOME_NET any -> [154.204.181.116] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204448; rev:1;) alert tcp $HOME_NET any -> [154.204.181.88] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204446; rev:1;) alert tcp $HOME_NET any -> [154.204.181.208] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204445; rev:1;) alert tcp $HOME_NET any -> [154.204.181.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204443; rev:1;) alert tcp $HOME_NET any -> [154.204.181.71] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204444; rev:1;) alert tcp $HOME_NET any -> [154.204.181.33] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204442; rev:1;) alert tcp $HOME_NET any -> [123.99.200.184] 2139 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204440; rev:1;) alert tcp $HOME_NET any -> [154.204.181.228] 4449 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204441; rev:1;) alert tcp $HOME_NET any -> [154.204.181.93] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204439; rev:1;) alert tcp $HOME_NET any -> [154.204.181.137] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204437; rev:1;) alert tcp $HOME_NET any -> [154.204.181.15] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204438; rev:1;) alert tcp $HOME_NET any -> [154.204.181.188] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204436; rev:1;) alert tcp $HOME_NET any -> [154.39.250.229] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204434/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_22; classtype:trojan-activity; sid:91204434; rev:1;) alert tcp $HOME_NET any -> [154.204.181.94] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204435; rev:1;) alert tcp $HOME_NET any -> [91.92.241.80] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204433; rev:1;) alert tcp $HOME_NET any -> [95.214.25.144] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204432; rev:1;) alert tcp $HOME_NET any -> [45.207.27.4] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204431; rev:1;) alert tcp $HOME_NET any -> [103.245.236.118] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204430; rev:1;) alert tcp $HOME_NET any -> [154.39.250.38] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204428; rev:1;) alert tcp $HOME_NET any -> [154.39.250.234] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204429; rev:1;) alert tcp $HOME_NET any -> [103.82.26.41] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204427; rev:1;) alert tcp $HOME_NET any -> [154.39.250.85] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204426; rev:1;) alert tcp $HOME_NET any -> [74.234.222.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204425; rev:1;) alert tcp $HOME_NET any -> [20.61.184.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204424; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip14.ip-51-254-53.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204423; rev:1;) alert tcp $HOME_NET any -> [34.70.168.68] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204422; rev:1;) alert tcp $HOME_NET any -> [34.67.177.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwndrop.aptiv-hr.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204420; rev:1;) alert tcp $HOME_NET any -> [51.124.39.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204419; rev:1;) alert tcp $HOME_NET any -> [34.69.229.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1204418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204418; rev:1;) alert tcp $HOME_NET any -> [74.234.222.214] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204417; rev:1;) alert tcp $HOME_NET any -> [184.75.254.203] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204416; rev:1;) alert tcp $HOME_NET any -> [46.4.10.254] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204415; rev:1;) alert tcp $HOME_NET any -> [194.49.94.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204413; rev:1;) alert tcp $HOME_NET any -> [194.49.94.152] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204414; rev:1;) alert tcp $HOME_NET any -> [194.49.94.164] 8081 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204412; rev:1;) alert tcp $HOME_NET any -> [195.10.205.24] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204411; rev:1;) alert tcp $HOME_NET any -> [194.49.94.158] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204409; rev:1;) alert tcp $HOME_NET any -> [5.188.159.44] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204410; rev:1;) alert tcp $HOME_NET any -> [194.49.94.172] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204408; rev:1;) alert tcp $HOME_NET any -> [51.255.78.213] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204406/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_22; classtype:trojan-activity; sid:91204406; rev:1;) alert tcp $HOME_NET any -> [194.49.94.171] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204407; rev:1;) alert tcp $HOME_NET any -> [82.115.223.71] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204405; rev:1;) alert tcp $HOME_NET any -> [194.49.94.168] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204404; rev:1;) alert tcp $HOME_NET any -> [194.49.94.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204403; rev:1;) alert tcp $HOME_NET any -> [42.114.153.115] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204402; rev:1;) alert tcp $HOME_NET any -> [104.168.163.193] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204401; rev:1;) alert tcp $HOME_NET any -> [154.245.132.20] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204400; rev:1;) alert tcp $HOME_NET any -> [194.195.90.102] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1501059.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204398; rev:1;) alert tcp $HOME_NET any -> [223.155.16.118] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204397; rev:1;) alert tcp $HOME_NET any -> [107.148.58.236] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204396; 
rev:1;) alert tcp $HOME_NET any -> [43.154.232.190] 8441 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204395; rev:1;) alert tcp $HOME_NET any -> [191.205.93.92] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204393; rev:1;) alert tcp $HOME_NET any -> [139.99.80.193] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204394; rev:1;) alert tcp $HOME_NET any -> [91.92.246.130] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"172-232-134-145.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204392; rev:1;) alert tcp $HOME_NET any -> [223.155.16.128] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204390; rev:1;) alert tcp $HOME_NET any -> [191.82.220.234] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204389; rev:1;) alert tcp $HOME_NET any -> [223.155.16.139] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204388; rev:1;) alert tcp $HOME_NET any -> [194.49.94.45] 4789 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204387; rev:1;) alert tcp $HOME_NET any -> [156.96.154.217] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204386; rev:1;) alert tcp $HOME_NET any -> [223.155.16.140] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204385; rev:1;) alert tcp $HOME_NET any -> 
[107.148.58.234] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204384; rev:1;) alert tcp $HOME_NET any -> [193.149.176.5] 4443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204383; rev:1;) alert tcp $HOME_NET any -> [95.214.25.72] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204382; rev:1;) alert tcp $HOME_NET any -> [185.81.157.24] 7007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204380; rev:1;) alert tcp $HOME_NET any -> [144.126.159.54] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204381; rev:1;) alert tcp $HOME_NET any -> [162.244.210.198] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204379/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204379; rev:1;) alert tcp $HOME_NET any -> [185.25.51.99] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204377; rev:1;) alert tcp $HOME_NET any -> [173.212.250.19] 1997 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204378; rev:1;) alert tcp $HOME_NET any -> [45.88.186.47] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204375; rev:1;) alert tcp $HOME_NET any -> [45.88.186.47] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204376; rev:1;) alert tcp $HOME_NET any -> [91.92.242.246] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204374; rev:1;) alert tcp $HOME_NET any -> [51.38.57.226] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204373; rev:1;) alert tcp $HOME_NET any -> [78.161.26.61] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204371; rev:1;) alert tcp $HOME_NET any -> [78.161.26.61] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204372; rev:1;) alert tcp $HOME_NET any -> [190.28.170.122] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204370; rev:1;) alert tcp $HOME_NET any -> [193.23.3.37] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204368; rev:1;) alert tcp $HOME_NET any -> [187.24.70.150] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204369; rev:1;) alert tcp 
$HOME_NET any -> [181.214.240.179] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204367; rev:1;) alert tcp $HOME_NET any -> [181.214.240.179] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204365; rev:1;) alert tcp $HOME_NET any -> [181.214.240.179] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204366; rev:1;) alert tcp $HOME_NET any -> [149.0.234.87] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204364; rev:1;) alert tcp $HOME_NET any -> [185.81.157.246] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204363; rev:1;) alert tcp $HOME_NET any -> [185.81.157.246] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204361/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204361; rev:1;) alert tcp $HOME_NET any -> [185.81.157.246] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204362; rev:1;) alert tcp $HOME_NET any -> [104.243.32.185] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204360; rev:1;) alert tcp $HOME_NET any -> [51.20.70.15] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204358; rev:1;) alert tcp $HOME_NET any -> [181.235.82.111] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204359; rev:1;) alert tcp $HOME_NET any -> [136.243.151.123] 111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204357; rev:1;) alert tcp $HOME_NET any -> [188.165.251.43] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204356; rev:1;) alert tcp $HOME_NET any -> [172.111.148.101] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204354; rev:1;) alert tcp $HOME_NET any -> [206.123.132.235] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctvnews.eastus.cloudapp.azure.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-16-16-26-234.eu-north-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-35-178-199-78.eu-west-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1204350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204350; rev:1;)
# NOTE(review): these domain rules key on the DNS query name with depth:<len> plus isdataat:!1,relative,
# i.e. an exact FQDN match (nocase). A lookup for a subdomain such as staging.prfectr.xyz does NOT
# trigger the prfectr.xyz rule and needs its own entry (sid 91204343 provides one for that host).
# They also only match queries observed crossing $HOME_NET -> $EXTERNAL_NET; if clients resolve via an
# internal resolver that sits inside $HOME_NET, the sensor must see the resolver's upstream lookups for
# these sids to fire - confirm against sensor placement before relying on them for coverage.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mstraffic.cloudflare-tls.workers.dev"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204351; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prfectr.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"werbeagenturbraunschweig.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.pusd.fi"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.msftonline.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204347/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_22; classtype:trojan-activity; sid:91204347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip-173-255-196-101.cloudezapp.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blha.tail9ed4d.ts.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staging.prfectr.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"launchpad.pusd.fi"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204342; rev:1;) alert tcp $HOME_NET any -> [51.250.38.28] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204341; rev:1;) alert tcp $HOME_NET any -> [78.92.97.220] 54984 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204338/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"suppliepackas.pw"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204322; rev:1;) alert tcp $HOME_NET any -> [27.124.4.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204337/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204337; rev:1;) alert tcp $HOME_NET any -> [141.164.186.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204336/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204336; rev:1;) alert tcp $HOME_NET any -> [102.159.136.84] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204335/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204335; rev:1;) alert tcp $HOME_NET any -> [2.88.202.44] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1204334/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204334; rev:1;) alert tcp $HOME_NET any -> [85.107.152.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204333/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204333; rev:1;) alert tcp $HOME_NET any -> [84.155.8.44] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204332/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204332; rev:1;) alert tcp $HOME_NET any -> [70.49.245.46] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204331/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204331; rev:1;) alert tcp $HOME_NET any -> [102.158.179.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204330/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204330; rev:1;) alert tcp $HOME_NET any -> [217.197.62.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204329/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204329; rev:1;) alert tcp $HOME_NET any -> [165.227.141.167] 445 (msg:"ThreatFox Responder botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204328/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204328; rev:1;) alert tcp $HOME_NET any -> [161.35.162.219] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204327/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204327; rev:1;) alert tcp $HOME_NET any -> [172.208.97.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204326/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204326; rev:1;) alert tcp $HOME_NET any -> [173.254.235.30] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204325/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204325; rev:1;) alert tcp $HOME_NET any -> [34.205.127.224] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204324/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204324; rev:1;) alert tcp $HOME_NET any -> [52.166.195.23] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204323/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204323; rev:1;) alert tcp $HOME_NET any -> [18.142.254.96] 80 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204321/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204321; rev:1;) alert tcp $HOME_NET any -> [3.127.93.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204320/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204320; rev:1;) alert tcp $HOME_NET any -> [45.32.8.42] 6543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204319/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204317; rev:1;) alert tcp $HOME_NET any -> [117.72.35.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204318; rev:1;) alert tcp $HOME_NET any -> [149.28.109.119] 443 (msg:"ThreatFox BumbleBee botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204316/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_22; classtype:trojan-activity; sid:91204316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consciousnessauto.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hollconsole.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204315/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.140.135.23"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.113.204.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204312; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"95.85.73.13"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"az.yagmur.mom"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204310; rev:1;) alert tcp $HOME_NET any -> [43.139.96.246] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204307; rev:1;) alert tcp $HOME_NET any -> [194.33.191.214] 3377 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"defrosscrappeo.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204306; rev:1;) 
# NOTE(review): the ip:port rules carry no flow: keyword, so they fire on the first packet toward the
# listed destination (a bare SYN from a scan included) and say nothing about whether any data was
# exchanged; threshold "type limit, track by_src, seconds 60, count 1" then caps output at one alert
# per source host per minute. The confidence_level metadata (80 and 60 here, 50 on several neighbouring
# sids) appears to be the feed's grading of the IOC itself, not a measure of the rule's precision -
# filter on it before turning any of these sids into a block action. The http rules that follow are
# narrower: flow:established,from_client plus an exact, length-bounded Host header and an anchored
# URI prefix (http.uri content with depth:<len>).
alert tcp $HOME_NET any -> [45.32.101.56] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204309/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204309; rev:1;)
alert tcp $HOME_NET any -> [206.188.196.156] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204305/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_22; classtype:trojan-activity; sid:91204305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"thebestthings1337.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"thebestthings1337.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"38.147.172.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204302/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.43.55.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204301; rev:1;) alert tcp $HOME_NET any -> [35.78.243.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.115.201.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.107.107.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ptj"; depth:4; nocase; http.host; content:"167.71.53.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204296; rev:1;) alert tcp $HOME_NET any -> [117.72.35.30] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"44.225.229.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"119.45.181.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"111.230.198.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204292; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.41.2.26"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204291; rev:1;) alert tcp $HOME_NET any -> [104.21.83.199] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204289; rev:1;) alert tcp $HOME_NET any -> [172.67.181.9] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dein-waschbaer.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voice.testyteste.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/network/voice/voiceai_setup.exe"; depth:41; nocase; http.host; content:"dein-waschbaer.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jooshorks.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kir.odaire.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204284; rev:1;) alert tcp $HOME_NET any -> [209.25.141.223] 45283 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204286/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"83.147.245.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204288; rev:1;) alert tcp $HOME_NET any -> [8.137.48.121] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204287/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204287; rev:1;) alert tcp $HOME_NET any -> [172.105.235.197] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204279/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204279; rev:1;) alert tcp $HOME_NET any -> [45.13.227.9] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204257/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_22; classtype:trojan-activity; sid:91204257; rev:1;) alert tcp $HOME_NET any -> [185.80.2.120] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204259/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204259; rev:1;) alert tcp $HOME_NET any -> [162.144.23.32] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204260/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_22; classtype:trojan-activity; sid:91204260; rev:1;) alert tcp $HOME_NET any -> [91.92.244.198] 6696 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204266/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_22; classtype:trojan-activity; sid:91204266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6coinc.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204267; rev:1;) alert tcp $HOME_NET any -> [194.15.216.233] 4548 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thebestthings1337.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"midatlanticlabel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"limeerror.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"risenpeaches.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204278; rev:1;) alert tcp $HOME_NET any -> [60.204.223.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204274/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.118.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.178.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; 
sid:91204270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.113.204.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"175.178.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.134.109.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.139.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.223.83.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0885664.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204258; rev:1;) alert tcp $HOME_NET any -> [124.221.209.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204256; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"124.221.209.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204255; rev:1;) alert tcp $HOME_NET any -> [13.52.77.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"13.52.77.84"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204253; rev:1;) alert tcp $HOME_NET any -> [112.124.6.100] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-aizhwq2o-1255155815.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; 
classtype:trojan-activity; sid:91204251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"service-aizhwq2o-1255155815.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204250; rev:1;) alert tcp $HOME_NET any -> [104.143.46.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.143.46.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/owa/"; depth:15; nocase; http.host; content:"101.43.45.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204247; rev:1;) alert tcp $HOME_NET any -> [192.185.152.133] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204245; rev:1;) alert tcp $HOME_NET any -> [188.241.222.22] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204246; rev:1;) alert tcp $HOME_NET any -> [116.203.51.117] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204244/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204244; rev:1;) alert tcp $HOME_NET any -> [123.57.90.78] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204243/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204243; rev:1;) alert tcp $HOME_NET any -> [119.45.181.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204242/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204242; rev:1;) alert tcp $HOME_NET any -> [1.92.76.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204241/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204241; rev:1;) alert tcp $HOME_NET any -> 
[18.157.68.73] 15203 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204240; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15203 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204239; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15203 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_cf.php"; depth:33; nocase; http.host; content:"midatlanticlabel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204237; rev:1;) alert tcp $HOME_NET any -> [141.98.10.26] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204233/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_22; classtype:trojan-activity; sid:91204233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"midatlanticlabel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"midatlanticlabel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204236; rev:1;) alert tcp $HOME_NET any -> [178.162.199.83] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204234/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204234; rev:1;) alert tcp $HOME_NET any -> [77.91.68.4] 17487 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204232; rev:1;) alert tcp $HOME_NET any -> [45.15.156.240] 21823 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204231; rev:1;) alert tcp $HOME_NET any -> [62.109.22.162] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204230/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204230; rev:1;) alert tcp $HOME_NET any -> [39.107.107.245] 8091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204229/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204229; rev:1;) alert tcp $HOME_NET any -> [43.139.47.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204228/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204228; rev:1;) alert tcp $HOME_NET any -> [187.192.88.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204227/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204227; rev:1;) alert tcp $HOME_NET any -> [95.147.160.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204226/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204226; rev:1;) alert tcp $HOME_NET any -> [187.213.220.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204225/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204225; rev:1;) alert tcp $HOME_NET any -> 
[79.107.159.93] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204224/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204224; rev:1;) alert tcp $HOME_NET any -> [201.137.198.250] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204223/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204223; rev:1;) alert tcp $HOME_NET any -> [154.246.230.147] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204222/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204222; rev:1;) alert tcp $HOME_NET any -> [197.204.157.205] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204221/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204221; rev:1;) alert tcp $HOME_NET any -> [31.190.242.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204220/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204220; rev:1;) alert tcp $HOME_NET any -> [54.245.165.170] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204219/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_11_22; classtype:trojan-activity; sid:91204219; rev:1;) alert tcp $HOME_NET any -> [172.208.90.130] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204218/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204218; rev:1;) alert tcp $HOME_NET any -> [185.254.238.160] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204217/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8sjimonstersboonkonline.com"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1204140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"siliconerumble.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1204141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"adfincolniclo.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1204142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204142; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"188.246.224.221"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1204143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"twittesling.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1204144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vittoriogioia.icu"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1204145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.91.68.247"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1204146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.244.48.148"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1204147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"danielhamerling.icu"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1204148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.91.124.154"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1204149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vewver.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1204150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"giuliotoro.icu"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1204151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.232.54"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1204152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"severinofragola.icu"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1204153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.250.45.18"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1204154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"arturogillotti.icu"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1204155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bernardofata.icu"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1204156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.78.76.13"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1204157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"128.140.84.205"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1204158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.92.215"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1204159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"googlecloudns.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204160; rev:1;) alert tcp $HOME_NET any -> [193.168.143.148] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"adhufdauifadhj13.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1204137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"167.114.199.65"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1204138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jordanmikejeforse.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1204139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204139; rev:1;) alert tcp $HOME_NET any -> [95.214.55.177] 2474 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"faststroygo.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1204135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"homeservicetreking.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1204136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204136; rev:1;) alert tcp $HOME_NET any -> [185.221.198.97] 26730 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.243.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204130/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204130; rev:1;) alert tcp $HOME_NET any -> [65.153.151.130] 8800 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204216/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204216; rev:1;) alert tcp $HOME_NET any -> [45.15.159.225] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204215/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204215; rev:1;) alert tcp $HOME_NET any -> [154.9.254.202] 8858 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204214/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/john/panel/fre.php"; depth:19; nocase; http.host; content:"homoeo4u.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204213/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/protectdownloads/track0local/basevoiddb/dle/trafficlow/pollprocessor/temporary/6central/polllowprocessorapisqllinuxwppublicuploads.php"; depth:135; nocase; http.host; content:"5.42.86.60"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204212; rev:1;) alert tcp $HOME_NET any -> [110.42.218.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204211/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204211; rev:1;) alert tcp $HOME_NET any -> [103.212.81.160] 6609 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204210; rev:1;) alert tcp $HOME_NET any -> [124.222.167.173] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204209/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/strong/"; depth:8; nocase; http.host; 
content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/strong/phone.txt"; depth:17; nocase; http.host; content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/strong/web.txt"; depth:15; nocase; http.host; content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahoram-appphp.tech"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204204; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mori/"; depth:6; nocase; http.host; content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mori/log.php"; depth:13; nocase; http.host; content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mori/phone.txt"; depth:15; nocase; http.host; content:"ahoram-appphp.tech"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204201; rev:1;) alert tcp $HOME_NET any -> [94.191.187.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204200/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204200; rev:1;) alert tcp $HOME_NET any -> [120.89.68.50] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204199/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.php"; depth:8; nocase; http.host; content:"ssn.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etanol/log.php"; depth:15; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etanol/web.txt"; depth:15; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204196; rev:1;) alert tcp $HOME_NET any -> [104.248.249.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204195/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204195; rev:1;) alert tcp $HOME_NET any -> [18.197.53.191] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1204194/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204194; rev:1;) alert tcp $HOME_NET any -> [8.141.81.51] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204193/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204193; rev:1;) alert tcp $HOME_NET any -> [120.89.68.51] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204192/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204192; rev:1;) alert tcp $HOME_NET any -> [111.230.198.166] 8333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204191/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mani1"; depth:6; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mani1/web.txt"; depth:14; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1204189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mani1/log.php"; depth:14; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1002031980062"; depth:22; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002031980062"; depth:19; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002031980062"; depth:19; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204185/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervideovmtophpmultiwordpress.php"; depth:39; nocase; http.host; content:"269818cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_22; classtype:trojan-activity; sid:91204184; rev:1;) alert tcp $HOME_NET any -> [125.60.95.157] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204183/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204183; rev:1;) alert tcp $HOME_NET any -> [3.77.56.253] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204182/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204182; rev:1;) alert tcp $HOME_NET any -> [106.14.143.151] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204181/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.126.117.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204180/; target:src_ip; metadata: confidence_level 
50, first_seen 2023_11_22; classtype:trojan-activity; sid:91204180; rev:1;) alert tcp $HOME_NET any -> [16.170.148.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204179/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_22; classtype:trojan-activity; sid:91204179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"revivalsecularas.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.94.26.40"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xpencildiscussiio.pw"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"xpencildiscussiio.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204175/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204175; rev:1;) alert tcp $HOME_NET any -> [185.172.128.100] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbecueappledos.pw"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zip.php"; depth:8; nocase; http.host; content:"qoone1sr.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204171; rev:1;) alert tcp $HOME_NET any -> [64.176.5.228] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204168; rev:1;) 
alert tcp $HOME_NET any -> [65.20.78.68] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204169; rev:1;) alert tcp $HOME_NET any -> [64.176.67.194] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204167; rev:1;) alert tcp $HOME_NET any -> [45.61.128.201] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204166/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91204166; rev:1;) alert tcp $HOME_NET any -> [112.35.98.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204165/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91204165; rev:1;) alert tcp $HOME_NET any -> [20.68.243.107] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204164/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91204164; rev:1;) alert tcp $HOME_NET any -> [185.202.175.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204163/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91204163; rev:1;) alert tcp $HOME_NET any -> [35.77.79.179] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twlifeuat.sumikuma.tw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204131; rev:1;) alert tcp $HOME_NET any -> [152.32.219.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204129/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204129; rev:1;) alert tcp $HOME_NET any -> [121.209.149.131] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204128/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; 
sid:91204128; rev:1;) alert tcp $HOME_NET any -> [95.149.166.38] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204127/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204127; rev:1;) alert tcp $HOME_NET any -> [117.215.23.136] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204126/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204126; rev:1;) alert tcp $HOME_NET any -> [60.49.97.58] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204125/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204125; rev:1;) alert tcp $HOME_NET any -> [117.195.17.160] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204124/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204124; rev:1;) alert tcp $HOME_NET any -> [197.2.10.236] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204123/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204123; rev:1;) alert tcp $HOME_NET any -> [70.49.34.218] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204122/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204122; rev:1;) alert tcp $HOME_NET any -> [190.133.143.232] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204121/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204121; rev:1;) alert tcp $HOME_NET any -> [39.40.190.194] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204120/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204120; rev:1;) alert tcp $HOME_NET any -> [154.246.116.114] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204119/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204119; rev:1;) alert tcp $HOME_NET any -> [20.77.132.128] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204118/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204118; rev:1;) alert tcp $HOME_NET any -> [46.101.85.199] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204116/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204116; rev:1;) alert tcp $HOME_NET any -> [13.36.11.243] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204117/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204117; rev:1;) alert tcp $HOME_NET any -> [51.20.80.52] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204115/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204115; rev:1;) alert tcp $HOME_NET any -> [109.72.93.55] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204114/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204114; rev:1;) alert tcp $HOME_NET any -> [5.39.249.226] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204113/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204113; rev:1;) alert tcp $HOME_NET any -> [167.71.38.111] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204112/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204112; rev:1;) alert tcp $HOME_NET any -> [195.2.92.206] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204111/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204111; rev:1;) alert tcp $HOME_NET any -> 
[94.198.50.195] 6000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204110/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204110; rev:1;) alert tcp $HOME_NET any -> [13.212.172.17] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204109/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204109; rev:1;) alert tcp $HOME_NET any -> [13.212.172.17] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204108/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91204108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b14/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204107/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91204107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b14/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204106; rev:1;) alert tcp $HOME_NET any -> [77.91.124.27] 20885 (msg:"ThreatFox 
RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loghub/master"; depth:14; nocase; http.host; content:"5.42.64.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204104; rev:1;) alert tcp $HOME_NET any -> [195.154.188.211] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204078; rev:1;) alert tcp $HOME_NET any -> [195.154.241.165] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204080; rev:1;) alert tcp $HOME_NET any -> [195.154.252.221] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204085; rev:1;) alert tcp $HOME_NET any -> [195.154.253.49] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204086; rev:1;) alert tcp $HOME_NET any -> [37.187.142.187] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204087; rev:1;) alert tcp $HOME_NET any -> [37.187.148.204] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204089; rev:1;) alert tcp $HOME_NET any -> [88.80.145.110] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204091; rev:1;) alert tcp $HOME_NET any -> [62.210.204.131] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204090; rev:1;) alert tcp $HOME_NET any -> [88.80.145.142] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204092; rev:1;) alert 
tcp $HOME_NET any -> [88.80.147.200] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204093; rev:1;) alert tcp $HOME_NET any -> [88.80.147.205] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204094; rev:1;) alert tcp $HOME_NET any -> [88.80.147.36] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204095; rev:1;) alert tcp $HOME_NET any -> [88.80.148.33] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204096; rev:1;) alert tcp $HOME_NET any -> [88.80.148.8] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204097; rev:1;) alert tcp $HOME_NET any -> [91.121.171.208] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1204098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204098; rev:1;) alert tcp $HOME_NET any -> [91.121.30.185] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204099; rev:1;) alert tcp $HOME_NET any -> [91.92.111.131] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204100; rev:1;) alert tcp $HOME_NET any -> [91.92.111.132] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204101; rev:1;) alert tcp $HOME_NET any -> [91.92.111.133] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204102; rev:1;) alert tcp $HOME_NET any -> [94.23.58.173] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204103; rev:1;) alert tcp $HOME_NET any -> [195.154.235.51] 1074 
(msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204079; rev:1;) alert tcp $HOME_NET any -> [195.154.242.37] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204081; rev:1;) alert tcp $HOME_NET any -> [195.154.243.38] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204082; rev:1;) alert tcp $HOME_NET any -> [195.154.251.21] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204083; rev:1;) alert tcp $HOME_NET any -> [195.154.251.99] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204084; rev:1;) alert tcp $HOME_NET any -> [37.187.143.172] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204088/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204088; rev:1;) alert tcp $HOME_NET any -> [195.154.178.238] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204077; rev:1;) alert tcp $HOME_NET any -> [195.154.176.209] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204076; rev:1;) alert tcp $HOME_NET any -> [195.154.176.206] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204075; rev:1;) alert tcp $HOME_NET any -> [188.165.192.18] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204072; rev:1;) alert tcp $HOME_NET any -> [195.154.174.130] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204074; rev:1;) alert tcp $HOME_NET any -> [185.141.63.85] 1074 (msg:"ThreatFox Socks5 
Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204070; rev:1;) alert tcp $HOME_NET any -> [188.165.195.130] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204073; rev:1;) alert tcp $HOME_NET any -> [185.141.63.4] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204068; rev:1;) alert tcp $HOME_NET any -> [188.165.192.126] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204071; rev:1;) alert tcp $HOME_NET any -> [185.141.63.2] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204067; rev:1;) alert tcp $HOME_NET any -> [185.141.63.84] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204069/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204069; rev:1;) alert tcp $HOME_NET any -> [176.31.254.229] 1074 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204066; rev:1;) alert tcp $HOME_NET any -> [185.31.111.198] 25001 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204064; rev:1;) alert tcp $HOME_NET any -> [185.157.162.241] 1302 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204065; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 5240 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204024; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 18925 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204025; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 5240 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204026; rev:1;) alert tcp $HOME_NET any -> [34.130.82.241] 5010 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204027; rev:1;) alert tcp $HOME_NET any -> [46.183.221.28] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204028; rev:1;) alert tcp $HOME_NET any -> [51.89.38.74] 33966 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204029; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 18925 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204030; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 5240 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204031; rev:1;) alert tcp $HOME_NET any -> 
[52.91.10.228] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204032; rev:1;) alert tcp $HOME_NET any -> [54.90.216.100] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204033; rev:1;) alert tcp $HOME_NET any -> [65.0.80.77] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204034; rev:1;) alert tcp $HOME_NET any -> [80.66.87.4] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204035; rev:1;) alert tcp $HOME_NET any -> [87.172.204.140] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204036; rev:1;) alert tcp $HOME_NET any -> [93.123.85.35] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204037/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_21; classtype:trojan-activity; sid:91204037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2023navidad.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204038; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 18925 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204023; rev:1;) alert tcp $HOME_NET any -> [216.107.136.195] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204022; rev:1;) alert tcp $HOME_NET any -> [206.189.20.127] 6234 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204020; rev:1;) alert tcp $HOME_NET any -> [207.32.219.52] 7771 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204021; rev:1;) alert tcp $HOME_NET any -> [185.183.34.34] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204018; rev:1;) alert tcp $HOME_NET any -> [185.239.237.162] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204019; rev:1;) alert tcp $HOME_NET any -> [162.212.154.8] 41589 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204017; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 24796 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"house-rooms.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"if-shuttle.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91204051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gold-peoples.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frank4893.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fgfdsnvisdnvijnsdvdssdsd.con-ip.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"around-lite.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conditions-monthly.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204041; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"language-partnership.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newpossibility.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"traffic-statewide.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viiper1337-29699.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowis11.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"treegreeny.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204012; rev:1;) alert tcp $HOME_NET any -> [104.250.180.178] 7061 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1204015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.188.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.198.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1204013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204013; rev:1;) alert tcp $HOME_NET any -> [136.50.194.181] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203966; rev:1;) alert tcp $HOME_NET any -> [136.50.194.181] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203967; rev:1;) alert tcp $HOME_NET any -> [154.9.253.177] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203968; rev:1;) alert tcp $HOME_NET any -> [163.5.169.28] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203969; rev:1;) alert tcp $HOME_NET any -> [180.195.205.155] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203970; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 58530 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203971; rev:1;) alert tcp $HOME_NET any -> [194.55.224.24] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203972; rev:1;) alert tcp $HOME_NET any -> [194.55.224.24] 9030 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203973; rev:1;) alert tcp $HOME_NET any -> [195.133.197.3] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203974; rev:1;) alert tcp $HOME_NET any -> [20.205.140.63] 1024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203975; rev:1;) alert tcp $HOME_NET any -> [45.32.119.154] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203976; rev:1;) alert tcp $HOME_NET any -> [45.61.174.20] 5552 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203977; rev:1;) alert tcp $HOME_NET any -> [85.98.162.136] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1203978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203978; rev:1;) alert tcp $HOME_NET any -> [87.159.4.210] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203979; rev:1;) alert tcp $HOME_NET any -> [88.209.197.253] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cock.holyshithowmanydomainandproxycanigettorunmyserver.info"; depth:59; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.adaklab.ir"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldbolbein.chickenkiller.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203986/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_21; classtype:trojan-activity; sid:91203986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldgoblein.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infallible-water-17742.pktriot.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laraloveu-44526.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malhost.loca.lt"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"points-deep.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203995; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quasardeez.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riprealworld-55179.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rough-night-92806.pktriot.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sero.definitivlegit.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shipperd69.strangled.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"statics.kozow.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testrun.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topportas.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1204009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91204009; rev:1;) alert tcp $HOME_NET any -> [95.216.176.210] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203963; rev:1;) alert tcp $HOME_NET any -> [195.201.255.35] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203964; rev:1;) alert tcp $HOME_NET any -> [128.140.72.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203965/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.72.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.255.35"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bowbrain"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199572358993"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.253.125"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1203953/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203953; rev:1;) alert tcp $HOME_NET any -> [123.60.67.177] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203955/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203955; rev:1;) alert tcp $HOME_NET any -> [38.147.172.207] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203954/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwvlmgi1odc4njfj/"; depth:18; nocase; http.host; content:"strmbaselib.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203952/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwvlmgi1odc4njfj/"; depth:18; nocase; http.host; content:"nigemgrouapp.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203950/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwvlmgi1odc4njfj/"; depth:18; nocase; http.host; content:"nigemgrouapp.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203951/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"peyfi.bio"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203949/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"ecolosolution.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203948/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"cotogarden.co"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203947/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"fhuiooemrrerensb.co"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203946/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; 
content:"fhuiooemensb.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203945/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"rrqg.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203944/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"fghdfhdgh33.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203942/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymu2mgq0zwyxodm5/"; depth:18; nocase; http.host; content:"rgsdhsdf31.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203943/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwvlmgi1odc4njfj/"; depth:18; nocase; http.host; content:"macfitt.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203941/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_11_21; classtype:trojan-activity; sid:91203941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwvlmgi1odc4njfj/"; depth:18; nocase; http.host; content:"strmphone.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203940/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwvlmgi1odc4njfj/"; depth:18; nocase; http.host; content:"stormslva.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203939/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmezntkzzdfkowqz/"; depth:18; nocase; http.host; content:"junggvbvqqnetok.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203938/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmezntkzzdfkowqz/"; depth:18; nocase; http.host; content:"junggvbvqqgroup.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203937/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmezntkzzdfkowqz/"; depth:18; nocase; http.host; content:"junggpervbvqqqqqq.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203936/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmezntkzzdfkowqz/"; depth:18; nocase; http.host; content:"junggvrebvqq.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203935/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmezntkzzdfkowqz/"; depth:18; nocase; http.host; content:"bobnoopo.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203934/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmezntkzzdfkowqz/"; depth:18; nocase; http.host; content:"lauytropo.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203933/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/yjrkzje0ntuynzzm/"; depth:18; nocase; http.host; content:"otakikotaik6423234.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203931/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjrkzje0ntuynzzm/"; depth:18; nocase; http.host; content:"otakikotaik1224634.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203930/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjrkzje0ntuynzzm/"; depth:18; nocase; http.host; content:"otakikotaik3234234.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203928/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjrkzje0ntuynzzm/"; depth:18; nocase; http.host; content:"otakikotaik1334534.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203929/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjrkzje0ntuynzzm/"; depth:18; nocase; http.host; content:"otakikotaik4234234.net"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203927/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjrkzje0ntuynzzm/"; depth:18; nocase; http.host; content:"185.225.75.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203926/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"7jamiryo22113.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203925/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"6jamiryo22113.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203924/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"3jamiryo22113.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203922/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"5jamiryo22113.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203923/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"4jamiryo22113.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203921/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"185.225.75.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203919/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odvlzdlkmzu1ztri/"; depth:18; nocase; http.host; content:"2jamiryo22113.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203920/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203920; rev:1;) alert tcp $HOME_NET any -> [18.235.126.195] 443 (msg:"ThreatFox Serpent botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203918/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203918; rev:1;) alert tcp $HOME_NET any -> [69.197.161.106] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203915/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203915; rev:1;) alert tcp $HOME_NET any -> [185.172.128.19] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203916/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"brodoyouevenlift.co.za"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203917/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tceducn.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203911/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203911; rev:1;) alert tcp $HOME_NET any -> [5.42.66.9] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203912/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"shohetrc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203913/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"atillapro.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203914/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203914; rev:1;) alert tcp $HOME_NET any -> [45.8.145.80] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203910; rev:1;) alert tcp $HOME_NET any -> [146.190.41.228] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203900/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"skinnychattyfur.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203901; rev:1;) alert tcp $HOME_NET any -> [3.132.159.158] 13615 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.microsoftus.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203909; rev:1;) alert tcp $HOME_NET any -> [3.140.223.7] 13615 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203904; rev:1;) alert tcp $HOME_NET any -> [3.141.142.211] 13615 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203905; rev:1;) alert tcp $HOME_NET any -> [3.141.177.1] 13615 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203906; rev:1;) alert tcp $HOME_NET any -> [3.141.210.37] 13615 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203907/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203907; rev:1;) alert tcp $HOME_NET any -> [18.189.106.45] 13615 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203908; rev:1;) alert tcp $HOME_NET any -> [18.188.146.171] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203902/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.249.9.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.39.78.153"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1203897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master22.js"; depth:12; nocase; http.host; content:"140.210.213.211"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"113.141.87.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"52.198.192.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; depth:56; nocase; http.host; content:"117.72.17.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; 
sid:91203893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"172.245.9.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.170.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203891; rev:1;) alert tcp $HOME_NET any -> [158.247.253.155] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203887; rev:1;) alert tcp $HOME_NET any -> [139.180.216.25] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203888; rev:1;) alert tcp $HOME_NET any -> [70.34.209.101] 13720 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203889; rev:1;) alert tcp 
$HOME_NET any -> [137.220.55.190] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203890; rev:1;) alert tcp $HOME_NET any -> [87.239.108.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203886/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203886; rev:1;) alert tcp $HOME_NET any -> [8.134.161.181] 4848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203885/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.225.191.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"cands.tel"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203883/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91203883; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"re.remotekimhyunnck.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"re.remotekimhyunnck.site"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remotekimhyunnck.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/"; depth:6; nocase; http.host; content:"re.remotekimhyunnck.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/web.txt"; depth:13; nocase; http.host; content:"re.remotekimhyunnck.site"; depth:24; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1203878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/log.php"; depth:13; nocase; http.host; content:"re.remotekimhyunnck.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.78.201.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fastis.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/"; depth:6; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh"; depth:14; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh/wa/"; depth:18; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh/wa/sms.php"; depth:25; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh/wa/sms.php"; depth:25; nocase; http.host; content:"fastis.xyz"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh/wa/requests.php"; depth:30; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh/wa/id.txt"; depth:24; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dars/amoozesh/wa/contact.php"; depth:29; nocase; http.host; content:"fastis.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203866; rev:1;) alert tcp $HOME_NET any -> [188.246.224.221] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203834; rev:1;) alert tcp $HOME_NET any -> 
[188.246.224.221] 8080 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"howtofixit.imnotaturk.network"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"howtofixit.imnotaturk.network"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imnotaturk.network"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"howtofixit.imnotaturk.network"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; 
sid:91203862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/"; depth:8; nocase; http.host; content:"howtofixit.imnotaturk.network"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001942313538"; depth:22; nocase; http.host; content:"howtofixit.imnotaturk.network"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001942313538"; depth:19; nocase; http.host; content:"howtofixit.imnotaturk.network"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001942313538"; depth:19; nocase; http.host; content:"howtofixit.imnotaturk.network"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203858; rev:1;) alert tcp $HOME_NET any -> [147.182.185.27] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clientwebservice"; depth:17; nocase; http.host; content:"oak-d5fmc3bzezh2dwhk.z01.azurefd.net"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oak-d5fmc3bzezh2dwhk.z01.azurefd.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203856; rev:1;) alert tcp $HOME_NET any -> [123.249.104.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"123.249.104.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203853; 
rev:1;) alert tcp $HOME_NET any -> [101.42.172.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.42.172.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.223.38.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"116.204.98.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203849; rev:1;) alert tcp $HOME_NET any -> [89.231.229.193] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203848/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sober/"; depth:7; nocase; http.host; content:"imini.site"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imini.site"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sober/phone.txt"; depth:16; nocase; http.host; content:"imini.site"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sober/web.txt"; depth:14; nocase; http.host; content:"imini.site"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/arslan/"; depth:8; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/log.php"; depth:15; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/web.txt"; depth:15; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203841; rev:1;) alert tcp $HOME_NET any -> [8.222.187.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203840/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203840; rev:1;) alert tcp $HOME_NET any -> [149.248.4.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203839/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/log.php"; depth:14; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/web.txt"; depth:14; nocase; http.host; content:"thebestgn.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thebestgn.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203836; rev:1;) alert tcp $HOME_NET any -> [107.172.34.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203833/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203833; rev:1;) alert tcp $HOME_NET any -> [45.66.230.229] 8753 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203832/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91203832; rev:1;) alert tcp $HOME_NET any -> [104.129.27.19] 7707 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203830/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91203830; rev:1;) alert tcp $HOME_NET any -> [104.129.27.19] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203831/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91203831; rev:1;) alert tcp $HOME_NET any -> [104.129.27.19] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203828/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91203828; rev:1;) alert tcp $HOME_NET any -> [104.129.27.19] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203829/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_21; classtype:trojan-activity; sid:91203829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21b9c0db1dfb4718.php"; depth:21; nocase; http.host; content:"185.78.76.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9sdjscv2/login.php"; 
depth:20; nocase; http.host; content:"brodoyouevenlift.co.za"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203825; rev:1;) alert tcp $HOME_NET any -> [148.72.153.115] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203826/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203826; rev:1;) alert tcp $HOME_NET any -> [103.212.81.154] 6028 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203708; rev:1;) alert tcp $HOME_NET any -> [155.94.136.130] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203709; rev:1;) alert tcp $HOME_NET any -> [173.249.196.201] 5077 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203710; rev:1;) alert tcp $HOME_NET any -> [194.147.140.186] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203711; rev:1;) alert tcp $HOME_NET any -> [23.227.199.39] 1976 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203712; rev:1;) alert tcp $HOME_NET any -> [45.133.235.148] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203713; rev:1;) alert tcp $HOME_NET any -> [46.183.223.122] 29873 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203714; rev:1;) alert tcp $HOME_NET any -> [91.193.75.147] 6789 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"centurygift.myq-see.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"donpapajay.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grace.adds-only.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"info1.dynamic-dns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jilnsmclein.3utilities.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"members-path.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-update-tool.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1203731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgexserver.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soon-lp.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"segun.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanael-62946.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tende.dvrdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203738/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_21; classtype:trojan-activity; sid:91203738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waswift.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxxza.dynamic-dns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203742; rev:1;) alert tcp $HOME_NET any -> [109.236.82.82] 5001 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203743; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203744; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203745; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2406 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203746; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2407 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203747; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2408 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203748; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 3398 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203749; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 9987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203750; rev:1;) alert tcp $HOME_NET any -> [5.61.55.210] 8004 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203753; rev:1;) alert tcp 
$HOME_NET any -> [185.29.8.29] 4039 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203751; rev:1;) alert tcp $HOME_NET any -> [2.59.254.160] 8500 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203752; rev:1;) alert tcp $HOME_NET any -> [5.61.55.210] 8006 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203754; rev:1;) alert tcp $HOME_NET any -> [80.66.75.86] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203755; rev:1;) alert tcp $HOME_NET any -> [94.142.138.155] 2580 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bantubusta0816.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1203758/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cocacabanaclubsdownt.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203759/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bad.con-ip.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203757/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"comercio.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203760/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dxxxxza.dynamic-dns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203761/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gig24.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203762/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"idofjodjvodjvojvojfojooiodijnj.con-ip.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203763/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ima.con-ip.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203764/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"menge.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203766/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"large-sox.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203765/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sdhisdviudsibdsibedas.con-ip.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203769/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203769; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rem0323.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203768/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"millon777.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203767/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sdvsiudhvisdhvodshv.con-ip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203770/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"snackdoom94.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203772/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sembe.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203771/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"sonia777.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203773/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"virtuallogoprepaidmaxspippline.onedumb.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203774/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"arrogantcatfishef.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203779; rev:1;) alert tcp $HOME_NET any -> [4.224.60.120] 28410 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203691; rev:1;) alert tcp $HOME_NET any -> [101.34.209.73] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203824/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203824; rev:1;) alert tcp $HOME_NET any -> [101.35.252.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1203823/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203823; rev:1;) alert tcp $HOME_NET any -> [198.13.36.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203822/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203822; rev:1;) alert tcp $HOME_NET any -> [52.141.25.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203821/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203821; rev:1;) alert tcp $HOME_NET any -> [77.49.187.148] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203820/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203820; rev:1;) alert tcp $HOME_NET any -> [197.204.133.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203819/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203819; rev:1;) alert tcp $HOME_NET any -> [70.121.206.30] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203818/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203818; rev:1;) alert tcp $HOME_NET any -> [74.12.146.184] 2222 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203817/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203817; rev:1;) alert tcp $HOME_NET any -> [154.246.116.114] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203816/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203816; rev:1;) alert tcp $HOME_NET any -> [45.62.69.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203815/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203815; rev:1;) alert tcp $HOME_NET any -> [46.251.130.164] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203814/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203814; rev:1;) alert tcp $HOME_NET any -> [103.156.170.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203813/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203813; rev:1;) alert tcp $HOME_NET any -> [78.124.155.37] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203812/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203812; rev:1;) alert tcp $HOME_NET any -> [20.93.5.194] 8089 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203811/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203811; rev:1;) alert tcp $HOME_NET any -> [40.76.55.180] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203810/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203810; rev:1;) alert tcp $HOME_NET any -> [172.208.90.130] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203809/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203809; rev:1;) alert tcp $HOME_NET any -> [185.236.202.153] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203808/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203808; rev:1;) alert tcp $HOME_NET any -> [173.255.196.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203807/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203807; rev:1;) alert tcp $HOME_NET any -> [185.240.103.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1203806/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203806; rev:1;) alert tcp $HOME_NET any -> [143.198.166.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203805/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203805; rev:1;) alert tcp $HOME_NET any -> [5.35.5.136] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203804/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203804; rev:1;) alert tcp $HOME_NET any -> [37.27.22.110] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203803/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203803; rev:1;) alert tcp $HOME_NET any -> [37.27.22.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203802/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_21; classtype:trojan-activity; sid:91203802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"danielhamerling.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; 
classtype:trojan-activity; sid:91203801; rev:1;) alert tcp $HOME_NET any -> [156.234.211.226] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203800/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203800; rev:1;) alert tcp $HOME_NET any -> [52.198.192.145] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203799/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203799; rev:1;) alert tcp $HOME_NET any -> [204.44.86.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203798/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagewindows/cdnprotonpipe/9db/providerphp/downloadseternaldle/uploads/pythontrackdump/image/uploads5/temporarymulti/topythonpacketprocessormultitrafficuniversal.php"; depth:166; nocase; http.host; content:"77.91.124.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203797; rev:1;) alert tcp $HOME_NET any -> [147.78.47.231] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203796/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203796; rev:1;) alert tcp $HOME_NET any -> [124.223.38.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203795/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203795; rev:1;) alert tcp $HOME_NET any -> [20.96.123.147] 19851 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_21; classtype:trojan-activity; sid:91203794; rev:1;) alert tcp $HOME_NET any -> [119.45.181.134] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203793/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_21; classtype:trojan-activity; sid:91203793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1170771441797566586/1174334633442291753/ccleaner.zip"; depth:65; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/appropriate"; depth:12; nocase; http.host; content:"supportlights.com"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1203791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/customerresources"; depth:18; nocase; http.host; content:"supportlights.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ofiuewq20o1.php"; depth:16; nocase; http.host; content:"ocube-consulting.fr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pqoicjein2.php"; depth:15; nocase; http.host; content:"mon-carnet-de-sante.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pofoiwjeniofj12.php"; depth:20; nocase; http.host; content:"hangdrums.fr"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; 
sid:91203787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doihn12ijok21.php"; depth:18; nocase; http.host; content:"baywatchrent.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203786; rev:1;) alert tcp $HOME_NET any -> [95.85.73.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"95.85.73.13"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203784; rev:1;) alert tcp $HOME_NET any -> [43.156.2.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"43.156.2.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203782/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203782; rev:1;) alert tcp $HOME_NET any -> [154.213.17.174] 999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"154.213.17.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bookgames.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203778; rev:1;) alert tcp $HOME_NET any -> [185.215.113.61] 16034 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203777; rev:1;) alert tcp $HOME_NET any -> [154.26.157.48] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203776/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"loodwork.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203775/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.mis.charitykp.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"check.mis.charitykp.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mis.charitykp.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203705; rev:1;) alert tcp $HOME_NET any -> [54.233.162.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203704/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203704; rev:1;) alert tcp $HOME_NET any -> 
[43.153.207.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203703/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203703; rev:1;) alert tcp $HOME_NET any -> [59.88.27.148] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203702/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203702; rev:1;) alert tcp $HOME_NET any -> [154.246.62.35] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203701/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203701; rev:1;) alert tcp $HOME_NET any -> [154.246.62.35] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203700/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203700; rev:1;) alert tcp $HOME_NET any -> [197.26.188.179] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203699/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203699; rev:1;) alert tcp $HOME_NET any -> [102.156.106.202] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203698/; target:src_ip; metadata: confidence_level 
50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203698; rev:1;) alert tcp $HOME_NET any -> [188.161.234.48] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203697/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203697; rev:1;) alert tcp $HOME_NET any -> [90.4.184.29] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203696/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203696; rev:1;) alert tcp $HOME_NET any -> [147.182.146.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203695/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203695; rev:1;) alert tcp $HOME_NET any -> [139.28.36.5] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203694/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203694; rev:1;) alert tcp $HOME_NET any -> [112.3.30.170] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203693/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203693; rev:1;) alert tcp $HOME_NET any -> [4.227.189.107] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1203692/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"revivalsecularas.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"interplaychoske.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"loodwork.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.43.96.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203687; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns18.clsr.ca"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.222.14.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203685; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 49975 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203644/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203644; rev:1;) alert tcp $HOME_NET any -> [15.228.35.69] 5000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203645/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203645; rev:1;) alert tcp $HOME_NET any -> [188.148.105.135] 2112 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203647/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203647; rev:1;) alert tcp $HOME_NET any -> [172.177.19.106] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203646/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203646; rev:1;) alert tcp $HOME_NET any -> [35.220.199.19] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203648/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203648; rev:1;) alert tcp $HOME_NET any -> [54.90.216.100] 7001 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203649/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203649; rev:1;) alert tcp $HOME_NET any -> [62.233.57.160] 6789 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203650/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2freshinxworm2.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"case-defines.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; 
classtype:trojan-activity; sid:91203653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f8terat.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fl-distributions.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goheg99417-59409.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juandice-60636.portmap.io"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m0ney7.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"media-specified.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"normanisback.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notfishvr55-32209.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okaa0-35095.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"partner-juice.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"q-grounds.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raven123.ddnsgeek.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reference-tokyo.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shows-brussels.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarekfr77-41254.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcxerr.duckdns.org"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203683; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 40164 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203643/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203643; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 18915 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203642/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203642; rev:1;) alert tcp $HOME_NET any -> [135.181.11.41] 2424 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203588; rev:1;) alert tcp $HOME_NET any -> [167.71.56.116] 22112 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203589; rev:1;) alert tcp $HOME_NET any -> [178.254.32.61] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203590; rev:1;) alert tcp $HOME_NET any -> 
[192.160.0.65] 5040 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203591; rev:1;)
# --- ip:port C2 rules (Quasar RAT, first_seen 2023-11-20) ---
# These match on destination address and port only: there is no flow: or content: keyword,
# so any TCP segment from $HOME_NET to the listed ip:port fires, including an unanswered
# SYN (e.g. from a scanner or a sandbox). threshold caps this at one alert per source per
# 60 s, and target:src_ip marks the internal host as the victim. The feed is dated
# 2024-04-26 while these IOCs were first seen 2023-11-20; IP-only indicators go stale as
# addresses are reassigned, and several below (54.94.x, 8.134.x, 172.234.x, 20.201.x)
# appear to sit in large hosting/cloud ranges -- confirm ownership before turning alert
# into drop. sid is "9" + the ThreatFox IOC id, so the reference URL can be rebuilt from it.
alert tcp $HOME_NET any -> [193.42.33.210] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203592; rev:1;)
alert tcp $HOME_NET any -> [201.79.229.55] 1000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203593; rev:1;)
alert tcp $HOME_NET any -> [37.1.207.27] 222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203594; rev:1;)
alert tcp $HOME_NET any -> [43.135.4.224] 4789 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203595; rev:1;)
alert tcp $HOME_NET any -> [45.148.244.83] 7752 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203596; rev:1;)
alert tcp $HOME_NET any -> [45.61.128.77] 5552 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203597; rev:1;)
alert tcp $HOME_NET any -> [54.94.248.37] 16018 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203598; rev:1;)
alert tcp $HOME_NET any -> [8.134.72.167] 8808 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203599; rev:1;)
# --- domain C2 rules (dns_query) ---
# depth:N together with isdataat:!1,relative anchors both ends of the query name, so each
# rule is an exact, case-insensitive match: a query for a prefixed label (www.<name>) will
# NOT fire, but lookups of the shared parent zones (ddns.net, duckdns.org, ...) will not
# cause false positives either.
# Direction is $HOME_NET -> $EXTERNAL_NET: where clients resolve through an internal
# resolver, only the resolver's upstream lookup crosses that boundary, so target:src_ip
# names the resolver rather than the infected client -- correlate with resolver query logs.
# NOTE(review): names under gl.at.ply.gg, portmap.host, pktriot.net, softether.net and
# frp.* look like tunnel/port-forwarding relays (inferred from the suffixes, verify); if so,
# the address they resolve to is the relay, not the operator's host, and is a poor pivot.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"action-list.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203600; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alex123123123141-56619.portmap.host"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203601; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alibabash.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allah420.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"an-volunteer.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awoware.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203605; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"berlinqua.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203606; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boogerbreath-59460.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203608; rev:1;)
# ip:port rule interleaved with the domain rules; same semantics as the Quasar block above.
alert tcp $HOME_NET any -> [109.99.113.208] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203587; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitra12.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203607; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"com-overhead.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203609; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dng.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203611; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dng05vpn.v4.softether.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203612; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"everyone-substantially.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203615; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"douzi.my-wan.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203614; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frosty-wind-77851.pktriot.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203617; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frp.deitie.asia"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203618; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"japanese-youth.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johndoenut-37242.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203621; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"espadadz.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dizzywizzy-61490.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kids-reported.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203622; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memet.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203623; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"message-pockets.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203625; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okaa0-35095.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203627; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scambaiting2022.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203630; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"schools-softball.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203631; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverlolxd.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203632; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsxrkj.synology.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203635; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"without-sure.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youtubevideos.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zeroski.ink"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203640; rev:1;)
# --- lower-confidence ip:port indicators (80% DarkComet, 75% Remcos) ---
# Same match semantics as the Quasar block above (address + port, no flow/content).
# The lower confidence_level is carried only in msg and metadata; consider a separate
# priority or alert-only handling for these until they are confirmed locally.
alert tcp $HOME_NET any -> [109.107.178.106] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203684/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203684; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.232] 4765 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203641/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203641; rev:1;)
# --- Vidar: ip:port on 443 plus http rules for the same three hosts ---
# In the http rules, http.uri content:"/" with depth:1 matches every request URI (and
# nocase on "/" is a no-op), so each reduces to "GET with Host: <ip>". They are only
# evaluated on cleartext HTTP parsed by the http app-layer; if the port-443 C2 is TLS
# (likely for 443, not verifiable here) the http rules stay silent and only the tcp
# rules fire -- which, lacking flow/content, also fire on a bare SYN to those hosts.
alert tcp $HOME_NET any -> [95.217.244.44] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203584; rev:1;)
alert tcp $HOME_NET any -> [65.108.152.136] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203585/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203585; rev:1;)
alert tcp $HOME_NET any -> [195.201.46.42] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203586/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.46.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.152.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203581; rev:1;)
# NetSupport Manager RAT at 75% confidence, port 443, address-only match.
# NOTE(review): NetSupport is also sold as a legitimate remote-admin product; check for
# sanctioned use of this host before escalating beyond alert (domain knowledge, confirm).
alert tcp $HOME_NET any -> [91.92.242.229] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203580/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203580; rev:1;)
# --- domain C2 rules, continued (same exact-match dns_query semantics and resolver caveat as above) ---
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmza.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203550; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forlatinamerica.bumbleshrimp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itskmc.run.place"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"extra-hack.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203547; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodie.ooguy.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203548; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exrobotos.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203546; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"envio2023asy.bumbleshrimp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203544; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erouhisugvizi4.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203545; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dool.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drippmedsot.mywire.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203543; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcemprendimiento.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dkteamfix.webhop.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bloxstrap.theworkpc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bollon8.kozow.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"best-recycling.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jauan2023.kozow.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203552; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jobsearchtest.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203553; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knowledge-variance.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203554; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l11ol12s.sells-it.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203555; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesson.webredirect.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lila152512.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lol1112s.sells-it.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203558; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loveisthegreatest.ddnsfree.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203559; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microwsfp5555.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203560; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mloptuytonroyem.sytes.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203561; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modyforeditor.loseyourip.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asfyvisoeogtca3.fun"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bendicionesoctubre.ddnsguru.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amm.mine.nu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdvua78v8ed4t6fhvha.cn"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12tainss1s.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"474ba67bdb289c6263b36dfd8.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaarr43.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"new22.vpndns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203563; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newjakodns.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203564; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsairoet.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203565; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacman.dontexist.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203566; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxrr.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203567; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saofidubixo4r.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203568; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdhvvy7vbysuxnvjdr6gtd64.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203569; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sen3tors.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203570; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shady-mo.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203571; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taaymhost.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203572; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w3llstore.work.gd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203573; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webazssc.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203574; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webazsswebc.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203575; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webwdircetcc.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203576; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webwsetcc.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203577; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsignn.theworkpc.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203578; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yaper.dynuddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203579; rev:1;)
# --- DarkGate and AsyncRAT ip:port rules (same address+port-only semantics as the Quasar block) ---
# Several hosts are listed twice with different ports (172.234.16.71, 185.221.67.19,
# 198.44.165.35, 199.36.223.62). The threshold is per signature, so one beaconing host
# can still raise up to one alert per rule per minute -- plan dedup/aggregation by src_ip
# downstream rather than relying on the in-rule threshold alone.
alert tcp $HOME_NET any -> [82.117.253.136] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203529; rev:1;)
alert tcp $HOME_NET any -> [172.234.16.71] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203510; rev:1;)
alert tcp $HOME_NET any -> [172.234.16.71] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203511; rev:1;)
alert tcp $HOME_NET any -> [185.221.67.19] 18883 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203512; rev:1;)
alert tcp $HOME_NET any -> [185.221.67.19] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203513; rev:1;)
alert tcp $HOME_NET any -> [198.37.108.208] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203514; rev:1;)
alert tcp $HOME_NET any -> [198.44.165.35] 6602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203515; rev:1;)
alert tcp $HOME_NET any -> [198.44.165.35] 8802 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203516; rev:1;)
alert tcp $HOME_NET any -> [198.44.165.77] 6105 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203517; rev:1;)
alert tcp $HOME_NET any -> [199.36.223.62] 52364 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203518; rev:1;)
alert tcp $HOME_NET any -> [199.36.223.62] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203519; rev:1;)
alert tcp $HOME_NET any -> [20.201.123.99] 30120 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203520; rev:1;) alert tcp $HOME_NET any -> [24.254.118.248] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203521; rev:1;) alert tcp $HOME_NET any -> [4.229.227.81] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203522; rev:1;) alert tcp $HOME_NET any -> [45.138.16.87] 998 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203524; rev:1;) alert tcp $HOME_NET any -> [4.229.227.81] 8081 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203523; rev:1;) alert tcp $HOME_NET any -> [46.1.103.69] 9371 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203525; rev:1;) 
alert tcp $HOME_NET any -> [65.21.8.16] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203526; rev:1;) alert tcp $HOME_NET any -> [79.134.225.113] 9346 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203527; rev:1;) alert tcp $HOME_NET any -> [91.107.228.216] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203528; rev:1;) alert tcp $HOME_NET any -> [172.111.138.100] 4447 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203508; rev:1;) alert tcp $HOME_NET any -> [172.234.16.71] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203509; rev:1;) alert tcp $HOME_NET any -> [167.71.56.116] 22863 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1203507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203507; rev:1;) alert tcp $HOME_NET any -> [16.170.222.231] 13044 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203506; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 57444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203504; rev:1;) alert tcp $HOME_NET any -> [154.221.25.208] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203505; rev:1;) alert tcp $HOME_NET any -> [138.199.21.208] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203502; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 47793 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203503; rev:1;) alert tcp $HOME_NET any -> [124.248.66.154] 4449 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203500; rev:1;) alert tcp $HOME_NET any -> [129.226.175.203] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203501; rev:1;) alert tcp $HOME_NET any -> [121.62.23.38] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203496; rev:1;) alert tcp $HOME_NET any -> [124.248.66.136] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203497; rev:1;) alert tcp $HOME_NET any -> [124.248.66.148] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203499; rev:1;) alert tcp $HOME_NET any -> [124.248.66.143] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; 
classtype:trojan-activity; sid:91203498; rev:1;) alert tcp $HOME_NET any -> [103.233.253.8] 8801 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203493; rev:1;) alert tcp $HOME_NET any -> [103.82.38.49] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203494; rev:1;) alert tcp $HOME_NET any -> [104.168.24.201] 2345 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203495; rev:1;) alert tcp $HOME_NET any -> [103.149.201.161] 6106 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203492; rev:1;) alert tcp $HOME_NET any -> [1.120.227.126] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203491; rev:1;) alert tcp $HOME_NET any -> [37.187.122.227] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1203489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203489; rev:1;) alert tcp $HOME_NET any -> [51.159.66.125] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203490; rev:1;) alert tcp $HOME_NET any -> [103.97.176.121] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203484/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203484; rev:1;) alert tcp $HOME_NET any -> [207.148.120.140] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203485/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203485; rev:1;) alert tcp $HOME_NET any -> [207.148.120.140] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203486/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203486; rev:1;) alert tcp $HOME_NET any -> [207.148.120.140] 995 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203487/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203487; rev:1;) alert tcp $HOME_NET any -> [158.247.202.188] 993 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203488/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203488; rev:1;) alert tcp $HOME_NET any -> [158.247.253.206] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203480/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203480; rev:1;) alert tcp $HOME_NET any -> [103.56.19.158] 993 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203481/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203481; rev:1;) alert tcp $HOME_NET any -> [209.58.190.167] 32443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203482/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203482; rev:1;) alert tcp $HOME_NET any -> [103.97.176.121] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203483/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203483; rev:1;) alert tcp $HOME_NET any -> [107.150.18.101] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203478/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_11_20; classtype:trojan-activity; sid:91203478; rev:1;) alert tcp $HOME_NET any -> [172.86.75.10] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203477/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_20; classtype:trojan-activity; sid:91203477; rev:1;) alert tcp $HOME_NET any -> [178.208.87.112] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203476/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_20; classtype:trojan-activity; sid:91203476; rev:1;) alert tcp $HOME_NET any -> [196.200.131.2] 53 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203475/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203475; rev:1;) alert tcp $HOME_NET any -> [67.223.117.90] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203474/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"gpksanfrancisco.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"gpksanfrancisco.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getimagedata.php"; depth:17; nocase; http.host; content:"forumsecrets.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"182.92.216.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"16.163.101.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; 
depth:5; nocase; http.host; content:"47.95.37.191"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203471; rev:1;) alert tcp $HOME_NET any -> [43.249.9.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.249.9.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"85.209.11.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"213.226.123.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203467; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203466; rev:1;) alert tcp $HOME_NET any -> [194.135.104.211] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203465/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203465; rev:1;) alert tcp $HOME_NET any -> [77.105.139.229] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203461/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghsdh39s/login.php"; depth:19; nocase; http.host; content:"185.172.128.19"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gravellyroadhunge.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203460/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_20; classtype:trojan-activity; sid:91203460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"182.43.71.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"192.144.231.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"redteam.tandemcyberops.co"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.39.78.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203453; rev:1;) alert tcp $HOME_NET any -> [47.101.148.200] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns32.starbucksvip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203451; rev:1;) 
# ThreatFox IOC rules, one IOC per rule. The sid is "9" followed by the ThreatFox IOC id
# from the rule's reference URL (sid:91203450 <-> ioc/1203450), so sids are stable per IOC.
# Three rule shapes appear in this run:
#  - dns_query rules: the name is anchored at offset 0 (depth equals the name length) and
#    followed by isdataat:!1,relative, so only the exact name matches, not its subdomains.
#    They are scoped $HOME_NET -> $EXTERNAL_NET: a client query to a resolver inside
#    $HOME_NET is not seen; the resolver's outbound query (or a widened destination) is.
#  - http rules: flow:established,from_client; the http.host match is exact (isdataat
#    after it), while the http.uri content is only a prefix match (no isdataat after it),
#    so query strings appended to the listed path still match.
#  - ip:port rules: no payload content and no flow keyword, so any TCP segment to the
#    listed destination fires; threshold caps it to one alert per source per minute.
#    Several of these carry confidence_level 50-80; treat them as alert-only and verify
#    before turning them into blocks, since an address with no content match will keep
#    firing if it is shared or reassigned.
# target:src_ip marks the $HOME_NET side as the victim. All IOCs here have
# first_seen 2023_11_20; refresh from the feed rather than pinning this snapshot.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns31.starbucksvip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.controlcavi.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203448; rev:1;)
alert tcp $HOME_NET any -> [172.93.217.218] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203447/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.249.9.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203445; rev:1;)
alert tcp $HOME_NET any -> [3.121.109.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"18.185.64.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.113.204.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/contact/v9.23/aodfy6x8uv"; depth:25; nocase; http.host; content:"142.93.2.25"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203441; rev:1;)
alert tcp $HOME_NET any -> [198.46.143.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"198.46.143.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203439; rev:1;)
alert tcp $HOME_NET any -> [82.64.87.168] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203438/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.9.186.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203437; rev:1;)
alert tcp $HOME_NET any -> [172.203.240.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203436/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203436; rev:1;)
# The five "/api" rules below share one URI prefix; only the http.host differs, so the
# host content is what actually distinguishes them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sensfixlook.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bloockflad.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"barbecueappledos.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"terninadeshi.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"proogreso.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9smksxla/login.php"; depth:20; nocase; http.host; content:"0-9u210edu12j-dj-1.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7jshasds/login.php"; depth:19; nocase; http.host; content:"185.196.8.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bjdm32dp/login.php"; depth:19; nocase; http.host; content:"167.235.20.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbsdvj3/login.php"; depth:18; nocase; http.host; content:"193.42.33.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g93kdwj3s/login.php"; depth:20; nocase; http.host; content:"77.91.97.162"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9sdjscv2/login.php"; depth:20; nocase; http.host; content:"kbond2024.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203423; rev:1;)
alert tcp $HOME_NET any -> [103.97.176.121] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203424; rev:1;)
alert tcp $HOME_NET any -> [154.7.64.210] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203425; rev:1;)
alert tcp $HOME_NET any -> [95.174.24.213] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203426; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.192] 54357 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203427; rev:1;)
alert tcp $HOME_NET any -> [101.132.186.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203430/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203430; rev:1;)
alert tcp $HOME_NET any -> [79.137.205.179] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203429/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203429; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.85] 4285 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203428/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203428; rev:1;)
# ShadowPad ip:port set. Note that the same address appears with several ports
# (e.g. 203.69.170.86 on 21, 80 and 443; 185.189.241.x on 53, 443 and 8080), and some
# destinations use ports 21 and 53, so traffic to them on those ports is not necessarily
# FTP or DNS; nothing in these rules inspects the application layer.
alert tcp $HOME_NET any -> [167.179.98.155] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203417; rev:1;)
alert tcp $HOME_NET any -> [203.69.170.86] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203416; rev:1;)
alert tcp $HOME_NET any -> [203.69.170.86] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203415; rev:1;)
alert tcp $HOME_NET any -> [45.67.230.185] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203414; rev:1;)
alert tcp $HOME_NET any -> [43.230.161.205] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203413; rev:1;)
alert tcp $HOME_NET any -> [154.204.24.244] 65000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203411; rev:1;)
alert tcp $HOME_NET any -> [13.115.129.191] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203412; rev:1;)
alert tcp $HOME_NET any -> [112.121.187.179] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203410; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.155] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203407; rev:1;)
alert tcp $HOME_NET any -> [45.74.6.188] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203408; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.208] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203406; rev:1;)
alert tcp $HOME_NET any -> [16.163.142.128] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203405; rev:1;)
alert tcp $HOME_NET any -> [203.69.170.86] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203404; rev:1;)
alert tcp $HOME_NET any -> [45.67.230.185] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203403; rev:1;)
alert tcp $HOME_NET any -> [175.27.191.226] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203402; rev:1;)
alert tcp $HOME_NET any -> [45.86.162.190] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203401; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.159] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203400; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.186] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203399; rev:1;)
alert tcp $HOME_NET any -> [175.27.191.226] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203398; rev:1;)
alert tcp $HOME_NET any -> [45.74.6.148] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203397; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.155] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203396; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.208] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203395; rev:1;)
alert tcp $HOME_NET any -> [109.123.230.56] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203393; rev:1;)
alert tcp $HOME_NET any -> [34.92.77.165] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203391; rev:1;)
alert tcp $HOME_NET any -> [13.208.47.9] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203392; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.186] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203390; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.159] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203388; rev:1;)
alert tcp $HOME_NET any -> [175.27.191.226] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203389; rev:1;)
alert tcp $HOME_NET any -> [165.154.233.32] 1024 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9sdjscv2/login.php"; depth:20; nocase; http.host; content:"69.197.161.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsdjcn3khs/login.php"; depth:21; nocase; http.host; content:"5.42.66.9"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203385; rev:1;)
alert tcp $HOME_NET any -> [194.87.191.171] 24901 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsdjcn3khs/login.php"; depth:21; nocase; http.host; content:"atillapro.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203384; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.dynabot.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203294; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.86] 14356 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203291/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203291; rev:1;)
# The URI content here is "/" with depth:1, which every request path satisfies, so this
# rule is effectively a host-only match on ayranoos.net for any GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ayranoos.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpipesqltrackcdn.php"; depth:27; nocase; http.host; content:"5.182.86.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203383; rev:1;)
# Low-confidence (confidence_level 50) ip:port block. With no content match, any TCP
# segment to these destinations fires, including on 443/993/995 where shared hosting is
# plausible; keep these as alert-only and corroborate before acting on them.
alert tcp $HOME_NET any -> [8.130.34.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203382/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203382; rev:1;)
alert tcp $HOME_NET any -> [124.223.38.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203381/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203381; rev:1;)
alert tcp $HOME_NET any -> [75.173.60.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203380/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203380; rev:1;)
alert tcp $HOME_NET any -> [176.44.90.218] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203379/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203379; rev:1;)
alert tcp $HOME_NET any -> [154.246.62.35] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203378/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203378; rev:1;)
alert tcp $HOME_NET any -> [161.142.98.51] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203377/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203377; rev:1;)
alert tcp $HOME_NET any -> [77.91.101.173] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203376/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203376; rev:1;)
alert tcp $HOME_NET any -> [212.71.238.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203375/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203375; rev:1;)
alert tcp $HOME_NET any -> [176.126.113.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203374/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203374; rev:1;)
alert tcp $HOME_NET any -> [79.133.183.84] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203373/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203373; rev:1;)
alert tcp $HOME_NET any -> [157.245.48.209] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203372/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203372; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.136] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203371/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203371; rev:1;)
alert tcp $HOME_NET any -> [103.35.190.33] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203370/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203370; rev:1;)
alert tcp $HOME_NET any -> [103.35.190.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203369/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_20; classtype:trojan-activity; sid:91203369; rev:1;)
# 43.249.9.208 also appears above as the http.host of the "/dot.gif" rule (sid 91203445);
# a hit on that rule plus this one is the same infrastructure, not two independent sightings.
alert tcp $HOME_NET any -> [43.249.9.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203368/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203368; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.87] 1606 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203367/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_20; classtype:trojan-activity; sid:91203367; rev:1;)
alert tcp $HOME_NET any -> [198.12.88.135] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203365; rev:1;)
alert tcp $HOME_NET any -> [198.12.88.135] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203366; rev:1;)
# Payload-delivery rules: one rule per hostname for the same APK path (/saham.apk,
# /app.apk) under dns05.com and fartit.com; the matching dns_query rules for the
# fartit.com names follow at the end of this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"smc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"fca.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"smf.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"rdc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"fbc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"scm.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"shc.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"shf.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ssc.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ssf.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ssv.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"scv.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ssn.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ssj.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdt.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"sst.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203350; rev:1;)
# dns_query counterparts of the fartit.com payload hosts above: these fire on the lookup,
# before any HTTP session exists, and are subject to the resolver-placement caveat in the
# header comment.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdt.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203333; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sst.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssn.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203335; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssj.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203336/;
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssv.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scv.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssf.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ssc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203341; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shf.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scm.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rdc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fbc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smf.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smc.dns05.com"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fca.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_20; classtype:trojan-activity; sid:91203348; rev:1;) alert tcp $HOME_NET any -> [3.121.101.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203306/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203306; rev:1;) alert tcp $HOME_NET any -> [3.127.214.250] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203305/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203305; rev:1;) alert tcp $HOME_NET any -> [114.35.162.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203304/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203304; rev:1;) alert tcp $HOME_NET any -> [101.34.222.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203303/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_20; classtype:trojan-activity; sid:91203303; rev:1;) 
# ip:port rules: any TCP connection from $HOME_NET to the listed address:port fires, with no payload check.
# "threshold: type limit, track by_src, seconds 60, count 1" caps this at one alert per internal source per 60 s,
# and "target:src_ip" marks that internal host as the victim in the alert record.
# NOTE(review): the AsyncRAT entry is confidence_level 80 (the others on this line are 100) and matches on
# destination ip:port alone -- keep it alert-only unless the address is independently re-validated.
alert tcp $HOME_NET any -> [45.88.186.47] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203301; rev:1;)
alert tcp $HOME_NET any -> [112.74.74.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203300; rev:1;)
# URL rules: the Host header is pinned exactly (content length == depth, then isdataat:!1,relative),
# but the URI is only prefix-matched -- there is no isdataat after the URI content, so any request whose
# path begins with the listed string (e.g. with a query string appended) matches. Do not loosen the host
# check: the generic-looking URIs are only safe because the host is fixed to the C2 address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"112.74.74.125"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203299; rev:1;)
alert tcp $HOME_NET any -> [208.87.206.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"208.87.206.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203297; rev:1;)
alert tcp 
$HOME_NET any -> [54.160.205.236] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203296/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203296; rev:1;) alert tcp $HOME_NET any -> [85.209.176.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203295/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203295; rev:1;) alert tcp $HOME_NET any -> [89.168.78.92] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203292/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.101.170.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203290; rev:1;) alert tcp $HOME_NET any -> [109.123.242.1] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203289/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203289; rev:1;) alert tcp $HOME_NET any -> [47.115.201.46] 60001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203288/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203288; rev:1;)
# NOTE(review): the five rules below carry confidence_level 50 and match on destination ip:port only --
# no payload content, so every TCP connection from $HOME_NET to that address:port fires (one alert per
# source per 60 s via the threshold). Suitable for alerting and hunting; do not convert them to drop/block
# without re-validating the address first -- a hosting address listed at this confidence months ago may
# since have been re-assigned, and a block would then hit unrelated traffic.
alert tcp $HOME_NET any -> [123.60.176.96] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203287/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203287; rev:1;)
alert tcp $HOME_NET any -> [65.109.56.26] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203286/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203286; rev:1;)
# The two QakBot entries are bare ip:port on 443 and 2222; the feed gives them 50% confidence only,
# so treat a hit as a lead to pivot on (flow records, TLS/JA3 of the session), not as a confirmed infection.
alert tcp $HOME_NET any -> [78.165.35.232] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203285/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203285; rev:1;)
alert tcp $HOME_NET any -> [201.210.66.73] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203284/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203284; rev:1;)
alert tcp $HOME_NET any -> [13.215.191.59] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203283/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203283; rev:1;)
alert tcp $HOME_NET any -> 
[79.133.183.84] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203282/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203282; rev:1;) alert tcp $HOME_NET any -> [167.71.38.111] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203281/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203281; rev:1;) alert tcp $HOME_NET any -> [91.219.150.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203280/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203280; rev:1;) alert tcp $HOME_NET any -> [109.123.240.37] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203279/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203279; rev:1;) alert tcp $HOME_NET any -> [88.129.241.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203278/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203278; rev:1;) alert tcp $HOME_NET any -> [101.42.170.233] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203277/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203277; rev:1;) alert tcp $HOME_NET any -> [85.192.63.35] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203276/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203276; rev:1;) alert tcp $HOME_NET any -> [185.226.116.226] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203275/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_19; classtype:trojan-activity; sid:91203275; rev:1;) alert tcp $HOME_NET any -> [3.90.21.66] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203274/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203274; rev:1;) alert tcp $HOME_NET any -> [54.175.249.5] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203273/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203273; rev:1;) alert tcp $HOME_NET any -> [120.78.201.246] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203272/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203272; rev:1;) alert tcp $HOME_NET any -> [5.42.65.27] 4811 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"52.198.192.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.84.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"42.194.249.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"82.157.57.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; 
classtype:trojan-activity; sid:91203267; rev:1;)
# URL rules on very short, generic-looking paths (/g.pixel, /dot.gif, /pixel.gif, /pixel). Each one is
# anchored by an exact Host match (content length == depth, then isdataat:!1,relative), which is what keeps
# them from firing on ordinary web traffic -- the URI itself is only prefix-matched (no isdataat after the
# URI content), so e.g. the "/pixel" rule also matches "/pixel.gif" or "/pixel?x=1" on its pinned host.
# Keep the host check exact if these are ever edited; do not generalise them to $EXTERNAL_NET hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.136.174.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"23.95.14.229"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"14.225.19.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203263; rev:1;)
# DNS rules in this feed use dns_query with content length == depth followed by isdataat:!1,relative,
# i.e. the queried name must equal the listed domain exactly -- sub-labels of it (www.<domain>) do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ctic.azureedge.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"ctic.azureedge.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.132.146.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lastimaners.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203259; rev:1;) alert tcp $HOME_NET any -> [192.121.46.165] 9307 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"150.158.50.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"110.41.11.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"104.245.213.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203255; rev:1;) alert tcp $HOME_NET any -> [198.98.57.123] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203254; rev:1;) alert tcp $HOME_NET any -> [16.163.101.10] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203253/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203253; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"judicious.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arabianos.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"urdevont.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absorbeni.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barakapi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
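content:"brudimar.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203236; rev:1;)
# ----------------------------------------------------------------------
# Review notes for this section of the ThreatFox feed. The rules below are
# restored to one rule per line, which Suricata's line-oriented rule parser
# requires; the rule text itself is unchanged.
#
# Three rule shapes appear here. All are outbound from $HOME_NET and carry
# target:src_ip, so the internal host is the asset an alert points at:
#  * dns  - dns_query with content/depth + isdataat:!1,relative + nocase is
#           an exact, case-insensitive match on the whole queried name.
#  * http - GET method plus an exact http.uri and an exact http.host, on an
#           established client->server flow.
#  * tcp  - ip:port rules carry no payload match at all: any TCP session
#           from $HOME_NET to that destination IP:port alerts, rate-limited
#           by threshold to one alert per source host per 60 seconds.
#
# metadata carries confidence_level (50 to 100 in this section) and
# first_seen only; there is no last_seen or expiry, so the ip:port entries,
# several of which sit on widely used ports (80, 443, 445, 993, 995), age
# without the feed saying so. Low-confidence ip:port hits are best tuned
# with threshold/suppress entries in local configuration rather than by
# editing the feed lines.
#
# sid is the ThreatFox IOC id with a leading 9 (ioc/1203237 -> sid:91203237),
# so the reference URL can be recovered from any alert's sid.
# ----------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decorous.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203237; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dumerilipi.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203238; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heartbreaking.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karoanpa.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superficial.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203242; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"valefgo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203243; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vasifgo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203244; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vloperang.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203245; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zerodems.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203246; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geminiso.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203247; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sabirpo.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"andamanos.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203249; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"triticumos.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203250; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suizibel.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmozpi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"squeamish.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nahtizi.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nubiumbi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dakareypa.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebtoizi.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"91.92.251.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203219/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzi1ogm2yji0nde5/"; depth:18; nocase; http.host; content:"185.192.246.251"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203220/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"91.92.244.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203221/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203221; rev:1;)
alert tcp $HOME_NET any -> [18.185.64.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"18.185.64.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_19; classtype:trojan-activity; sid:91203251; rev:1;)
alert tcp $HOME_NET any -> [167.71.53.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203223/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203223; rev:1;)
alert tcp $HOME_NET any -> [95.216.100.78] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203222/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203222; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.84] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203218/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203218; rev:1;)
alert tcp $HOME_NET any -> [49.235.98.38] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203217/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203217; rev:1;)
alert tcp $HOME_NET any -> [188.166.67.116] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203203/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_19; classtype:trojan-activity; sid:91203203; rev:1;)
alert tcp $HOME_NET any -> [111.180.199.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203216/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203216; rev:1;)
alert tcp $HOME_NET any -> [142.171.75.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203215/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203215; rev:1;)
alert tcp $HOME_NET any -> [45.76.182.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203214/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203214; rev:1;)
alert tcp $HOME_NET any -> [139.180.194.27] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203213/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203213; rev:1;)
alert tcp $HOME_NET any -> [172.247.189.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203212/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203212; rev:1;)
alert tcp $HOME_NET any -> [149.88.80.228] 47001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203211/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203211; rev:1;)
alert tcp $HOME_NET any -> [105.102.106.170] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203210/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203210; rev:1;)
alert tcp $HOME_NET any -> [154.247.225.213] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203209/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203209; rev:1;)
alert tcp $HOME_NET any -> [68.59.65.193] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203208/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203208; rev:1;)
alert tcp $HOME_NET any -> [103.35.190.32] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203207/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203207; rev:1;)
alert tcp $HOME_NET any -> [103.35.190.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203206/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203206; rev:1;)
alert tcp $HOME_NET any -> [149.28.207.233] 59856 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203205/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_19; classtype:trojan-activity; sid:91203205; rev:1;)
alert tcp $HOME_NET any -> [31.11.194.49] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203204/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203204; rev:1;)
alert tcp $HOME_NET any -> [80.66.75.66] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203202/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203202; rev:1;)
alert tcp $HOME_NET any -> [94.98.229.240] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203201/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203201; rev:1;)
alert tcp $HOME_NET any -> [149.210.74.229] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203200/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203200; rev:1;)
alert tcp $HOME_NET any -> [45.130.141.161] 81 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203199/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203199; rev:1;)
alert tcp $HOME_NET any -> [18.153.74.37] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203198/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_19; classtype:trojan-activity; sid:91203198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"150.158.139.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.43.64.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.40.243.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203193; rev:1;)
alert tcp $HOME_NET any -> [220.90.135.156] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203192/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"162.14.209.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.138.188.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nv.js"; depth:6; nocase; http.host; content:"powellfamilydentist.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203187; rev:1;)
alert tcp $HOME_NET any -> [20.250.1.56] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inquiry/v7.40/573p2jwk"; depth:23; nocase; http.host; content:"20.250.1.56"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203185; rev:1;)
alert tcp $HOME_NET any -> [206.189.20.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"206.189.20.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203183; rev:1;)
alert tcp $HOME_NET any -> [182.92.216.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203182/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203182; rev:1;)
alert tcp $HOME_NET any -> [192.248.177.82] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203181; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.jinnahinternational.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203180; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"check-in.jinnahinternational.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203179; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.jinnahinternational.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.42.22.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203177; rev:1;)
alert tcp $HOME_NET any -> [139.9.186.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203176/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da"; depth:3; nocase; http.host; content:"134.209.164.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203175; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"erc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dmc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203169; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rsc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203170; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fms.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203171; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fmc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fcb.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203173; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"htc.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"htc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"fcb.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"fms.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"rsc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"dmc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"erc.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203162; rev:1;)
alert tcp $HOME_NET any -> [82.157.57.66] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203149/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203149; rev:1;)
alert tcp $HOME_NET any -> [121.199.166.71] 8009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203148/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203148; rev:1;)
alert tcp $HOME_NET any -> [175.27.249.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203147/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203147; rev:1;)
alert tcp $HOME_NET any -> [62.1.22.187] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203146/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203146; rev:1;)
alert tcp $HOME_NET any -> [74.12.147.178] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203145/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203145; rev:1;)
alert tcp $HOME_NET any -> [96.237.16.36] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203144/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203144; rev:1;)
alert tcp $HOME_NET any -> [105.102.21.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203143/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203143; rev:1;)
alert tcp $HOME_NET any -> [141.164.198.216] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203142/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203142; rev:1;)
alert tcp $HOME_NET any -> [34.124.220.218] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203141/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203141; rev:1;)
alert tcp $HOME_NET any -> [136.40.23.26] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203140/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203140; rev:1;)
alert tcp $HOME_NET any -> [167.172.232.177] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203139/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203139; rev:1;)
alert tcp $HOME_NET any -> [34.245.72.161] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203138/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203138; rev:1;)
alert tcp $HOME_NET any -> [178.239.168.153] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203137/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203137; rev:1;)
alert tcp $HOME_NET any -> [3.76.100.131] 4424 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203136/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203136; rev:1;)
alert tcp $HOME_NET any -> [188.127.224.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203135/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203135; rev:1;)
alert tcp $HOME_NET any -> [37.27.17.204] 31338 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203134/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203134; rev:1;)
alert tcp $HOME_NET any -> [35.174.58.172] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203133/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203133; rev:1;)
alert tcp $HOME_NET any -> [193.57.137.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203132; rev:1;)
alert tcp $HOME_NET any -> [79.137.205.201] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203131/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18;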
nocase; http.host; content:"39.100.84.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.129.230.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.97.6.61"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.130.70.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; 
classtype:trojan-activity; sid:91203126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.92.203.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"giuliotoro.icu"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203124; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 17339 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203123; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 17339 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203122; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 17339 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; 
sid:91203120; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 17339 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203121; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 17339 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203119; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203118; rev:1;) alert tcp $HOME_NET any -> [47.120.1.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203117/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203117; rev:1;) alert tcp $HOME_NET any -> [117.50.162.183] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203116/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203116; rev:1;) alert tcp $HOME_NET any -> [38.6.177.100] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1203115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.6.177.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mricossoftmanager.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203112; rev:1;) alert tcp $HOME_NET any -> [88.119.169.58] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siteindex/c/"; depth:13; nocase; http.host; content:"mricossoftmanager.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203111; rev:1;) alert tcp $HOME_NET any -> [193.134.209.143] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1203110/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"acutbank.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203109/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203108; rev:1;) alert tcp $HOME_NET any -> [46.246.12.3] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203107; rev:1;) alert tcp $HOME_NET any -> [52.55.23.101] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203106/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203106; rev:1;) alert tcp $HOME_NET any -> [194.87.31.237] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; 
classtype:trojan-activity; sid:91203073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.6innovations.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203074; rev:1;) alert tcp $HOME_NET any -> [77.91.68.235] 9486 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ddddd/lokinew/fre.php"; depth:22; nocase; http.host; content:"acutbank.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203105/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_18; classtype:trojan-activity; sid:91203105; rev:1;) alert tcp $HOME_NET any -> [45.137.22.146] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203104; rev:1;) alert tcp $HOME_NET any -> [121.43.55.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203103/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203103; rev:1;) alert tcp $HOME_NET any -> 
[46.250.241.188] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203102/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203102; rev:1;) alert tcp $HOME_NET any -> [124.221.43.13] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203101/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203101; rev:1;) alert tcp $HOME_NET any -> [45.125.46.159] 8712 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203100; rev:1;) alert tcp $HOME_NET any -> [70.27.15.45] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203099/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203099; rev:1;) alert tcp $HOME_NET any -> [154.247.49.145] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203098/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203098; rev:1;) alert tcp $HOME_NET any -> [54.188.132.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203097/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_11_18; classtype:trojan-activity; sid:91203097; rev:1;) alert tcp $HOME_NET any -> [144.172.79.129] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203096/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203096; rev:1;) alert tcp $HOME_NET any -> [13.113.204.244] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203095/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"078374cm.nyashnyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203094; rev:1;) alert tcp $HOME_NET any -> [37.220.86.73] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203093; rev:1;) alert tcp $HOME_NET any -> [91.92.241.80] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203092; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"miners-gold.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203091/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_18; classtype:trojan-activity; sid:91203091; rev:1;) alert tcp $HOME_NET any -> [190.232.148.201] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203090/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203090; rev:1;) alert tcp $HOME_NET any -> [43.132.146.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203089/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_18; classtype:trojan-activity; sid:91203089; rev:1;) alert tcp $HOME_NET any -> [52.86.18.77] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deddd/lokinew/fre.php"; depth:22; nocase; http.host; content:"miners-gold.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203087/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_18; classtype:trojan-activity; sid:91203087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deddd/lokinew/fre.php"; depth:22; nocase; http.host; content:"miners-gold.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"steycools.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"knittinprophec.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dftyh/lokinew/fre.php"; depth:22; nocase; http.host; content:"www.swiftguaranteedb.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203082/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_18; classtype:trojan-activity; sid:91203082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dftyh/lokinew/fre.php"; depth:22; nocase; http.host; 
content:"www.swiftguaranteedb.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"400886cm.nyashnyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_18; classtype:trojan-activity; sid:91203080; rev:1;) alert tcp $HOME_NET any -> [43.136.174.84] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203079/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203079; rev:1;) alert tcp $HOME_NET any -> [47.116.25.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.116.25.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203077; rev:1;) alert tcp $HOME_NET any -> [23.95.14.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203076/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203076; rev:1;) alert tcp $HOME_NET any -> [101.43.141.31] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203075; rev:1;) alert tcp $HOME_NET any -> [130.193.51.15] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203072/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ci61682.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"triathlethe.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203064/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ns2.timecheck.ug"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1203065/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"opsdjs.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203066/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kfdhsa.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203067/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ns1.timecheck.ug"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203068/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tuskslacx.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203069/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"hubvera.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203070/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203070; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"qwertzx.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203059/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.timecheck.ug"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203060/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"qwerty12346.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203061/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"maralskds.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203062/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"checkerrors.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203063/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"opesjk.ug"; depth:9; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203053/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203053; rev:1;)
# --- ThreatFox IOC rules, first_seen 2023-11-17 (one rule per line; sid = "9" + ThreatFox IOC id) ---
# dns rules: depth equals the literal length and isdataat:!1,relative requires the query name to end
# there, so the dns_query name must equal the IOC exactly (case-insensitive). Subdomains are not matched
# implicitly; where the feed wants them it emits a separate rule (see up.xopolllo.today / wow.hellowin.shop).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zxvbcrt.ug"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203054/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"asdsadasrdc.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203055/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"partadino.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203056/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"malayska.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203057/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"karimgouss.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203058/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dgkhj.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203052/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hellowin.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xopolllo.today"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"up.xopolllo.today"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wow.hellowin.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203036; rev:1;)
# ip:port rules: there is no flow: keyword, so any packet from $HOME_NET to the listed ip:port matches,
# including the initial SYN of a connection that never completes. threshold: type limit, count 1, seconds 60
# caps this at one alert per internal source per 60 s. target:src_ip flags the internal host as the victim.
# The confidence level is carried both in msg and in metadata; 50% entries are the least vetted and are
# better used for alerting/hunting than for automatic blocking.
alert tcp $HOME_NET any -> [47.236.36.154] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203051/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203051; rev:1;)
alert tcp $HOME_NET any -> [117.215.23.117] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203050/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203050; rev:1;)
alert tcp $HOME_NET any -> [74.12.147.233] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203049/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203049; rev:1;)
alert tcp $HOME_NET any -> [88.252.226.153] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203048/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203048; rev:1;)
alert tcp $HOME_NET any -> [117.215.21.245] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203047/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203047; rev:1;)
alert tcp $HOME_NET any -> [197.1.219.110] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203046/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203046; rev:1;)
alert tcp $HOME_NET any -> [188.176.179.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203045/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203045; rev:1;)
alert tcp $HOME_NET any -> [97.118.24.246] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203044/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203044; rev:1;)
alert tcp $HOME_NET any -> [197.204.93.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203043/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203043; rev:1;)
alert tcp $HOME_NET any -> [108.21.244.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203042/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203042; rev:1;)
# Outbound TCP/445 from $HOME_NET to an internet address is worth investigating regardless of this IOC.
alert tcp $HOME_NET any -> [144.172.79.129] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203041/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203041; rev:1;)
alert tcp $HOME_NET any -> [79.141.169.72] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203040/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203040; rev:1;)
alert tcp $HOME_NET any -> [13.59.168.154] 3417 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203039/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203039; rev:1;)
alert tcp $HOME_NET any -> [172.245.205.13] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203038/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203038; rev:1;)
alert tcp $HOME_NET any -> [209.97.189.230] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203037/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203037; rev:1;)
alert tcp $HOME_NET any -> [45.76.88.103] 8888 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203032/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203032; rev:1;)
alert tcp $HOME_NET any -> [14.225.19.116] 49153 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203031/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203031; rev:1;)
alert tcp $HOME_NET any -> [195.20.16.131] 30344 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203030; rev:1;)
# url rules: method, URI prefix (depth = literal length, anchored at offset 0) and an exact Host header
# (http.host is already lowercase-normalized, hence no nocase; isdataat:!1,relative pins the end).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bezstpool.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203025; rev:1;)
alert tcp $HOME_NET any -> [27.101.222.24] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203029/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203029; rev:1;)
alert tcp $HOME_NET any -> [47.116.17.169] 5001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203028/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203028; rev:1;)
# The hostname below imitates Google's aspmxN.googlemail.com MX naming under an unrelated registered
# domain (clsr.ca); both the DNS lookup and the GET /activity request to it are covered (1203027 / 1203026).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aspmx5.googlemail.clsr.ca"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"aspmx5.googlemail.clsr.ca"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203026; rev:1;)
alert tcp $HOME_NET any -> [185.217.98.121] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"zamesblack.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203019; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"numpersb.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203020; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killredls.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
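content:"keewoolas.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dayzilons.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1203023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91203023; rev:1;)
alert tcp $HOME_NET any -> [185.140.231.8] 2087 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203018/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203018; rev:1;)
alert tcp $HOME_NET any -> [185.142.184.125] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203017/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203017; rev:1;)
alert tcp $HOME_NET any -> [43.130.70.58] 8033 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1203016/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91203016; rev:1;)
# --- url IOCs 1202964-1203015 (52 rules, confidence 50%, first_seen 2023-11-17) ---
# As published, each of these rules matched the IOC hostname at offset 0 of the http.uri buffer
# (http.uri; content:"<host>"; depth:<len>; nocase;). The normalized request URI of an ordinary
# origin-form request begins with "/", so those rules could not fire on normal traffic. They now match
# the hostname against http.host, anchored at both ends (depth = literal length, isdataat:!1,relative),
# the same shape the feed already uses for its other url rules (e.g. sid 91203025). nocase is dropped
# because the http.host buffer is lowercase-normalized. rev is bumped to 2; sid, reference and metadata
# are unchanged. Several hostnames appear twice under distinct ThreatFox ids; both are kept as published.
# NOTE(review): for the IP-literal entries, confirm that a Host header carrying an explicit port
# (e.g. "80.66.88.145:8080") is still matched by the normalized http.host buffer; if not, drop
# isdataat:!1,relative on those four entries or add an http.host.raw variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"profitcentronline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202985/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202985; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"taochinashowwers.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202987/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202987; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.66.88.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202988/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202988; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.noheroway.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202989/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202989; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.noheroway.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202990/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202990; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"shsukadadyuikmmonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202991/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202991; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"shsukadadyuikmmonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202992/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202992; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"voodmastrelinux.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202993/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202993; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"voodmastrelinux.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202994/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202994; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"89.248.193.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202995/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202995; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.130.227.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202996/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202996; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.130.227.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202997/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202997; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"hadfadf87yuadfad.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202998/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202998; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"hadfadf87yuadfad.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202999/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202999; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"onlineserviceboonkers.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203000/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203000; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"onlineserviceboonkers.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203001/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203001; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"profitcentronline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202984/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202984; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"taochinashowwers.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202986/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202986; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"projecktupdatemonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202982/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202982; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"projecktupdatemonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202983/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202983; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"178.236.247.102"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202980/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202980; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"178.236.247.102"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202981/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202981; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.66.88.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202979/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202979; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.66.88.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202977/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202977; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"107.181.161.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202978/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202978; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.bitepieces.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202975/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202975; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.bitepieces.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202976/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202976; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"uiahbmajokriswhoer.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202974/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202974; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"uiahbmajokriswhoer.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202973/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202973; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"annoyingannoying.vodka"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202971/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202971; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"annoyingannoying.vodka"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202972/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202972; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cheneseemeg7575.cash"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202970/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202970; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cheneseemeg7575.cash"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202969/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202969; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cdn-ext.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202968/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202968; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"cdn-ext.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202967/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202967; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"zochao.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202966/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202966; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"80.66.88.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202964/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202964; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"zochao.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202965/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202965; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"tottalonlineservis.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203002/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"tottalonlineservis.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203003/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203003; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"hgfdytrywq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203004/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203004; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"hgfdytrywq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203005/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203005; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"jeraldsin3dsajdklafdmonk.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203006/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203006; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.firestarted.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203007/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203007; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.130.226.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203009/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203009; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.firestarted.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203008/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203008; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.130.226.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203010/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203010; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"179.60.149.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203011/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203011; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"a-1bcdn.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203012/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203012; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sanibroadbandcommunicton.duckdns.org"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203013/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203013; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"katiklan.tech"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203014/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203014; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"katiklan.tech"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1203015/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91203015; rev:2;)
# --- remaining entries for 2023-11-17 (unchanged): payload-delivery domains (exact dns_query match)
# and Pikabot ip:port entries (no flow: keyword, so the initial SYN already matches; one alert per source per 60 s).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smithroses.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202961; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rimaflower.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"feeneypol.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202963; rev:1;)
alert tcp $HOME_NET any -> [172.233.156.100] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202957; rev:1;)
alert tcp $HOME_NET any -> [207.148.93.23] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202958/; target:src_ip; 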
metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202958; rev:1;) alert tcp $HOME_NET any -> [64.176.190.166] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202959; rev:1;) alert tcp $HOME_NET any -> [45.32.244.94] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202960; rev:1;) alert tcp $HOME_NET any -> [35.228.248.56] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202956/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/endpoint.php"; depth:17; nocase; http.host; content:"135.181.11.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.130.227.202"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1202953/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; 
sid:91202953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.130.227.202"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1202954/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202954; rev:1;) alert tcp $HOME_NET any -> [45.143.234.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202952/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202952; rev:1;) alert tcp $HOME_NET any -> [38.87.247.90] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202951/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202951; rev:1;) alert tcp $HOME_NET any -> [123.249.33.8] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202950/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202950; rev:1;) alert tcp $HOME_NET any -> [149.210.4.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202949/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/fks/index.php"; depth:14; nocase; http.host; content:"194.49.94.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202948/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_17; classtype:trojan-activity; sid:91202948; rev:1;) alert tcp $HOME_NET any -> [45.154.98.86] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202947/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202947; rev:1;) alert tcp $HOME_NET any -> [91.92.248.59] 5201 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"jghskd9kfx7.brazilsouth.cloudapp.azure.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202945/; target:src_ip; metadata: confidence_level 25, first_seen 2023_11_17; classtype:trojan-activity; sid:91202945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.130.70.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202944; rev:1;) alert tcp $HOME_NET any -> [125.60.0.199] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202943/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"115.159.64.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202942; rev:1;) alert tcp $HOME_NET any -> [45.227.255.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dz"; depth:3; nocase; http.host; content:"45.227.255.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.32.110.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"39.108.104.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202937; rev:1;) alert tcp $HOME_NET any -> [39.108.104.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202938; rev:1;) alert tcp $HOME_NET any -> [118.89.133.137] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202936/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"134.175.121.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"110.41.130.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202934; rev:1;) 
alert tcp $HOME_NET any -> [109.107.189.6] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202929/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202929; rev:1;) alert tcp $HOME_NET any -> [37.255.148.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202933/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202933; rev:1;) alert tcp $HOME_NET any -> [158.247.246.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202932/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202932; rev:1;) alert tcp $HOME_NET any -> [52.198.192.145] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202931/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202931; rev:1;) alert tcp $HOME_NET any -> [47.92.203.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202930/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdixmjjmy2nlzme5/"; depth:18; nocase; 
http.host; content:"194.33.191.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202735/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tpowe2.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202765; rev:1;) alert tcp $HOME_NET any -> [121.41.2.26] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202928/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202928; rev:1;) alert tcp $HOME_NET any -> [192.121.162.86] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202927/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202927; rev:1;) alert tcp $HOME_NET any -> [173.160.3.209] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202926/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202926; rev:1;) alert tcp $HOME_NET any -> [187.233.184.144] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202925/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; 
sid:91202925; rev:1;) alert tcp $HOME_NET any -> [201.137.202.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202924/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202924; rev:1;) alert tcp $HOME_NET any -> [154.247.41.123] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202923/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202923; rev:1;) alert tcp $HOME_NET any -> [102.156.45.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202922/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202922; rev:1;) alert tcp $HOME_NET any -> [14.19.159.105] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202921/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202921; rev:1;) alert tcp $HOME_NET any -> [91.193.18.110] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202920/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202920; rev:1;) alert tcp $HOME_NET any -> [3.10.217.178] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202919/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202919; rev:1;) alert tcp $HOME_NET any -> [31.13.195.53] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202918/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202918; rev:1;) alert tcp $HOME_NET any -> [62.210.207.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202917/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202917; rev:1;) alert tcp $HOME_NET any -> [194.213.18.45] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202916/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202916; rev:1;) alert tcp $HOME_NET any -> [46.225.119.108] 12115 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202915/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202915; rev:1;) alert tcp $HOME_NET any -> [192.227.213.235] 60000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202914/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202914; rev:1;) alert tcp $HOME_NET any -> [64.176.196.183] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202913/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202913; rev:1;) alert tcp $HOME_NET any -> [35.177.215.200] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202912/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_17; classtype:trojan-activity; sid:91202912; rev:1;) alert tcp $HOME_NET any -> [51.222.98.76] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202911/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202911; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202910/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202910; rev:1;) alert tcp $HOME_NET any -> [37.187.54.56] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202909/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mouseblock.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202908/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202908; rev:1;) alert tcp $HOME_NET any -> [194.49.94.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202907/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202907; rev:1;) alert tcp $HOME_NET any -> [45.33.118.219] 35633 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202906; rev:1;) alert tcp $HOME_NET any -> [194.49.94.152] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_17; classtype:trojan-activity; sid:91202905; rev:1;) alert tcp $HOME_NET any -> [149.56.101.42] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202904/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202904; rev:1;) alert tcp $HOME_NET any -> [47.117.163.173] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202903/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202903; rev:1;) alert tcp $HOME_NET any -> [43.143.143.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202902/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202902; rev:1;) alert tcp $HOME_NET any -> [138.68.129.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202901/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202901; rev:1;) alert tcp $HOME_NET any -> [101.34.46.239] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202900/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202900; rev:1;) alert tcp $HOME_NET any -> [81.69.96.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202899/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202899; rev:1;) alert tcp $HOME_NET any -> [123.249.41.106] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202898/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202898; rev:1;) alert tcp $HOME_NET any -> [138.99.216.141] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202897/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; 
classtype:trojan-activity; sid:91202897; rev:1;) alert tcp $HOME_NET any -> [132.145.126.111] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202896/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202896; rev:1;) alert tcp $HOME_NET any -> [119.29.145.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202895/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202895; rev:1;) alert tcp $HOME_NET any -> [194.26.29.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202894/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202894; rev:1;) alert tcp $HOME_NET any -> [106.14.149.88] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202893/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202893; rev:1;) alert tcp $HOME_NET any -> [137.220.133.105] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202892/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202892; rev:1;) alert tcp $HOME_NET any -> [120.46.164.123] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202891/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202891; rev:1;) alert tcp $HOME_NET any -> [123.60.140.76] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202890/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202890; rev:1;) alert tcp $HOME_NET any -> [159.223.29.112] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202889/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202889; rev:1;) alert tcp $HOME_NET any -> [139.159.203.44] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202888/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202888; rev:1;) alert tcp $HOME_NET any -> [198.44.184.235] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202887/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202887; rev:1;) alert tcp $HOME_NET any -> [51.250.16.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202886/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202886; rev:1;) alert tcp 
$HOME_NET any -> [170.130.165.100] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202885/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202885; rev:1;) alert tcp $HOME_NET any -> [114.115.165.215] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202884/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_17; classtype:trojan-activity; sid:91202884; rev:1;) alert tcp $HOME_NET any -> [18.177.44.29] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202883/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"pwn.safetygarden.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202882; rev:1;) alert tcp $HOME_NET any -> [146.59.12.132] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202881/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202881; rev:1;) alert tcp $HOME_NET any -> [157.230.47.29] 3790 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202880/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202880; rev:1;) alert tcp $HOME_NET any -> [20.83.148.22] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202878; rev:1;) alert tcp $HOME_NET any -> [103.20.235.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202879; rev:1;) alert tcp $HOME_NET any -> [101.201.37.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202877; rev:1;) alert tcp $HOME_NET any -> [103.116.245.130] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202876; rev:1;) alert tcp $HOME_NET any -> [182.92.128.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202875/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_16; classtype:trojan-activity; sid:91202875; rev:1;) alert tcp $HOME_NET any -> [8.212.15.60] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202874; rev:1;) alert tcp $HOME_NET any -> [182.92.98.240] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202872; rev:1;) alert tcp $HOME_NET any -> [16.171.58.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202873; rev:1;) alert tcp $HOME_NET any -> [182.92.98.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202871; rev:1;) alert tcp $HOME_NET any -> [216.24.246.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202869; rev:1;) alert tcp $HOME_NET any -> [3.78.215.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202870; rev:1;) alert tcp $HOME_NET any -> [20.15.227.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202868; rev:1;) alert tcp $HOME_NET any -> [1.14.192.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202867; rev:1;) alert tcp $HOME_NET any -> [34.69.87.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202865; rev:1;) alert tcp $HOME_NET any -> [120.46.210.58] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202866; rev:1;) alert tcp $HOME_NET any -> [44.225.229.165] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202864; rev:1;) alert 
tcp $HOME_NET any -> [16.170.232.194] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202863; rev:1;) alert tcp $HOME_NET any -> [101.43.127.45] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202861; rev:1;) alert tcp $HOME_NET any -> [47.109.44.195] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202862; rev:1;) alert tcp $HOME_NET any -> [175.27.232.222] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202860; rev:1;) alert tcp $HOME_NET any -> [139.180.139.215] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202858; rev:1;) alert tcp $HOME_NET any -> [38.54.88.153] 8114 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202859; rev:1;) alert tcp $HOME_NET any -> [154.17.6.176] 50080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202857; rev:1;) alert tcp $HOME_NET any -> [47.93.38.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202856; rev:1;) alert tcp $HOME_NET any -> [47.108.117.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202855; rev:1;) alert tcp $HOME_NET any -> [85.167.207.117] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202853; rev:1;) alert tcp $HOME_NET any -> [152.136.35.240] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202854; rev:1;) alert tcp $HOME_NET any -> [3.1.203.127] 11443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202852; rev:1;) alert tcp $HOME_NET any -> [120.78.189.210] 9022 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202850; rev:1;) alert tcp $HOME_NET any -> [120.78.189.210] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202851; rev:1;) alert tcp $HOME_NET any -> [85.209.11.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202849; rev:1;) alert tcp $HOME_NET any -> [213.226.123.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202847; rev:1;) alert tcp $HOME_NET any -> [172.245.9.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202848/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202848; rev:1;) alert tcp $HOME_NET any -> [43.128.55.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202846; rev:1;) alert tcp $HOME_NET any -> [101.200.221.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202845; rev:1;) alert tcp $HOME_NET any -> [129.211.210.61] 8881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202843; rev:1;) alert tcp $HOME_NET any -> [81.68.248.191] 8021 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202844; rev:1;) alert tcp $HOME_NET any -> [139.9.74.12] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202841; rev:1;) alert tcp $HOME_NET any -> [3.34.48.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202842; rev:1;) alert tcp $HOME_NET any -> [47.92.203.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202840; rev:1;) alert tcp $HOME_NET any -> [45.207.38.139] 10081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202838; rev:1;) alert tcp $HOME_NET any -> [198.98.57.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202839; rev:1;) alert tcp $HOME_NET any -> [106.55.180.173] 8998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202837; rev:1;) alert tcp $HOME_NET any -> [47.96.252.193] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; 
classtype:trojan-activity; sid:91202836; rev:1;) alert tcp $HOME_NET any -> [118.24.87.10] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202835; rev:1;) alert tcp $HOME_NET any -> [193.233.22.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-249-85-13.ap-northeast-1.compute.amazonaws.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.edge-akamai.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202833; rev:1;) alert tcp $HOME_NET any -> [104.194.78.224] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202830; rev:1;) alert tcp $HOME_NET any -> [192.144.231.141] 60000 (msg:"ThreatFox Viper RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202831; rev:1;) alert tcp $HOME_NET any -> [107.172.89.198] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202829; rev:1;) alert tcp $HOME_NET any -> [1.92.94.117] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202828; rev:1;) alert tcp $HOME_NET any -> [31.220.80.167] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202827; rev:1;) alert tcp $HOME_NET any -> [8.216.65.42] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202826; rev:1;) alert tcp $HOME_NET any -> [46.246.98.47] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202825/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_16; 
classtype:trojan-activity; sid:91202825; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202824; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202822; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202823; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202821; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 1694 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202819; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1202820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202820; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202818; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202816; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202817; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202815; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202813; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 1962 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.41.189.202.116.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202812; rev:1;) alert tcp $HOME_NET any -> [52.0.63.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-217-89-101.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-0-63-134.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202810; rev:1;) alert tcp $HOME_NET any -> [66.42.93.127] 3306 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202808/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_16; classtype:trojan-activity; sid:91202808; rev:1;) alert tcp $HOME_NET any -> [154.204.181.5] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202807; rev:1;) alert tcp $HOME_NET any -> [154.204.181.244] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202806; rev:1;) alert tcp $HOME_NET any -> [154.204.181.146] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202804; rev:1;) alert tcp $HOME_NET any -> [154.204.181.148] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202805; rev:1;) alert tcp $HOME_NET any -> [154.204.181.230] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202803; rev:1;) alert 
tcp $HOME_NET any -> [154.204.181.29] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202801; rev:1;) alert tcp $HOME_NET any -> [154.204.181.212] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202802; rev:1;) alert tcp $HOME_NET any -> [154.204.181.141] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202800; rev:1;) alert tcp $HOME_NET any -> [154.204.181.200] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202798; rev:1;) alert tcp $HOME_NET any -> [154.204.181.170] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202799; rev:1;) alert tcp $HOME_NET any -> [154.204.181.104] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202797; rev:1;) alert tcp $HOME_NET any -> [154.204.181.246] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202795; rev:1;) alert tcp $HOME_NET any -> [154.204.181.82] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202796; rev:1;) alert tcp $HOME_NET any -> [154.204.181.214] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202794; rev:1;) alert tcp $HOME_NET any -> [154.204.181.225] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202793; rev:1;) alert tcp $HOME_NET any -> [74.234.223.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202791; rev:1;) alert tcp $HOME_NET any -> [141.98.7.18] 7443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202792; rev:1;) alert tcp $HOME_NET any -> [51.77.159.52] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202790; rev:1;) alert tcp $HOME_NET any -> [3.129.208.252] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202789; rev:1;) alert tcp $HOME_NET any -> [191.254.169.139] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202788; rev:1;) alert tcp $HOME_NET any -> [172.232.134.145] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202787; rev:1;) alert tcp $HOME_NET any -> [193.149.190.168] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202786/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202786; rev:1;) alert tcp $HOME_NET any -> [103.47.147.204] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202785; rev:1;) alert tcp $HOME_NET any -> [181.235.82.111] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202783; rev:1;) alert tcp $HOME_NET any -> [181.235.82.111] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202784; rev:1;) alert tcp $HOME_NET any -> [37.19.216.81] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202782; rev:1;) alert tcp $HOME_NET any -> [191.246.186.145] 2021 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202780; rev:1;) alert tcp $HOME_NET any -> [14.161.135.108] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202781; rev:1;) alert tcp $HOME_NET any -> [181.235.87.205] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202779; rev:1;) alert tcp $HOME_NET any -> [185.81.157.133] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202777; rev:1;) alert tcp $HOME_NET any -> [185.81.157.149] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202778; rev:1;) alert tcp $HOME_NET any -> [201.185.178.29] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-65-168-135.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; 
classtype:trojan-activity; sid:91202775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.181.182.76.144.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202774; rev:1;) alert tcp $HOME_NET any -> [203.135.101.181] 82 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202773; rev:1;) alert tcp $HOME_NET any -> [94.156.64.184] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202772; rev:1;) alert tcp $HOME_NET any -> [66.204.14.104] 9042 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202771/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202771; rev:1;) alert tcp $HOME_NET any -> [64.176.196.183] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202770/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202770; rev:1;) alert tcp $HOME_NET any -> [193.168.141.215] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202769/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202769; rev:1;) alert tcp $HOME_NET any -> [45.85.117.196] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202768/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202768; rev:1;) alert tcp $HOME_NET any -> [45.129.199.172] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202767/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202767; rev:1;) alert tcp $HOME_NET any -> [5.180.114.52] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202766/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202766; rev:1;) alert tcp $HOME_NET any -> [185.227.68.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202764/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202764; rev:1;) alert tcp $HOME_NET any -> [195.133.53.90] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202763/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202763; rev:1;) alert tcp $HOME_NET any -> 
[207.178.66.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202762/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202762; rev:1;) alert tcp $HOME_NET any -> [93.210.162.76] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202761/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202761; rev:1;) alert tcp $HOME_NET any -> [35.167.121.116] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202760/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202760; rev:1;) alert tcp $HOME_NET any -> [94.237.44.137] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202759/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202759; rev:1;) alert tcp $HOME_NET any -> [66.228.60.73] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202758/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202758; rev:1;) alert tcp $HOME_NET any -> [16.16.26.234] 3306 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202757/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_11_16; classtype:trojan-activity; sid:91202757; rev:1;) alert tcp $HOME_NET any -> [178.62.57.69] 587 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202756/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202756; rev:1;) alert tcp $HOME_NET any -> [43.138.87.237] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202755/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202755; rev:1;) alert tcp $HOME_NET any -> [185.241.124.217] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202754/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202754; rev:1;) alert tcp $HOME_NET any -> [194.49.94.20] 10443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202753/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202753; rev:1;) alert tcp $HOME_NET any -> [146.190.54.95] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202752/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202752; rev:1;) alert tcp $HOME_NET any -> [207.148.76.74] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202751/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202751; rev:1;) alert tcp $HOME_NET any -> [207.148.76.74] 55855 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202750/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202750; rev:1;) alert tcp $HOME_NET any -> [43.140.251.2] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202749/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202749; rev:1;) alert tcp $HOME_NET any -> [43.140.251.2] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202748/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202748; rev:1;) alert tcp $HOME_NET any -> [3.145.101.221] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"many.praccountingandtax.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202746; rev:1;) alert tcp 
$HOME_NET any -> [173.249.201.170] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.noranekoheart.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"192.144.231.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.134.71.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"152.136.128.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202741/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-ibyz0l1g-1312758067.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202737; rev:1;) alert tcp $HOME_NET any -> [193.57.137.61] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202736/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a21/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202734/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.134.71.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202733; rev:1;) alert tcp $HOME_NET any -> [42.194.233.97] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"175.178.45.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; 
sid:91202731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"117.50.188.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.78.201.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.198.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202727; rev:1;) alert tcp $HOME_NET any -> [142.202.205.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ki.js"; depth:6; nocase; http.host; content:"bibogajan.network"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bibogajan.network"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"82.157.65.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202723; rev:1;) alert tcp $HOME_NET any -> [5.42.64.20] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202722/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202722; rev:1;) alert tcp $HOME_NET any -> [104.243.21.203] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202721/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202721; rev:1;) alert tcp $HOME_NET any -> [62.173.140.37] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"outsiderus.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202719; rev:1;) alert tcp $HOME_NET any -> [165.22.184.26] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202718/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faststroygo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"faststroygo.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"faststroygo.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1202710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8sjimonstersboonkonline.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8sjimonstersboonkonline.com"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1202712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202712; rev:1;) alert tcp $HOME_NET any -> [3.15.148.108] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"campaign.dchalegal.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202716/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202716; rev:1;) alert tcp $HOME_NET any -> [194.49.94.93] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202715/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202715; rev:1;) alert tcp $HOME_NET any -> [3.75.250.5] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202714/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202714; rev:1;) alert tcp $HOME_NET any -> [115.159.64.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202713/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"18.221.2.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202705/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_16; classtype:trojan-activity; sid:91202705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.207.29.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"95.164.35.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.243.175.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boxes"; depth:6; nocase; http.host; content:"134.209.164.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"124.223.52.82"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202695; rev:1;) alert tcp $HOME_NET any -> [87.237.55.99] 1791 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202693/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202693; rev:1;) alert tcp $HOME_NET any -> [207.148.70.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202694/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202694; rev:1;) alert tcp $HOME_NET any -> [91.92.242.92] 650 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202692/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_16; classtype:trojan-activity; sid:91202692; rev:1;) alert tcp $HOME_NET any -> [50.60.142.170] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202691/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; 
classtype:trojan-activity; sid:91202691; rev:1;) alert tcp $HOME_NET any -> [74.12.147.233] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202690/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202690; rev:1;) alert tcp $HOME_NET any -> [97.118.9.180] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202689/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202689; rev:1;) alert tcp $HOME_NET any -> [2.50.16.128] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202688/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202688; rev:1;) alert tcp $HOME_NET any -> [154.247.162.174] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202687/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202687; rev:1;) alert tcp $HOME_NET any -> [20.71.97.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202686/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202686; rev:1;) alert tcp $HOME_NET any -> [40.76.55.180] 8090 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202685/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202685; rev:1;) alert tcp $HOME_NET any -> [16.16.26.234] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202684/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202684; rev:1;) alert tcp $HOME_NET any -> [164.92.189.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202683/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202683; rev:1;) alert tcp $HOME_NET any -> [20.52.226.156] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202682/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202682; rev:1;) alert tcp $HOME_NET any -> [194.213.18.45] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202681/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202681; rev:1;) alert tcp $HOME_NET any -> [194.213.18.45] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202679/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202679; rev:1;) alert tcp $HOME_NET any -> [194.213.18.45] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202680/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202680; rev:1;) alert tcp $HOME_NET any -> [129.226.151.175] 26766 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202678/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202678; rev:1;) alert tcp $HOME_NET any -> [94.103.93.160] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202677/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202677; rev:1;) alert tcp $HOME_NET any -> [94.103.93.160] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202676/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_16; classtype:trojan-activity; sid:91202676; rev:1;) alert tcp $HOME_NET any -> [216.83.41.113] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202654; rev:1;) alert tcp $HOME_NET any -> [13.115.194.155] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202655; rev:1;) 
alert tcp $HOME_NET any -> [23.224.239.44] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202656; rev:1;) alert tcp $HOME_NET any -> [35.77.99.82] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202657; rev:1;) alert tcp $HOME_NET any -> [43.229.112.204] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202659; rev:1;) alert tcp $HOME_NET any -> [13.115.194.155] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202658; rev:1;) alert tcp $HOME_NET any -> [13.115.129.191] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202660; rev:1;) alert tcp $HOME_NET any -> [13.229.238.49] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202661/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202661; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202662; rev:1;) alert tcp $HOME_NET any -> [43.153.162.95] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202663; rev:1;) alert tcp $HOME_NET any -> [5.255.88.185] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202664; rev:1;) alert tcp $HOME_NET any -> [13.115.194.155] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202665; rev:1;) alert tcp $HOME_NET any -> [217.197.160.235] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202666; rev:1;) alert tcp $HOME_NET any -> [103.45.68.125] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202668; rev:1;) alert tcp $HOME_NET any -> [118.193.35.61] 8443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202669; rev:1;) alert tcp $HOME_NET any -> [35.77.99.82] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202667; rev:1;) alert tcp $HOME_NET any -> [45.74.6.203] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202670; rev:1;) alert tcp $HOME_NET any -> [45.74.6.168] 8443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202671; rev:1;) alert tcp $HOME_NET any -> [45.74.6.203] 21 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202672; rev:1;) alert tcp $HOME_NET any -> [216.83.41.111] 53 (msg:"ThreatFox 
PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202673; rev:1;) alert tcp $HOME_NET any -> [194.49.94.150] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202675; rev:1;) alert tcp $HOME_NET any -> [13.115.129.191] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202651; rev:1;) alert tcp $HOME_NET any -> [47.117.177.231] 21 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202652; rev:1;) alert tcp $HOME_NET any -> [154.204.24.245] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202648; rev:1;) alert tcp $HOME_NET any -> [35.77.99.82] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; 
classtype:trojan-activity; sid:91202649; rev:1;) alert tcp $HOME_NET any -> [194.37.97.132] 21 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202650; rev:1;) alert tcp $HOME_NET any -> [34.92.77.165] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202647; rev:1;) alert tcp $HOME_NET any -> [70.34.198.203] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202644; rev:1;) alert tcp $HOME_NET any -> [14.161.32.142] 8443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202645; rev:1;) alert tcp $HOME_NET any -> [43.155.95.97] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202646; rev:1;) alert tcp $HOME_NET any -> [195.133.11.98] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"safhiyedoleremolipez.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202638; rev:1;) alert tcp $HOME_NET any -> [87.26.121.156] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202674/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202674; rev:1;) alert tcp $HOME_NET any -> [142.11.242.31] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_16; classtype:trojan-activity; sid:91202642; rev:1;) alert tcp $HOME_NET any -> [189.250.48.94] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202641/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202641; rev:1;) alert tcp $HOME_NET any -> [3.71.81.137] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202640/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; 
sid:91202640; rev:1;) alert tcp $HOME_NET any -> [124.243.43.9] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202639/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_16; classtype:trojan-activity; sid:91202639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.94.43.210"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202637; rev:1;) alert tcp $HOME_NET any -> [175.178.14.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202635; rev:1;) alert tcp $HOME_NET any -> [172.111.251.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202634; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hardcorearrpa.viewdns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"hardcorearrpa.viewdns.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202632; rev:1;) alert tcp $HOME_NET any -> [194.49.94.152] 19053 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"noladuer.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202630; rev:1;) alert tcp $HOME_NET any -> [146.190.145.40] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; 
classtype:trojan-activity; sid:91202629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.manager.moonlighter.space"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"engrousf.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202576; rev:1;) alert tcp $HOME_NET any -> [20.218.243.58] 30829 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202584; rev:1;) alert tcp $HOME_NET any -> [194.169.175.128] 37853 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202627; rev:1;) alert tcp $HOME_NET any -> [141.11.250.53] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202626/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202626; rev:1;) alert tcp $HOME_NET any -> [2.50.16.180] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202625/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202625; rev:1;) alert tcp $HOME_NET any -> [39.51.188.223] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202624/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202624; rev:1;) alert tcp $HOME_NET any -> [91.134.141.245] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202623/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202623; rev:1;) 
alert tcp $HOME_NET any -> [49.12.245.198] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202622/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202622; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 5101 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202621/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1170056539550273571/1172900269948936312/installer.zip"; depth:66; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/a758f7iedcl34v8/filesetup.7z/file"; depth:39; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1173717476106838098/1173717612853743727/killazz_github.zip"; depth:71; nocase; http.host; 
content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/5706qszapws9a6s/software_by_nixware_v2.rar"; depth:48; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/950116131354587206/1173339506448015462/setup.rar"; depth:61; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pwyampux"; depth:9; nocase; http.host; content:"cutt.ly"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/0c01oazdhg3vyvj/software_by_nixware_v1.rar"; depth:48; nocase; http.host; content:"www.mediafire.com"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5ebpnjc8"; depth:9; nocase; http.host; content:"tinyurl.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fkwvg"; depth:6; nocase; http.host; content:"kurl.ru"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56mk7pa8"; depth:9; nocase; http.host; content:"tinyurl.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1wym3o2q"; depth:9; nocase; http.host; content:"cutt.ly"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202610; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/xnz4fm9l50zx67d9tl21u/launcher.zip"; depth:42; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tpqme"; depth:6; nocase; http.host; content:"kurl.ru"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khodam/"; depth:8; nocase; http.host; content:"iirir.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/7bhp93gywcm1gjl/valorant.zip/file"; depth:39; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"iirir.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khodam/web.txt"; depth:15; nocase; http.host; content:"iirir.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/3a6x11o8uilhi5c/dowloand.rar/file"; depth:39; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khodam/log.php"; depth:15; nocase; http.host; content:"iirir.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mryh33jv"; depth:9; nocase; http.host; content:"tinyurl.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202602/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/valorant45"; depth:16; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/z5bov2gbgti7kse/cheat.zip/file"; depth:36; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"softonyxx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baknx"; depth:6; nocase; http.host; content:"kurl.ru"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrf4ghd"; depth:9; nocase; http.host; content:"cutt.ly"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/roa5krtmcmkvszq/cheatgeame.rar/file"; depth:41; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/estayls/web.txt"; depth:16; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed.sarltma.rest"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarltma.rest"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202594/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/estayls/log.php"; depth:16; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%f0%9d%90%9c%e2%80%8c%e2%80%8c/rat.php"; depth:39; nocase; http.host; content:"ed.sarltma.rest"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//rat.php"; depth:9; nocase; http.host; content:"ed.sarltma.rest"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ed.sarltma.rest"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202588; rev:1;) alert tcp $HOME_NET any -> [77.91.73.70] 1488 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202587; rev:1;) alert tcp $HOME_NET any -> [35.228.89.229] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202586/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202586; rev:1;) alert tcp $HOME_NET any -> [35.205.17.31] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202585/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmeran/log.php"; depth:15; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmeran/web.txt"; depth:15; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%f0%9d%90%a2%f0%9d%90%ab/apply.php"; depth:35; nocase; http.host; content:"er.aledlsa.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//apply.php"; depth:11; nocase; http.host; content:"er.aledlsa.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%f0%9d%90%a2%f0%9d%90%ab/"; depth:26; nocase; http.host; content:"er.aledlsa.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aledlsa.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"er.aledlsa.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202577/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gold/phone.txt"; depth:15; nocase; http.host; content:"dodovdo.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gold/log.php"; depth:13; nocase; http.host; content:"dodovdo.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202574; rev:1;) alert tcp $HOME_NET any -> [146.190.141.158] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202573; rev:1;) alert tcp $HOME_NET any -> [129.226.83.129] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-68-111-52.eu-central-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1202571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.dnsportal.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202570; rev:1;) alert tcp $HOME_NET any -> [101.35.42.157] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/web.txt"; depth:15; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/log.php"; depth:15; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/in.php"; depth:7; nocase; http.host; content:"adjj-ir.itsaol.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.freeddns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/far/phone.txt"; depth:14; nocase; http.host; content:"dodovdo.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/far/web.txt"; depth:12; nocase; http.host; content:"dodovdo.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drnull.pkmqazreza.workers.dev"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkmqazreza.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001983244127"; depth:22; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001983244127"; depth:19; nocase; http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001983244127"; depth:19; nocase; 
http.host; content:"drnull.pkmqazreza.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202557; rev:1;) alert tcp $HOME_NET any -> [3.64.193.204] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jooshorks.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"xdpanel.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctrdfg.cloud"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tools/"; depth:7; nocase; http.host; content:"xdpanel.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tools/eblis.json"; depth:17; nocase; http.host; content:"xdpanel.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eblis/strawberry.php"; depth:21; nocase; http.host; content:"ctrdfg.cloud"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eblis/"; depth:7; nocase; http.host; content:"ctrdfg.cloud"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eblis/grape.php"; depth:16; nocase; http.host; content:"ctrdfg.cloud"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202546; rev:1;) alert tcp $HOME_NET any -> [44.200.80.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202545; rev:1;) alert tcp $HOME_NET any -> [150.158.45.62] 4455 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202544; rev:1;) alert tcp $HOME_NET any -> [207.246.81.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202543; rev:1;) alert tcp $HOME_NET any -> [107.173.155.160] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202542; rev:1;) alert tcp $HOME_NET any -> [124.222.223.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202540; rev:1;) alert tcp $HOME_NET 
any -> [110.41.158.220] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202541; rev:1;) alert tcp $HOME_NET any -> [111.229.106.48] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202539; rev:1;) alert tcp $HOME_NET any -> [111.229.106.48] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202538; rev:1;) alert tcp $HOME_NET any -> [38.54.20.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202537; rev:1;) alert tcp $HOME_NET any -> [49.232.249.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202536; rev:1;) alert tcp $HOME_NET any -> [124.223.197.198] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202535; rev:1;) alert tcp $HOME_NET any -> [39.100.84.221] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202533; rev:1;) alert tcp $HOME_NET any -> [185.196.9.120] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202534; rev:1;) alert tcp $HOME_NET any -> [107.174.241.206] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202532; rev:1;) alert tcp $HOME_NET any -> [107.174.241.206] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202531; rev:1;) alert tcp $HOME_NET any -> [47.103.77.37] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202530; rev:1;) alert tcp $HOME_NET any -> [185.73.125.8] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202529; rev:1;) alert tcp $HOME_NET any -> [16.170.232.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202528; rev:1;) alert tcp $HOME_NET any -> [164.155.134.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202527; rev:1;) alert tcp $HOME_NET any -> [47.95.37.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202526; rev:1;) alert tcp $HOME_NET any -> [47.107.44.15] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202525; rev:1;) alert tcp $HOME_NET any -> [44.193.191.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202524/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202524; rev:1;) alert tcp $HOME_NET any -> [8.212.15.60] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202523; rev:1;) alert tcp $HOME_NET any -> [59.110.161.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202521; rev:1;) alert tcp $HOME_NET any -> [101.34.28.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202522; rev:1;) alert tcp $HOME_NET any -> [172.94.104.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202520; rev:1;) alert tcp $HOME_NET any -> [43.142.177.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202519; rev:1;) alert tcp $HOME_NET any -> [114.115.180.116] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202517; rev:1;) alert tcp $HOME_NET any -> [23.94.56.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202518; rev:1;) alert tcp $HOME_NET any -> [106.12.124.212] 8012 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202516; rev:1;) alert tcp $HOME_NET any -> [38.54.84.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202514; rev:1;) alert tcp $HOME_NET any -> [54.237.14.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202515; rev:1;) alert tcp $HOME_NET any -> [124.223.58.225] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; 
classtype:trojan-activity; sid:91202513; rev:1;) alert tcp $HOME_NET any -> [195.88.56.36] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202512; rev:1;) alert tcp $HOME_NET any -> [159.75.252.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202511; rev:1;) alert tcp $HOME_NET any -> [134.175.121.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202510; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202509; rev:1;) alert tcp $HOME_NET any -> [124.221.38.104] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202508; rev:1;) alert tcp $HOME_NET any -> [47.120.48.10] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202507; rev:1;) alert tcp $HOME_NET any -> [47.97.6.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202505; rev:1;) alert tcp $HOME_NET any -> [47.120.48.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202506; rev:1;) alert tcp $HOME_NET any -> [111.230.198.166] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202504; rev:1;) alert tcp $HOME_NET any -> [111.230.198.166] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202503; rev:1;) alert tcp $HOME_NET any -> [121.91.168.253] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202502; rev:1;) alert tcp 
$HOME_NET any -> [45.138.16.196] 1222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202501; rev:1;) alert tcp $HOME_NET any -> [103.186.215.46] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202500; rev:1;) alert tcp $HOME_NET any -> [149.88.77.120] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202499; rev:1;) alert tcp $HOME_NET any -> [110.41.32.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202498; rev:1;) alert tcp $HOME_NET any -> [149.28.145.175] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202497; rev:1;) alert tcp $HOME_NET any -> [104.219.209.175] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202496; rev:1;) alert tcp $HOME_NET any -> [1.14.46.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202494; rev:1;) alert tcp $HOME_NET any -> [47.92.116.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-237-14-58.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202492; rev:1;) alert tcp $HOME_NET any -> [121.196.200.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202493; rev:1;) alert tcp $HOME_NET any -> [8.140.184.64] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202491; rev:1;) alert tcp $HOME_NET any 
-> [47.116.79.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms17-010.win-x86.zip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-46-232-181.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-200-80-224.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202487; rev:1;) alert tcp $HOME_NET any -> [121.22.243.241] 47779 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202486/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202486; rev:1;) alert tcp $HOME_NET any -> [156.224.27.167] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202485/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202485; rev:1;) alert tcp $HOME_NET any -> [8.131.50.94] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202484; rev:1;) alert tcp $HOME_NET any -> [1.94.51.173] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202483; rev:1;) alert tcp $HOME_NET any -> [23.95.85.102] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202482; rev:1;) alert tcp $HOME_NET any -> [101.200.164.66] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202480; rev:1;) alert tcp $HOME_NET any -> [43.142.177.236] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202481; rev:1;) 
alert tcp $HOME_NET any -> [43.143.187.177] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202479; rev:1;) alert tcp $HOME_NET any -> [8.130.27.180] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202478; rev:1;) alert tcp $HOME_NET any -> [1.92.72.148] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202476; rev:1;) alert tcp $HOME_NET any -> [101.200.187.59] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202477; rev:1;) alert tcp $HOME_NET any -> [111.230.242.229] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202475; rev:1;) alert tcp $HOME_NET any -> [103.186.215.46] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202473; rev:1;) alert tcp $HOME_NET any -> [123.60.99.12] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202474; rev:1;) alert tcp $HOME_NET any -> [47.116.13.239] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202472; rev:1;) alert tcp $HOME_NET any -> [173.49.90.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202471/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_15; classtype:trojan-activity; sid:91202471; rev:1;) alert tcp $HOME_NET any -> [172.233.237.227] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202469/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_15; classtype:trojan-activity; sid:91202469; rev:1;) alert tcp $HOME_NET any -> [193.149.176.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202470/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_15; classtype:trojan-activity; sid:91202470; rev:1;) alert tcp $HOME_NET any -> [5.252.178.38] 8081 (msg:"ThreatFox ShadowPad botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202468/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_15; classtype:trojan-activity; sid:91202468; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12256 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202467; rev:1;) alert tcp $HOME_NET any -> [154.179.78.37] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202466; rev:1;) alert tcp $HOME_NET any -> [77.53.97.85] 55554 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.manuelsterner.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip-89-38-135-11-82867.vps.hosted-by-mvps.net"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202462/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lamp.manuelsterner.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"33095-2.whserv.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autoconfig.33095-2.whserv.de"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202461; rev:1;) alert tcp $HOME_NET any -> [18.213.237.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202459; rev:1;) alert tcp $HOME_NET any -> [34.194.229.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202458; rev:1;) alert tcp 
$HOME_NET any -> [18.211.111.68] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202457; rev:1;) alert tcp $HOME_NET any -> [34.121.161.18] 5900 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202456/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_15; classtype:trojan-activity; sid:91202456; rev:1;) alert tcp $HOME_NET any -> [18.166.249.66] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202454; rev:1;) alert tcp $HOME_NET any -> [154.204.181.27] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202455; rev:1;) alert tcp $HOME_NET any -> [81.28.6.148] 9090 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202453; rev:1;) alert tcp $HOME_NET any -> [64.40.154.127] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202452/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202452; rev:1;) alert tcp $HOME_NET any -> [110.92.64.176] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202450; rev:1;) alert tcp $HOME_NET any -> [208.64.33.115] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202451; rev:1;) alert tcp $HOME_NET any -> [171.250.188.34] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202449; rev:1;) alert tcp $HOME_NET any -> [34.28.132.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202448; rev:1;) alert tcp $HOME_NET any -> [34.124.138.144] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202447; rev:1;) alert tcp $HOME_NET any -> [34.124.231.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202446; rev:1;) alert tcp $HOME_NET any -> [152.89.198.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202445; rev:1;) alert tcp $HOME_NET any -> [5.42.92.51] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202444; rev:1;) alert tcp $HOME_NET any -> [128.140.73.191] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202443; rev:1;) alert tcp $HOME_NET any -> [185.216.70.233] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202442; rev:1;) alert tcp $HOME_NET any -> [37.27.22.139] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; 
classtype:trojan-activity; sid:91202441; rev:1;) alert tcp $HOME_NET any -> [85.209.11.247] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202440; rev:1;) alert tcp $HOME_NET any -> [185.216.70.238] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202439; rev:1;) alert tcp $HOME_NET any -> [116.103.214.233] 9025 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202437; rev:1;) alert tcp $HOME_NET any -> [116.103.214.233] 42132 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202438; rev:1;) alert tcp $HOME_NET any -> [116.103.214.233] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202436; rev:1;) alert tcp $HOME_NET any -> [116.103.214.233] 1024 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1202435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202435; rev:1;) alert tcp $HOME_NET any -> [116.103.214.233] 21 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202434; rev:1;) alert tcp $HOME_NET any -> [64.176.81.70] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202433; rev:1;) alert tcp $HOME_NET any -> [223.155.16.151] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202431; rev:1;) alert tcp $HOME_NET any -> [93.85.85.86] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202432; rev:1;) alert tcp $HOME_NET any -> [223.155.16.149] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202430; rev:1;) alert tcp $HOME_NET any -> [64.52.80.114] 
4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202429; rev:1;) alert tcp $HOME_NET any -> [109.147.149.255] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202427; rev:1;) alert tcp $HOME_NET any -> [223.155.16.152] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202428; rev:1;) alert tcp $HOME_NET any -> [81.205.110.65] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202426; rev:1;) alert tcp $HOME_NET any -> [223.155.16.150] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202424; rev:1;) alert tcp $HOME_NET any -> [27.158.214.241] 52516 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202425/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202425; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202423; rev:1;) alert tcp $HOME_NET any -> [186.112.202.44] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202422; rev:1;) alert tcp $HOME_NET any -> [91.208.92.74] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202420; rev:1;) alert tcp $HOME_NET any -> [186.112.202.44] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202421; rev:1;) alert tcp $HOME_NET any -> [190.28.181.222] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202419; rev:1;) alert tcp $HOME_NET any -> [185.81.157.254] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202418; rev:1;) alert tcp $HOME_NET any -> [185.81.157.254] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202417; rev:1;) alert tcp $HOME_NET any -> [81.214.77.85] 57 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202415; rev:1;) alert tcp $HOME_NET any -> [185.81.157.254] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202416; rev:1;) alert tcp $HOME_NET any -> [193.23.3.37] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202414; rev:1;) alert tcp $HOME_NET any -> [187.24.3.145] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202412; rev:1;) alert tcp 
$HOME_NET any -> [193.23.3.37] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202413; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202411; rev:1;) alert tcp $HOME_NET any -> [181.235.87.205] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202410; rev:1;) alert tcp $HOME_NET any -> [185.81.157.135] 2525 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202408; rev:1;) alert tcp $HOME_NET any -> [185.81.157.236] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202409; rev:1;) alert tcp $HOME_NET any -> [186.168.71.240] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202407/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202407; rev:1;) alert tcp $HOME_NET any -> [91.192.100.22] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202406; rev:1;) alert tcp $HOME_NET any -> [198.23.227.175] 8880 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202405; rev:1;) alert tcp $HOME_NET any -> [45.76.71.236] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7desktop.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202403; rev:1;) alert tcp $HOME_NET any -> [91.92.243.43] 7719 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"117.50.176.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.116.113.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.37.18.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.170.225"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202397; rev:1;) alert tcp $HOME_NET any -> [124.221.237.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.221.237.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.130.79.38"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202394; rev:1;) alert tcp $HOME_NET any -> [139.162.215.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202393/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202393; rev:1;) alert tcp $HOME_NET any -> [3.76.98.45] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202392/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202392; rev:1;) alert tcp $HOME_NET any -> [45.33.69.35] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202386; rev:1;) alert tcp $HOME_NET any -> [155.138.132.163] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202387; rev:1;) alert tcp $HOME_NET any -> [172.232.189.83] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202388; rev:1;) alert tcp $HOME_NET any -> [172.104.12.76] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202389; rev:1;) alert tcp $HOME_NET any -> [97.107.131.224] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202390; rev:1;) alert tcp $HOME_NET any -> [172.232.189.84] 23399 (msg:"ThreatFox Pikabot botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202391; rev:1;) alert tcp $HOME_NET any -> [194.213.18.45] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202385/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firegate.php"; depth:17; nocase; http.host; content:"91.92.243.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202380; rev:1;) alert tcp $HOME_NET any -> [104.223.118.109] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202383; rev:1;) alert tcp $HOME_NET any -> [104.248.81.48] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202384/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202384; rev:1;) alert tcp $HOME_NET any -> [68.183.227.107] 444 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202381/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202381; rev:1;) alert tcp $HOME_NET any -> [188.241.39.165] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202379/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//apply.php"; depth:11; nocase; http.host; content:"ed.sahmane.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202377; rev:1;) alert tcp $HOME_NET any -> [46.1.103.69] 7355 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202378/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202378; rev:1;) alert tcp $HOME_NET any -> [46.1.103.69] 4263 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202376/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reza/log.php"; depth:13; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1202375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reza/web.txt"; depth:13; nocase; http.host; content:"salesthe.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salesthe.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sahmane.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed.sahmane.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dodovdo.store"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dodovdo.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kla/log.php"; depth:12; nocase; http.host; content:"dodovdo.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kla/phone.txt"; depth:14; nocase; http.host; content:"dodovdo.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"www1.allegiancefithealth.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.eastus.cloudapp.azure.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3s2hxn8v-1308639534.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; 
sid:91202361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-3s2hxn8v-1308639534.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202360; rev:1;) alert tcp $HOME_NET any -> [192.46.232.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"rockpython.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rockpython.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.129.249.115"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1202356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/v7.89/qikqd52kv7"; depth:24; nocase; http.host; content:"110.40.171.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"110.42.222.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.117.79.251"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202352; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.43.49.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.223.83.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.40.243.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202348; rev:1;) alert tcp $HOME_NET any -> [175.178.45.17] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202347/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.theokanegroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.theokanegroup.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202345; rev:1;) alert tcp $HOME_NET any -> [77.83.196.189] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202344/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud0vh/"; depth:7; nocase; http.host; content:"re-tend.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/yveu/"; depth:6; nocase; http.host; content:"frensterol.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202342; rev:1;) alert tcp $HOME_NET any -> [45.32.232.31] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202340; rev:1;) alert tcp $HOME_NET any -> [158.247.196.155] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202341; rev:1;) alert tcp $HOME_NET any -> [3.66.249.70] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202339/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202339; rev:1;) alert tcp $HOME_NET any -> [38.6.177.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202338/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202338; rev:1;) alert tcp $HOME_NET any -> [78.19.226.207] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202337/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_11_15; classtype:trojan-activity; sid:91202337; rev:1;) alert tcp $HOME_NET any -> [201.124.62.185] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202336/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202336; rev:1;) alert tcp $HOME_NET any -> [187.211.117.174] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202335/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202335; rev:1;) alert tcp $HOME_NET any -> [31.117.143.39] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202334/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202334; rev:1;) alert tcp $HOME_NET any -> [102.113.158.156] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202333/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202333; rev:1;) alert tcp $HOME_NET any -> [142.154.8.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202332/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202332; rev:1;) alert tcp $HOME_NET any -> [154.247.166.34] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1202331/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202331; rev:1;) alert tcp $HOME_NET any -> [24.199.115.140] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202330/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202330; rev:1;) alert tcp $HOME_NET any -> [54.186.60.102] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202329/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202329; rev:1;) alert tcp $HOME_NET any -> [3.97.232.186] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202328/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202328; rev:1;) alert tcp $HOME_NET any -> [34.81.238.204] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202327/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202327; rev:1;) alert tcp $HOME_NET any -> [144.76.182.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202326/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202326; rev:1;) alert tcp $HOME_NET any -> [170.64.171.160] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202325/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202325; rev:1;) alert tcp $HOME_NET any -> [54.193.91.232] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202324/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_15; classtype:trojan-activity; sid:91202324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"mmma7811play.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202303/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"mmma7811play.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202304/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"mmma7811play.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202302/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; 
sid:91202302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"mmma8291play.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202301/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"94.156.68.232"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202297/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"94.156.68.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202298/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"mmma8291play.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202300/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"94.156.68.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202299/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"94.156.68.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202295/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"mmma8291play.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202296/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"octobusiness.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202293/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; 
content:"businessocto.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202294/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"planlimited.com.tr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202291/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"planultra.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202292/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmm2yjmyyje4mmmx/"; depth:18; nocase; http.host; content:"planbusiness.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202290/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"shohetrc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202274/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/login.php"; depth:16; nocase; http.host; content:"shohetrc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"shohetrc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"tceducn.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/login.php"; depth:16; nocase; http.host; content:"tceducn.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/plugins/clip64.dll"; depth:25; nocase; http.host; content:"shohetrc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/plugins/cred64.dll"; depth:25; nocase; http.host; content:"shohetrc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"amzoneyfotela.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aynedfer.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"terekovenzozsen.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202307; rev:1;) alert tcp $HOME_NET any -> [162.14.102.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202323/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202323; rev:1;) alert tcp $HOME_NET any -> [34.245.119.31] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202322/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202322; rev:1;) alert tcp $HOME_NET any -> [45.85.249.39] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202321/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/panel/index.php"; depth:21; nocase; http.host; content:"185.29.10.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202320; rev:1;) alert tcp $HOME_NET any -> [52.61.168.199] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202319/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202319; rev:1;) alert tcp $HOME_NET any -> [103.212.81.158] 3050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202318/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202318; rev:1;) alert tcp $HOME_NET any -> [178.190.102.43] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202317/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202317; rev:1;) alert tcp $HOME_NET any -> [141.164.62.87] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202316/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_15; classtype:trojan-activity; sid:91202316; rev:1;) alert tcp $HOME_NET any -> [8.210.141.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ews/2012"; depth:9; nocase; http.host; content:"8.210.141.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202314; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.210.141.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_15; classtype:trojan-activity; sid:91202313; rev:1;) alert tcp $HOME_NET any -> [65.49.210.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202312/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202312; rev:1;) alert tcp $HOME_NET any -> [83.40.181.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202311/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202311; rev:1;) alert tcp $HOME_NET any -> [54.174.89.226] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202310/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202310; rev:1;) alert tcp $HOME_NET any -> [101.36.110.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202309/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202309; rev:1;) alert tcp $HOME_NET any -> [111.230.198.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202308/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_15; classtype:trojan-activity; sid:91202308; rev:1;) alert tcp $HOME_NET any -> [76.74.127.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202289; rev:1;) alert tcp $HOME_NET any -> [66.204.14.125] 3268 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202288/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202288; rev:1;) alert tcp $HOME_NET any -> [193.168.141.81] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202287/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202287; rev:1;) alert tcp $HOME_NET any -> [45.129.199.75] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202286/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202286; rev:1;) alert tcp $HOME_NET any -> [83.243.122.245] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202285/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202285; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"194.26.135.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202283; rev:1;) alert tcp $HOME_NET any -> [194.26.135.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_promos"; depth:20; nocase; http.host; content:"74.235.187.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202281; rev:1;) alert tcp $HOME_NET any -> [74.235.187.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202282; rev:1;) alert tcp $HOME_NET any -> [79.137.207.240] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202273/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202273; rev:1;) alert tcp $HOME_NET 
any -> [39.98.115.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202272/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202272; rev:1;) alert tcp $HOME_NET any -> [223.26.57.5] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202271/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202271; rev:1;) alert tcp $HOME_NET any -> [88.234.26.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202270/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202270; rev:1;) alert tcp $HOME_NET any -> [109.145.252.40] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202269/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202269; rev:1;) alert tcp $HOME_NET any -> [41.227.211.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202268/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202268; rev:1;) alert tcp $HOME_NET any -> [35.134.202.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202267/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202267; rev:1;) alert tcp $HOME_NET any -> [8.208.95.78] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202266/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202266; rev:1;) alert tcp $HOME_NET any -> [20.157.16.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202265/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202265; rev:1;) alert tcp $HOME_NET any -> [146.190.157.226] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202264/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202264; rev:1;) alert tcp $HOME_NET any -> [34.124.204.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202263/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202263; rev:1;) alert tcp $HOME_NET any -> [3.252.36.202] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202262/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202262; rev:1;) alert tcp $HOME_NET any -> [142.171.194.122] 9000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202261/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202261; rev:1;) alert tcp $HOME_NET any -> [103.159.133.163] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202260/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202260; rev:1;) alert tcp $HOME_NET any -> [8.218.204.19] 33333 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ffle"; depth:5; nocase; http.host; content:"103.185.249.119"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202258/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202258; rev:1;) alert tcp $HOME_NET any -> [3.109.55.94] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202257/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202257; rev:1;) alert tcp $HOME_NET any -> [103.185.249.119] 4434 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202256/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firegate.php"; depth:17; nocase; http.host; content:"185.216.70.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202253; rev:1;) alert tcp $HOME_NET any -> [194.49.94.142] 41292 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202254; rev:1;) alert tcp $HOME_NET any -> [114.115.247.120] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202255/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202255; rev:1;) alert tcp $HOME_NET any -> [193.149.129.245] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202251/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_14; classtype:trojan-activity; sid:91202251; rev:1;) alert tcp $HOME_NET any -> [185.164.163.105] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202252/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_14; classtype:trojan-activity; sid:91202252; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"81.70.11.25"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"110.40.192.122"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.105.201.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202247; rev:1;) alert tcp $HOME_NET any -> [180.184.71.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1202246/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"185.196.9.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"112.124.37.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"216.224.123.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202243/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"60.204.216.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202242; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.142.115.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202241; rev:1;) alert tcp $HOME_NET any -> [121.40.126.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-k046gp6x-1252319062.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-k046gp6x-1252319062.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ajax/jquery-3.3.1.js"; depth:21; nocase; http.host; content:"125.124.18.241"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firegate.php"; depth:17; nocase; http.host; content:"194.49.94.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.128"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"80.66.89.128"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202229/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"robolorunerushe.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/report"; depth:11; nocase; http.host; content:"77.91.76.15"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202232/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202232; rev:1;) alert tcp $HOME_NET any -> [194.156.90.101] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202235/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202235; rev:1;) alert tcp $HOME_NET any -> [203.201.172.139] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202234/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202234; rev:1;) alert tcp $HOME_NET any -> [18.157.197.76] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202233/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_11_14; classtype:trojan-activity; sid:91202233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"396388cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202231; rev:1;) alert tcp $HOME_NET any -> [5.42.92.51] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ct46096.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202226; rev:1;) alert tcp $HOME_NET any -> [192.3.101.8] 55677 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202225/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202225; rev:1;) alert tcp $HOME_NET any -> [192.3.101.8] 45671 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202224/; target:src_ip; metadata: confidence_level 75, first_seen 
2023_11_14; classtype:trojan-activity; sid:91202224; rev:1;) alert tcp $HOME_NET any -> [37.32.9.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202223/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"5.101.0.241"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"5.101.0.241"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"netskope0.azureedge.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"netskope0.azureedge.net"; depth:23; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1202219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2w198e2r-1308639534.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-2w198e2r-1308639534.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202217; rev:1;) alert tcp $HOME_NET any -> [205.234.200.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"205.234.200.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"3.149.29.109"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202213; rev:1;) alert tcp $HOME_NET any -> [3.149.29.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202214; rev:1;) alert tcp $HOME_NET any -> [122.152.244.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"122.152.244.183"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.221.123.55"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202210; rev:1;) alert tcp $HOME_NET any -> 
[72.11.142.131] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202209; rev:1;) alert tcp $HOME_NET any -> [142.202.188.173] 9953 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202208/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202208; rev:1;) alert tcp $HOME_NET any -> [78.47.61.97] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202206; rev:1;) alert tcp $HOME_NET any -> [49.13.94.153] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.119.148"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.94.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"167.235.143.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.61.97"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.189.41"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202200/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_14; classtype:trojan-activity; sid:91202200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/starcofeeth"; depth:12; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199571056594"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202198; rev:1;) alert tcp $HOME_NET any -> [117.50.176.222] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202197/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202195/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202195; rev:1;) alert tcp $HOME_NET any -> [79.119.54.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202194/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202194; rev:1;) alert tcp $HOME_NET any -> [159.0.13.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202193/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202193; rev:1;) alert tcp $HOME_NET any -> [70.27.167.188] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202192/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202192; rev:1;) alert tcp $HOME_NET any -> [189.177.78.206] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202191/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202191; rev:1;) alert tcp $HOME_NET any -> [50.35.132.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202190/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202190; rev:1;) alert tcp $HOME_NET any -> [41.98.235.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202189/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202189; rev:1;) alert tcp $HOME_NET any -> [97.118.20.114] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202188/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202188; rev:1;) alert tcp $HOME_NET any -> [102.157.199.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202187/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202187; rev:1;) alert tcp $HOME_NET any -> [187.147.137.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202186/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202186; rev:1;) alert tcp $HOME_NET any -> [51.255.45.227] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202185/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202185; rev:1;) alert tcp $HOME_NET any -> [40.122.50.119] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202184/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202184; rev:1;) alert tcp $HOME_NET any -> [151.236.22.64] 6544 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202183/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202183; rev:1;) 
alert tcp $HOME_NET any -> [13.248.174.235] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202182/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202182; rev:1;) alert tcp $HOME_NET any -> [45.151.126.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202181/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202181; rev:1;) alert tcp $HOME_NET any -> [137.184.4.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202180/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_14; classtype:trojan-activity; sid:91202180; rev:1;) alert tcp $HOME_NET any -> [14.225.206.204] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202133/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"muphantom.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202134/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202134; rev:1;) alert tcp $HOME_NET any -> [93.123.85.5] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202131/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_14; classtype:trojan-activity; sid:91202131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"ilokod.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"ilokod.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bankedbaroloak.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202155; rev:1;) alert tcp $HOME_NET any -> [195.20.16.27] 48665 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202114; rev:1;) alert tcp $HOME_NET any -> [45.15.156.167] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"goodmpore.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202162; rev:1;) alert tcp $HOME_NET any -> [77.91.68.252] 43686 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tekegelgemez.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202164; rev:1;) alert tcp $HOME_NET any -> [130.51.20.126] 
37190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us3.localto.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webpanel/login.php"; depth:19; nocase; http.host; content:"www.rakishevkenes.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202179; rev:1;) alert tcp $HOME_NET any -> [82.157.65.5] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202178/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202178; rev:1;) alert tcp $HOME_NET any -> [110.40.171.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202177/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202177; rev:1;) alert tcp $HOME_NET any -> [47.116.113.9] 8887 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202176/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202176; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 56981 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202175/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202175; rev:1;) alert tcp $HOME_NET any -> [45.56.165.27] 7001 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202174/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202174; rev:1;) alert tcp $HOME_NET any -> [88.214.25.251] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202171/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202171; rev:1;) alert tcp $HOME_NET any -> [154.211.18.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202170/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202170; rev:1;) alert tcp $HOME_NET any -> [54.237.14.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202169; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"road.peerscash.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"road.peerscash.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_14; classtype:trojan-activity; sid:91202167; rev:1;) alert tcp $HOME_NET any -> [121.37.18.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202166/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202166; rev:1;) alert tcp $HOME_NET any -> [82.157.69.161] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202165/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_14; classtype:trojan-activity; sid:91202165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"193.57.137.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202159; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"179.60.150.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.domainsec.club"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.domainsec.club"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202156; rev:1;) alert tcp $HOME_NET any -> [80.66.66.252] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202154/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202154; rev:1;) alert tcp $HOME_NET any -> [193.201.9.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; 
sid:91202153; rev:1;) alert tcp $HOME_NET any -> [167.114.90.242] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202152; rev:1;) alert tcp $HOME_NET any -> [54.249.85.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202150; rev:1;) alert tcp $HOME_NET any -> [172.245.118.36] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202151; rev:1;) alert tcp $HOME_NET any -> [92.38.178.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202149; rev:1;) alert tcp $HOME_NET any -> [45.77.34.194] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202148; rev:1;) alert tcp $HOME_NET any -> [124.236.56.59] 37201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1202147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202147; rev:1;) alert tcp $HOME_NET any -> [206.237.6.229] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202146; rev:1;) alert tcp $HOME_NET any -> [8.130.19.53] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202145; rev:1;) alert tcp $HOME_NET any -> [81.17.22.90] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202144; rev:1;) alert tcp $HOME_NET any -> [199.195.249.117] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202143; rev:1;) alert tcp $HOME_NET any -> [121.5.195.89] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202142; rev:1;) alert tcp $HOME_NET any -> [172.94.8.75] 2020 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donotopenthis.zip"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.204.56.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; 
classtype:trojan-activity; sid:91202137; rev:1;) alert tcp $HOME_NET any -> [47.93.235.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202132/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"vittoriogioia.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cleansoft.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202126/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_13; classtype:trojan-activity; sid:91202126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"clearcracksoft.fun"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202127/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_13; classtype:trojan-activity; sid:91202127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"clearcracksoft.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202128/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_13; classtype:trojan-activity; sid:91202128; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cleansoft.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202129/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_13; classtype:trojan-activity; sid:91202129; rev:1;) alert tcp $HOME_NET any -> [38.47.106.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202125/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202125; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 11170 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202124; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 11170 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202123; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 11170 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202122; rev:1;) alert tcp $HOME_NET any -> [101.108.195.147] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1202121/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202121; rev:1;) alert tcp $HOME_NET any -> [31.117.136.251] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202120/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202120; rev:1;) alert tcp $HOME_NET any -> [46.240.140.66] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202119/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202119; rev:1;) alert tcp $HOME_NET any -> [68.183.220.190] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202118/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202118; rev:1;) alert tcp $HOME_NET any -> [54.93.236.31] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202117/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202117; rev:1;) alert tcp $HOME_NET any -> [151.236.22.64] 4359 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202116/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202116; rev:1;) alert tcp $HOME_NET any -> [149.154.158.34] 10101 (msg:"ThreatFox BianLian botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202115/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202115; rev:1;) alert tcp $HOME_NET any -> [121.37.45.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202113; rev:1;) alert tcp $HOME_NET any -> [47.120.12.203] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202112; rev:1;) alert tcp $HOME_NET any -> [77.78.31.79] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202111; rev:1;) alert tcp $HOME_NET any -> [52.87.167.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202110; rev:1;) alert tcp $HOME_NET any -> [147.50.253.84] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202109/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; 
classtype:trojan-activity; sid:91202109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"45.15.156.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"195.20.16.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"31.192.237.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"193.233.132.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; 
sid:91202104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an7jd0qo6kt5bk5bq4er8fe1xp7hl2vk/sqlite3.dll"; depth:45; nocase; http.host; content:"193.233.132.17"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.15.156.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.17"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202102; rev:1;) alert tcp $HOME_NET any -> [193.233.132.12] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202096; rev:1;) alert tcp $HOME_NET any -> [193.233.132.17] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202097; rev:1;) alert tcp $HOME_NET any -> [195.20.16.35] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202098; rev:1;) alert tcp $HOME_NET any -> [31.192.237.23] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202099; rev:1;) alert tcp $HOME_NET any -> [45.15.156.26] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202100; rev:1;) alert tcp $HOME_NET any -> [70.34.223.131] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202091; rev:1;) alert tcp $HOME_NET any -> [139.180.168.216] 
13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202092; rev:1;) alert tcp $HOME_NET any -> [70.34.242.159] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202093; rev:1;) alert tcp $HOME_NET any -> [95.179.214.49] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202094; rev:1;) alert tcp $HOME_NET any -> [167.179.100.211] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202095; rev:1;) alert tcp $HOME_NET any -> [178.184.248.42] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202090/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202090; rev:1;) alert tcp $HOME_NET any -> [103.27.186.188] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202089/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202089; rev:1;) alert tcp $HOME_NET any -> [23.88.32.230] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202087; rev:1;) alert tcp $HOME_NET any -> [34.88.134.230] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202086/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dl.tehranuniversity.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202085/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"herioteeakl.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202084/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"bukkub.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202074/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"bobnoopopo.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202075/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"junggvrebvqqpo.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202076/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"junggpervbvqqqqqqpo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202077/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"junggvbvqqgrouppo.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202078/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"junggvbvqqnetokpo.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202079/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"junggvbvq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202080/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"junggvbvq5656.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202081/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/y2u5zjyxzta5zjcw/"; depth:18; nocase; http.host; content:"jungjunjunggvbvq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202082/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202082; rev:1;) alert tcp $HOME_NET any -> [34.89.20.143] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202083/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202083; rev:1;) alert tcp $HOME_NET any -> [52.193.46.239] 54443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202073; rev:1;) alert tcp $HOME_NET any -> [18.237.81.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202072; rev:1;) alert tcp $HOME_NET any -> [62.234.36.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202071; rev:1;) alert tcp $HOME_NET any -> [101.132.192.106] 60080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202070/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202070; rev:1;) alert tcp $HOME_NET any -> [47.254.50.141] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202069; rev:1;) alert tcp $HOME_NET any -> [101.43.49.244] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202068; rev:1;) alert tcp $HOME_NET any -> [47.92.115.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202067; rev:1;) alert tcp $HOME_NET any -> [101.132.242.31] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202066; rev:1;) alert tcp $HOME_NET any -> [91.92.252.206] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202065; rev:1;) alert tcp $HOME_NET any -> [180.76.121.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202064; rev:1;) alert tcp $HOME_NET any -> [193.201.9.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202063; rev:1;) alert tcp $HOME_NET any -> [144.202.126.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202061; rev:1;) alert tcp $HOME_NET any -> [144.202.126.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202062; rev:1;) alert tcp $HOME_NET any -> [117.72.35.30] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202060; rev:1;) alert tcp $HOME_NET any -> [183.165.34.225] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; 
classtype:trojan-activity; sid:91202059; rev:1;) alert tcp $HOME_NET any -> [45.77.46.211] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202058; rev:1;) alert tcp $HOME_NET any -> [114.115.180.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202057; rev:1;) alert tcp $HOME_NET any -> [54.146.202.241] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202056; rev:1;) alert tcp $HOME_NET any -> [116.196.106.249] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202055; rev:1;) alert tcp $HOME_NET any -> [185.196.9.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202054; rev:1;) alert tcp $HOME_NET any -> [92.63.196.46] 19480 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202052; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202053; rev:1;) alert tcp $HOME_NET any -> [163.5.169.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202051; rev:1;) alert tcp $HOME_NET any -> [106.75.162.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202050; rev:1;) alert tcp $HOME_NET any -> [43.139.69.186] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202049; rev:1;) alert tcp $HOME_NET any -> [42.194.249.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202048; rev:1;) alert tcp 
$HOME_NET any -> [123.249.33.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202047; rev:1;) alert tcp $HOME_NET any -> [116.204.107.102] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202046; rev:1;) alert tcp $HOME_NET any -> [8.222.155.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202045; rev:1;) alert tcp $HOME_NET any -> [51.79.230.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns5006633.ip-51-79-230.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-204-111-102.compute-1.amazonaws.com"; depth:42; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202042; rev:1;) alert tcp $HOME_NET any -> [104.225.232.136] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202041; rev:1;) alert tcp $HOME_NET any -> [49.113.72.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202040; rev:1;) alert tcp $HOME_NET any -> [124.222.224.57] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202039; rev:1;) alert tcp $HOME_NET any -> [81.68.159.196] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202038; rev:1;) alert tcp $HOME_NET any -> [146.70.157.115] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202037/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_13; classtype:trojan-activity; sid:91202037; rev:1;) alert tcp 
$HOME_NET any -> [217.12.206.194] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202036/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_13; classtype:trojan-activity; sid:91202036; rev:1;) alert tcp $HOME_NET any -> [189.250.24.235] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202035; rev:1;) alert tcp $HOME_NET any -> [167.235.143.166] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202034; rev:1;) alert tcp $HOME_NET any -> [116.202.189.41] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202033; rev:1;) alert tcp $HOME_NET any -> [49.12.119.148] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202032; rev:1;) alert tcp $HOME_NET any -> [49.13.94.153] 1021 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202031/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202031; rev:1;) alert tcp $HOME_NET any -> [3.228.58.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-243c526b.vps.ovh.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202029; rev:1;) alert tcp $HOME_NET any -> [5.255.117.112] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202028; rev:1;) alert tcp $HOME_NET any -> [65.108.26.147] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202027; rev:1;) alert tcp $HOME_NET any -> [95.216.249.152] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"www.chromewebkit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202025; rev:1;) alert tcp $HOME_NET any -> [43.163.240.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202024; rev:1;) alert tcp $HOME_NET any -> [154.92.18.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202023; rev:1;) alert tcp $HOME_NET any -> [103.143.28.36] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202022; rev:1;) alert tcp $HOME_NET any -> [223.155.16.153] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202021; rev:1;) alert tcp $HOME_NET any -> [85.239.241.136] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202020/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202020; rev:1;) alert tcp $HOME_NET any -> [198.12.125.30] 8191 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202019; rev:1;) alert tcp $HOME_NET any -> [186.168.71.240] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202018; rev:1;) alert tcp $HOME_NET any -> [45.141.215.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-35-178-203-77.eu-west-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202016; rev:1;) alert tcp $HOME_NET any -> [31.220.94.133] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202015; rev:1;) alert tcp $HOME_NET any -> [180.184.71.135] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202014/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202014; rev:1;) alert tcp $HOME_NET any -> [31.156.120.87] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202013/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202013; rev:1;) alert tcp $HOME_NET any -> [178.184.248.42] 1337 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202012/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202012; rev:1;) alert tcp $HOME_NET any -> [217.133.249.35] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202011/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"microsoft.net.linkpc.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202008/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91202008; rev:1;) alert tcp $HOME_NET any -> [194.187.251.115] 62848 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202009/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_11_13; classtype:trojan-activity; sid:91202009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"storageapis.gotdns.ch"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202010/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91202010; rev:1;) alert tcp $HOME_NET any -> [91.92.247.217] 9003 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202007; rev:1;) alert tcp $HOME_NET any -> [46.1.103.69] 2341 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202006; rev:1;) alert tcp $HOME_NET any -> [45.15.156.13] 80 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"longlakeweb.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1202004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202004; rev:1;) alert tcp $HOME_NET any -> [139.84.229.159] 2665 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1202002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/fk/b4zao0sj2"; depth:18; nocase; http.host; content:"157.245.28.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1202000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91202000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"192.144.231.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.93.63.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201998/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_13; classtype:trojan-activity; sid:91201998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.40.243.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201997; rev:1;) alert tcp $HOME_NET any -> [5.182.87.106] 33883 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201996; rev:1;) alert tcp $HOME_NET any -> [172.245.81.35] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.windowsupdate.mom"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201994; rev:1;) alert tcp $HOME_NET any -> [47.122.10.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201993; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.122.10.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201992; rev:1;) alert tcp $HOME_NET any -> [89.95.64.132] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201991/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201990; rev:1;) alert tcp $HOME_NET any -> [35.203.123.82] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201989/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201989; rev:1;) alert tcp $HOME_NET any -> [34.77.140.175] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201988/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201988; rev:1;) alert tcp $HOME_NET any -> [78.47.204.96] 443 (msg:"ThreatFox 
MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jedi.piupiu.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201986; rev:1;) alert tcp $HOME_NET any -> [79.134.225.6] 7910 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201987; rev:1;) alert tcp $HOME_NET any -> [3.127.210.141] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201984/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.90.152.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201982; rev:1;) alert tcp $HOME_NET any -> [157.90.152.131] 2083 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1201983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201983; rev:1;) alert tcp $HOME_NET any -> [168.119.173.77] 2087 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.173.77"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201980; rev:1;) alert tcp $HOME_NET any -> [35.203.88.123] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201979/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201979; rev:1;) alert tcp $HOME_NET any -> [157.245.28.175] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201978/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"co99163.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1201977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201977; rev:1;) alert tcp $HOME_NET any -> [91.215.85.154] 60859 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201976/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201976; rev:1;) alert tcp $HOME_NET any -> [103.143.28.35] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201975/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201975; rev:1;) alert tcp $HOME_NET any -> [103.143.28.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201974/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201974; rev:1;) alert tcp $HOME_NET any -> [141.255.152.88] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201973/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201973; rev:1;) alert tcp $HOME_NET any -> [187.155.147.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201972/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201972; rev:1;) alert tcp $HOME_NET any -> [68.224.65.229] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201971/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201971; rev:1;) alert tcp $HOME_NET any -> [176.44.88.234] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201970/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201970; rev:1;) alert tcp $HOME_NET any -> [217.165.233.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201969/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201969; rev:1;) alert tcp $HOME_NET any -> [154.247.7.119] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201968/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201968; rev:1;) alert tcp $HOME_NET any -> [109.48.28.129] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201967/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201967; rev:1;) alert tcp $HOME_NET any -> [109.153.195.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201966/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; 
sid:91201966; rev:1;)
# NOTE(review): the five ip:port rules below carry confidence_level 50 (Responder, Havoc,
# BianLian, Sliver). They have no flow keyword, so they match the first packet toward the
# IP:port (a bare SYN is enough); "threshold: type limit, track by_src, seconds 60, count 1"
# then suppresses repeat alerts from the same source for 60 s. Being L4 selectors they work
# through TLS, but the IP:port is the ONLY evidence: keep them alert-only, check the
# referenced ThreatFox entry before turning them into drop rules or blocklist entries, and
# age them out (all are first_seen 2023_11_13) — hosted IPs get reassigned.
# The Responder entry is outbound TCP/445 to an Internet host; that is worth an alert on
# its own, egress SMB should normally be blocked at the perimeter regardless of the IOC.
alert tcp $HOME_NET any -> [64.227.34.214] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201965/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201965; rev:1;)
alert tcp $HOME_NET any -> [154.8.142.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201964/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201964; rev:1;)
alert tcp $HOME_NET any -> [54.193.91.232] 3155 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201963/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201963; rev:1;)
alert tcp $HOME_NET any -> [45.86.163.224] 7559 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201962/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201962; rev:1;)
alert tcp $HOME_NET any -> [185.231.154.113] 50543 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201961/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_13; classtype:trojan-activity; sid:91201961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getimagedata.php"; depth:17; 
nocase; http.host; content:"louisianaworkingdogs.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"grasialoud.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hoodblor.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201946; rev:1;) alert tcp $HOME_NET any -> [185.221.196.69] 5127 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"31.192.237.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201949; rev:1;) alert tcp $HOME_NET any -> [74.48.44.7] 9443 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201959/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201959; rev:1;) alert tcp $HOME_NET any -> [45.142.214.130] 9091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201958/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201958; rev:1;) alert tcp $HOME_NET any -> [116.203.7.211] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201957/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201957; rev:1;) alert tcp $HOME_NET any -> [59.110.239.147] 14344 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201956/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"quoolser.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201955; rev:1;) alert tcp $HOME_NET any -> [189.250.24.235] 1800 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1201954/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201954; rev:1;) alert tcp $HOME_NET any -> [189.250.24.235] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201953/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201953; rev:1;) alert tcp $HOME_NET any -> [95.165.148.158] 7777 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201952/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201952; rev:1;) alert tcp $HOME_NET any -> [82.157.65.5] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201951/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_13; classtype:trojan-activity; sid:91201951; rev:1;) alert tcp $HOME_NET any -> [185.222.58.84] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_13; classtype:trojan-activity; sid:91201950; rev:1;) alert tcp $HOME_NET any -> [111.90.147.137] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201947/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201947; rev:1;) alert tcp $HOME_NET any -> [78.10.58.203] 1604 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201944/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201944; rev:1;) alert tcp $HOME_NET any -> [51.77.173.201] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201943/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201943; rev:1;) alert tcp $HOME_NET any -> [89.168.78.92] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201942/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201942; rev:1;) alert tcp $HOME_NET any -> [193.168.141.69] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201941/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_12; classtype:trojan-activity; sid:91201941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p9qc"; depth:5; nocase; http.host; content:"194.156.98.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201940/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_12; classtype:trojan-activity; sid:91201940; rev:1;) alert tcp $HOME_NET any -> [194.156.98.178] 3737 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1201939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doooldues.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201938; rev:1;) alert tcp $HOME_NET any -> [8.222.206.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201937/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201937; rev:1;) alert tcp $HOME_NET any -> [141.255.153.99] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201936/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201936; rev:1;) alert tcp $HOME_NET any -> [154.247.7.226] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201935/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201935; rev:1;) alert tcp $HOME_NET any -> [142.247.239.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201934/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; 
classtype:trojan-activity; sid:91201934; rev:1;) alert tcp $HOME_NET any -> [54.202.205.155] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201933/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201933; rev:1;) alert tcp $HOME_NET any -> [76.223.68.71] 10011 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201932/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201932; rev:1;) alert tcp $HOME_NET any -> [34.142.156.79] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201931/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201931; rev:1;) alert tcp $HOME_NET any -> [174.138.76.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201930/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201930; rev:1;) alert tcp $HOME_NET any -> [174.138.76.181] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201929/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/adelionking/dodoman"; depth:20; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201928; rev:1;)
# NOTE(review): the payload-delivery rules in this run key on http.host for github.com,
# cdn.discordapp.com and bit.ly. Suricata's http.* sticky buffers are only populated for
# cleartext HTTP, so these fire only when the download went over plain HTTP or the sensor
# sees traffic decrypted upstream; for TLS-only sessions pair them with tls.sni or proxy logs.
# Match shape: the http.host match is exact (depth equals the pattern length and
# isdataat:!1,relative forbids trailing bytes); the http.uri match is a PREFIX match (depth
# without an end anchor), so "/3ftkcjy" also matches "/3ftkcjyXYZ". The three
# cdn.discordapp.com rules share the path prefix /attachments/1144349834749427775/, so one
# rule on that prefix would also catch later uploads to the same channel, at some FP cost.
# The github.com rules match the repository path only; file fetches that go through other
# GitHub hostnames are presumably not covered — confirm against the ThreatFox entries.
alert tcp $HOME_NET any -> [103.212.81.156] 58001 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1144349834749427775/1173307792656973844/pulsarcheat.zip"; depth:68; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"moonsterd.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201917; rev:1;)
alert tcp $HOME_NET any -> [43.230.131.138] 57745 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201918; rev:1;)
alert tcp $HOME_NET any -> [43.230.131.138] 21 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/digitoromdo/pulsar4"; depth:20; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1144349834749427775/1173306851643887706/pulsarcheat.zip"; depth:68; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adolfgitler23/4"; depth:16; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3ftkcjy"; depth:8; nocase; http.host; content:"bit.ly"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40zgrj3"; depth:8; nocase; http.host; content:"bit.ly"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/47l47ng"; depth:8; nocase; http.host; content:"bit.ly"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1144349834749427775/1173308334158401586/pulsarcheat.zip"; depth:68; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201920; rev:1;)
alert tcp $HOME_NET any -> [109.248.144.235] 1997 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201915; rev:1;)
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.91.76.14"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipjs5"; depth:6; nocase; http.host; content:"shorturl.at"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/wtufdfov94q96hr/memories+loader.zip/file"; depth:46; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/memories-loader-helper-11-11"; depth:29; nocase; http.host; content:"telegra.ph"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"memoriesweb.tilda.ws"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nlzow/memorieslaun"; depth:19; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moskhoods.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watchdog.exe"; depth:13; nocase; http.host; content:"217.196.96.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/zntei1y1q1ad0ob3r5vh3/install.rar"; depth:41; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201903/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig.exe"; depth:10; nocase; http.host; content:"217.196.96.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201904; rev:1;)
alert tcp $HOME_NET any -> [91.151.111.54] 8000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201902/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201902; rev:1;)
alert tcp $HOME_NET any -> [3.72.0.224] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201901/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201901; rev:1;)
# NOTE(review): the dns rules below are exact-name matches (depth equals the pattern
# length, isdataat:!1,relative forbids trailing bytes), so the "sarltma.rest" rule does
# NOT cover "ed.sarltma.rest" — which is why both names get their own rule. To cover every
# label under a domain with one rule, newer Suricata versions offer the dotprefix transform:
#   dns.query; dotprefix; content:".sarltma.rest"; endswith;
# which matches the apex and all subdomains but still rejects look-alikes like "notsarltma.rest".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cembec.pics"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ed.sarltma.rest"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sarltma.rest"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201900; rev:1;)
# NOTE(review): sid 91201897 matches a percent-encoded path ("%f0%9d%90%9c..." is the
# escaped form of non-ASCII characters) in http.uri, which is libhtp's NORMALIZED buffer;
# percent-decoding is part of that normalization, so this literal most likely only matches
# the raw request line via http.uri.raw — verify against a capture before relying on it.
# The android payload rules (app.apk / saham.apk) are, like the other url rules, cleartext
# HTTP only; the matching dns rules above are the TLS-independent fallback.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%f0%9d%90%9c%e2%80%8c%e2%80%8c/app.apk"; depth:39; nocase; http.host; content:"ed.sarltma.rest"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cembec.pics"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cfm.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201895; rev:1;)
alert tcp $HOME_NET any -> [185.44.81.147] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201875/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asq-ir.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"afm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ir-sahq.fartit.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tfa.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cfm.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201893; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ebs.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201894; rev:1;) alert tcp $HOME_NET any -> [185.216.70.222] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201874/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"moonsterd.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201872/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/s3ojdk6tu5veoje/software_by_nixware.rar"; depth:45; nocase; http.host; content:"www.mediafire.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuxdh"; depth:6; nocase; http.host; content:"kurl.ru"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201869; 
rev:1;) alert tcp $HOME_NET any -> [47.107.67.137] 17469 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201868; rev:1;) alert tcp $HOME_NET any -> [47.107.67.137] 60112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201867; rev:1;) alert tcp $HOME_NET any -> [132.232.113.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201866; rev:1;) alert tcp $HOME_NET any -> [103.106.228.203] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201864; rev:1;) alert tcp $HOME_NET any -> [103.242.3.165] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201865; rev:1;) alert tcp $HOME_NET any -> [123.60.223.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1201863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201863; rev:1;) alert tcp $HOME_NET any -> [82.157.142.84] 18082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201862; rev:1;) alert tcp $HOME_NET any -> [114.103.158.104] 11000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201861; rev:1;) alert tcp $HOME_NET any -> [124.70.205.129] 48886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201860; rev:1;) alert tcp $HOME_NET any -> [104.244.95.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201859; rev:1;) alert tcp $HOME_NET any -> [156.223.91.226] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201858; rev:1;) alert tcp $HOME_NET any -> 
[101.43.142.116] 22380 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201857; rev:1;) alert tcp $HOME_NET any -> [101.33.221.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201856; rev:1;) alert tcp $HOME_NET any -> [107.6.242.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201855; rev:1;) alert tcp $HOME_NET any -> [8.130.125.235] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201854; rev:1;) alert tcp $HOME_NET any -> [111.229.10.49] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201853; rev:1;) alert tcp $HOME_NET any -> [149.100.138.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201852; rev:1;) alert tcp $HOME_NET any -> [101.35.253.212] 880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201851; rev:1;) alert tcp $HOME_NET any -> [124.223.6.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201850; rev:1;) alert tcp $HOME_NET any -> [124.70.154.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201849; rev:1;) alert tcp $HOME_NET any -> [124.222.141.231] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201848; rev:1;) alert tcp $HOME_NET any -> [116.204.24.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201847; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 8080 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201846; rev:1;) alert tcp $HOME_NET any -> [185.196.9.120] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201845; rev:1;) alert tcp $HOME_NET any -> [103.179.243.198] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htl502.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.ad-tracker.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201842; rev:1;) alert tcp $HOME_NET any -> [60.205.227.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201841; rev:1;) alert tcp $HOME_NET any -> [8.130.124.171] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eye.huyanbao.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.cloud-onedrive.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201839; rev:1;) alert tcp $HOME_NET any -> [8.130.126.1] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201837; rev:1;) alert tcp $HOME_NET any -> [43.138.196.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201836; rev:1;) alert tcp $HOME_NET 
any -> [121.37.46.129] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201835; rev:1;) alert tcp $HOME_NET any -> [148.135.124.207] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201834; rev:1;) alert tcp $HOME_NET any -> [107.148.1.241] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201833; rev:1;) alert tcp $HOME_NET any -> [47.245.114.158] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201832; rev:1;) alert tcp $HOME_NET any -> [180.184.132.193] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201831; rev:1;) alert tcp $HOME_NET any -> [163.197.211.60] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201830/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201830; rev:1;) alert tcp $HOME_NET any -> [140.246.72.2] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201829; rev:1;) alert tcp $HOME_NET any -> [34.162.133.104] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201828/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_12; classtype:trojan-activity; sid:91201828; rev:1;) alert tcp $HOME_NET any -> [189.250.30.254] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.173.251.201.195.clients.your-server.de"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-44-101-45.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201825; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-23-20-237-225.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kamssa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201823; rev:1;) alert tcp $HOME_NET any -> [18.166.249.66] 8443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201822; rev:1;) alert tcp $HOME_NET any -> [141.98.10.132] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201821; rev:1;) alert tcp $HOME_NET any -> [159.100.22.58] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201820; rev:1;) alert tcp $HOME_NET any -> [124.29.223.193] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1201819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-166-249-66.ap-east-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chromewebkit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qdttcm.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franc.naservpn.cf"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201815; rev:1;) alert tcp $HOME_NET any -> [123.60.143.74] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201813/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201813; rev:1;) alert tcp $HOME_NET any -> [173.254.240.26] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201814; rev:1;) alert tcp $HOME_NET any -> [54.74.236.38] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201812; rev:1;) alert tcp $HOME_NET any -> [105.111.84.84] 288 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201811; rev:1;) alert tcp $HOME_NET any -> [186.102.161.73] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201809; rev:1;) alert tcp $HOME_NET any -> [186.102.161.73] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201810; rev:1;) alert tcp $HOME_NET any -> [186.102.161.73] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201808; rev:1;) alert tcp $HOME_NET any -> [45.88.186.47] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201807; rev:1;) alert tcp $HOME_NET any -> [142.44.252.22] 833 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201806; rev:1;) alert tcp $HOME_NET any -> [85.206.172.156] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201805; rev:1;) alert tcp $HOME_NET any -> [66.94.118.174] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201804; rev:1;) alert tcp $HOME_NET any -> [37.1.211.248] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201803; rev:1;) alert tcp $HOME_NET 
any -> [185.81.157.150] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201801; rev:1;) alert tcp $HOME_NET any -> [37.1.211.248] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201802; rev:1;) alert tcp $HOME_NET any -> [185.81.157.150] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201800; rev:1;) alert tcp $HOME_NET any -> [185.81.157.150] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201799; rev:1;) alert tcp $HOME_NET any -> [185.62.86.134] 666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201798; rev:1;) alert tcp $HOME_NET any -> [185.25.51.99] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201797/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201797; rev:1;) alert tcp $HOME_NET any -> [91.109.188.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201796; rev:1;) alert tcp $HOME_NET any -> [104.243.47.96] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.159-65-168-135.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-198-246-147.eu-central-1.compute.amazonaws.com"; depth:53; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201794; rev:1;) alert tcp $HOME_NET any -> [167.71.6.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201792; rev:1;) alert tcp $HOME_NET any -> [39.105.201.3] 
8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201791/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"showmoreresultonliner.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"showmoreresultonliner.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1201787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"showmoreresultonliner.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1201788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201788; rev:1;) alert tcp $HOME_NET any -> [185.216.70.235] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201789; rev:1;) alert tcp $HOME_NET any -> [185.216.70.222] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201790; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 11793 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201785; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11793 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201784; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 11793 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.198.248.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzfjmdi3mjvknzdi/"; depth:18; nocase; http.host; content:"basdbjabsjdbas.pw"; 
depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201770/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzfjmdi3mjvknzdi/"; depth:18; nocase; http.host; content:"hausdhuashdauhs.biz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201771/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzfjmdi3mjvknzdi/"; depth:18; nocase; http.host; content:"mkmakmakamka.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201772/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzfjmdi3mjvknzdi/"; depth:18; nocase; http.host; content:"asdhkasjhdkajhs.co.uk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201773/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzfjmdi3mjvknzdi/"; depth:18; nocase; http.host; content:"jahsdhaskdjaskjh.hk"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201774/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_11_12; classtype:trojan-activity; sid:91201774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzfjmdi3mjvknzdi/"; depth:18; nocase; http.host; content:"iohaihsodihasoihdao.hk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201775/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2m5mmrhmwmwodg3/"; depth:18; nocase; http.host; content:"194.33.191.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201776/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2m5mmrhmwmwodg3/"; depth:18; nocase; http.host; content:"senliksizmakek.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201777/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2m5mmrhmwmwodg3/"; depth:18; nocase; http.host; content:"senliksizmakek62.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201778/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201778; rev:1;) alert tcp $HOME_NET any -> [216.224.123.241] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201781/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201781; rev:1;) alert tcp $HOME_NET any -> [147.50.252.143] 117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201780; rev:1;) alert tcp $HOME_NET any -> [85.209.11.162] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201779/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201779; rev:1;) alert tcp $HOME_NET any -> [154.92.16.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt3.227api.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt2.227api.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201767/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt1.227api.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201766; rev:1;) alert tcp $HOME_NET any -> [47.245.117.155] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.blueteam.asia"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www1.canadaeast.cloudapp.azure.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201763; rev:1;) alert tcp $HOME_NET any -> [185.232.92.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201762/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201762; rev:1;) alert tcp $HOME_NET any 
-> [49.235.104.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201761/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201761; rev:1;) alert tcp $HOME_NET any -> [193.109.85.77] 80 (msg:"ThreatFox StrelaStealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201760/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_12; classtype:trojan-activity; sid:91201760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"193.109.85.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.92.246.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jomjolse.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; 
classtype:trojan-activity; sid:91201757; rev:1;) alert tcp $HOME_NET any -> [43.138.235.42] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201756/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201756; rev:1;) alert tcp $HOME_NET any -> [182.92.218.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201755/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201755; rev:1;) alert tcp $HOME_NET any -> [39.98.157.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201754/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201754; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201753/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201753; rev:1;) alert tcp $HOME_NET any -> [95.214.55.177] 1689 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"db.liquidbbq.pl"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"taretool.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201645; rev:1;) alert tcp $HOME_NET any -> [195.20.16.27] 23000 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.64.13"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor05.likescandy.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor03.webhop.org"; 
depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor02.issmarterthanyou.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor06.is-a-rockstar.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201626; rev:1;) alert tcp $HOME_NET any -> [94.156.67.137] 7854 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201717/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201717; rev:1;) alert tcp $HOME_NET any -> [92.255.57.101] 42192 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201648; rev:1;) alert tcp $HOME_NET any -> [45.15.156.142] 33597 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201649/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_12; classtype:trojan-activity; sid:91201649; rev:1;)
alert tcp $HOME_NET any -> [146.70.169.164] 2227 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201650; rev:1;)
# NOTE(review): sid 91201661 matches the bare hostname in http.uri, a buffer that
# normally carries only the request path, so expect it to miss ordinary requests.
# No dns_query rule for this domain is visible nearby, so the indicator has little
# effective coverage here; confidence is also only 50%.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"adhufdauifadhj13.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1201661/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201661; rev:1;)
alert tcp $HOME_NET any -> [141.98.10.82] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201731/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_12; classtype:trojan-activity; sid:91201731; rev:1;)
alert tcp $HOME_NET any -> [111.90.148.162] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201752/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201752; rev:1;)
# Low-confidence (50%) ip:port indicator; tune or review before acting on alerts.
alert tcp $HOME_NET any -> [220.137.159.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201751/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201751; rev:1;)
alert tcp $HOME_NET any -> [41.99.96.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201750/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201750; rev:1;) alert tcp $HOME_NET any -> [154.246.186.29] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201749/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201749; rev:1;) alert tcp $HOME_NET any -> [41.62.131.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201748/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201748; rev:1;) alert tcp $HOME_NET any -> [47.233.135.40] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201747/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201747; rev:1;) alert tcp $HOME_NET any -> [85.208.117.147] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201746/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201746; rev:1;) alert tcp $HOME_NET any -> [87.122.216.191] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201745/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201745; rev:1;) alert 
tcp $HOME_NET any -> [91.199.147.205] 56324 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201744/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201744; rev:1;) alert tcp $HOME_NET any -> [208.115.233.154] 22122 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201743/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201743; rev:1;) alert tcp $HOME_NET any -> [208.115.233.154] 5443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201742/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_12; classtype:trojan-activity; sid:91201742; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 19360 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201741; rev:1;) alert tcp $HOME_NET any -> [95.165.148.158] 25565 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201740/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201740; rev:1;) alert tcp $HOME_NET any -> [121.41.176.54] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201739/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.234.72.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201738; rev:1;) alert tcp $HOME_NET any -> [77.240.89.141] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201737/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201737; rev:1;) alert tcp $HOME_NET any -> [46.246.80.6] 1111 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"639538cm.nyashcrack.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_12; classtype:trojan-activity; sid:91201735; rev:1;) alert tcp $HOME_NET any -> [182.188.78.114] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201734/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201734; rev:1;) alert tcp $HOME_NET any -> [212.118.39.189] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201733/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201733; rev:1;) alert tcp $HOME_NET any -> [47.108.175.149] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201732/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201732; rev:1;) alert tcp $HOME_NET any -> [41.97.121.174] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201730/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201730; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201729/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201729; rev:1;) alert tcp $HOME_NET any -> [123.24.229.49] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201726/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_12; classtype:trojan-activity; sid:91201726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"106.75.2.57"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_promos"; depth:20; nocase; http.host; content:"8.219.207.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlenath"; depth:8; nocase; http.host; content:"20.51.226.216"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.41.131.105"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1201721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"123.207.5.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.96.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"85.175.101.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201716; rev:1;) alert tcp 
$HOME_NET any -> [209.203.160.46] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201715/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volkswagenvansuk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"volkswagenvansuk.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asdir.dns05.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ghabzino.fartit.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adse.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cnf.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iirir.vizvaz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"cnf.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adjj-ir.itsaol.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201695; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adse.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"aaq-ir.dns05.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"al-ir.faqserv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asdir.dns05.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/saham.apk"; depth:10; nocase; http.host; content:"as-ir.mrface.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sah-am.dns05.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"dfs-sir.vizvaz.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"1-ir.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"iirir.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201685/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"fd-ir.dns05.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"aq-ir.itsaol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201684; rev:1;) alert tcp $HOME_NET any -> [5.42.64.18] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201660/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201660; rev:1;) alert tcp $HOME_NET any -> [112.124.37.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201659/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201659; rev:1;) alert tcp $HOME_NET any -> [79.137.203.233] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201658/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201658; rev:1;) alert tcp $HOME_NET any -> [116.203.191.125] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201657/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201657; rev:1;) alert tcp $HOME_NET any -> [77.72.85.32] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201656/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_11; classtype:trojan-activity; sid:91201656; rev:1;) alert tcp $HOME_NET any -> [201.229.167.115] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201655/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201655; rev:1;) alert tcp $HOME_NET any -> [194.33.191.126] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201654/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201654; rev:1;) alert tcp $HOME_NET any -> [39.100.83.53] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201653/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201653; rev:1;) alert tcp $HOME_NET any -> [1.117.79.251] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201652/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201652; rev:1;) alert tcp $HOME_NET any -> [62.234.48.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201651/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201651; rev:1;) alert tcp $HOME_NET any -> [42.192.145.232] 8989 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201642/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201642; rev:1;) alert tcp $HOME_NET any -> [94.99.45.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201641/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201641; rev:1;) alert tcp $HOME_NET any -> [86.222.89.196] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201640/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201640; rev:1;) alert tcp $HOME_NET any -> [141.164.174.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201639/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201639; rev:1;) 
alert tcp $HOME_NET any -> [197.94.68.125] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201638/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201638; rev:1;) alert tcp $HOME_NET any -> [95.165.99.74] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201637/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201637; rev:1;) alert tcp $HOME_NET any -> [176.9.43.114] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201636/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201636; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 7507 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201635/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201635; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 6707 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201634/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201634; rev:1;) alert tcp $HOME_NET any -> [151.236.22.64] 5915 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201633/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201633; rev:1;) alert tcp $HOME_NET any -> [13.229.3.203] 17689 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201631; rev:1;) alert tcp $HOME_NET any -> [18.141.129.246] 17689 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201632; rev:1;) alert tcp $HOME_NET any -> [18.139.9.214] 17689 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201630; rev:1;) alert tcp $HOME_NET any -> [45.143.139.19] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201629; rev:1;) alert tcp $HOME_NET any -> [3.133.207.110] 19367 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201624; rev:1;) alert tcp $HOME_NET any -> [3.138.180.119] 19367 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201622; rev:1;) alert tcp $HOME_NET any -> [3.129.187.220] 19367 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201623; rev:1;) alert tcp $HOME_NET any -> [3.22.15.135] 19367 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201621; rev:1;) alert tcp $HOME_NET any -> [60.204.243.217] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201620/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"plengreg.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.35.104.211"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.221.50.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.43.49.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"116.62.164.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201614; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"194.116.215.112"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.78.206.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"95.214.25.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.46.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201610; rev:1;) alert tcp $HOME_NET any -> [5.42.92.43] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1201609/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201609; rev:1;) alert tcp $HOME_NET any -> [104.244.95.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201608/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30055d25.php"; depth:13; nocase; http.host; content:"abobub-001-site1.etempurl.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e5f9db40aa1d5c5c.php"; depth:21; nocase; http.host; content:"193.233.232.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"31.192.237.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201605; rev:1;) alert tcp $HOME_NET any -> [85.239.53.152] 443 (msg:"ThreatFox BianLian botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201604/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"chrownna.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201578/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"lauytropo.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201579/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"bobnoopo.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201580/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvrebvqq.org"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1201581/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggpervbvqqqqqq.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201582/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvbvqqgroup.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201583/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvbvqqnetok.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201584/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juliet543.myvnc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"india987.serveblog.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pegapombo.serveftp.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modularecenturion.blogdns.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modularkyoto.gotdns.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ripcurliogfa.myvnc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"robertgoldlabel.dyndns-office.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loghub/master"; depth:14; nocase; http.host; content:"5.42.92.43"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rolexnuevocnt.is-slick.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201594; rev:1;) alert tcp $HOME_NET any -> [194.49.94.113] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mouskules.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201600; rev:1;) alert tcp $HOME_NET any -> [138.201.120.172] 15648 (msg:"ThreatFox SectopRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"consoles.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201602; rev:1;) alert tcp $HOME_NET any -> [77.91.97.132] 31959 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201603; rev:1;) alert tcp $HOME_NET any -> [188.34.193.59] 48197 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"moskhoods.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201596; rev:1;) alert tcp $HOME_NET any -> [207.148.97.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201595/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201595; rev:1;) alert tcp $HOME_NET any -> [27.124.53.18] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201586/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201586; rev:1;) alert tcp $HOME_NET any -> [107.172.43.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201585/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201585; rev:1;) alert tcp $HOME_NET any -> [91.92.246.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"91.92.246.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js.js"; depth:6; nocase; http.host; 
content:"62.234.54.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/access/"; depth:8; nocase; http.host; content:"d36nuygiqfjnnv.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d36nuygiqfjnnv.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201574; rev:1;) alert tcp $HOME_NET any -> [2.58.113.190] 8035 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201572/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"microsofts.live"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201571; rev:1;) alert tcp $HOME_NET any -> [104.168.87.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201570/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201570; rev:1;) alert tcp $HOME_NET any -> [68.183.77.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201569/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201569; rev:1;) alert tcp $HOME_NET any -> [54.167.67.203] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201568/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201568; rev:1;) alert tcp $HOME_NET any -> [47.102.97.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201567/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201567; rev:1;) alert tcp $HOME_NET any -> [156.240.108.145] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201566/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201566; rev:1;) alert tcp $HOME_NET any -> [81.94.159.163] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201527/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_11; classtype:trojan-activity; 
sid:91201527; rev:1;) alert tcp $HOME_NET any -> [60.53.168.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201565/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201565; rev:1;) alert tcp $HOME_NET any -> [104.157.102.161] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201564/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201564; rev:1;) alert tcp $HOME_NET any -> [154.246.183.217] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201563/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201563; rev:1;) alert tcp $HOME_NET any -> [157.230.112.79] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201562/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201562; rev:1;) alert tcp $HOME_NET any -> [54.210.116.98] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201561/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201561; rev:1;) alert tcp $HOME_NET any -> [20.212.52.184] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201560/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201560; rev:1;) alert tcp $HOME_NET any -> [174.138.4.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201559/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201559; rev:1;) alert tcp $HOME_NET any -> [13.215.228.73] 6411 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201558/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201558; rev:1;) alert tcp $HOME_NET any -> [52.196.213.220] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201557/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_11; classtype:trojan-activity; sid:91201557; rev:1;) alert tcp $HOME_NET any -> [77.246.107.149] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"keewoolas.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; 
sid:91201555; rev:1;) alert tcp $HOME_NET any -> [91.92.247.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201554; rev:1;) alert tcp $HOME_NET any -> [194.49.94.45] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201553/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201553; rev:1;) alert tcp $HOME_NET any -> [45.32.110.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201552/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.243.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201551; rev:1;) alert tcp $HOME_NET any -> [134.209.164.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.209.164.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201549; rev:1;) alert tcp $HOME_NET any -> [54.207.132.156] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201548/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201548; rev:1;) alert tcp $HOME_NET any -> [185.196.9.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201547; rev:1;) alert tcp $HOME_NET any -> [101.42.243.40] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201546; rev:1;) alert tcp $HOME_NET any -> [44.217.89.101] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.mirpurpac.com"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1201544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201544; rev:1;) alert tcp $HOME_NET any -> [195.20.16.31] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201543; rev:1;) alert tcp $HOME_NET any -> [79.143.181.62] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_11; classtype:trojan-activity; sid:91201542; rev:1;) alert tcp $HOME_NET any -> [77.91.151.189] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201541/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_11; classtype:trojan-activity; sid:91201541; rev:1;) alert tcp $HOME_NET any -> [195.10.205.16] 1056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201540; rev:1;) alert tcp $HOME_NET any -> [110.40.192.122] 60030 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201539/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm87784.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201538; rev:1;) alert tcp $HOME_NET any -> [91.92.246.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"91.92.246.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201536; rev:1;) alert tcp $HOME_NET any -> [152.32.212.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201535/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201535; rev:1;) alert tcp $HOME_NET any -> [8.219.196.121] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201534; rev:1;) alert tcp $HOME_NET any -> [185.196.8.245] 2096 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201533; rev:1;) alert tcp $HOME_NET any -> [39.106.148.186] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201531; rev:1;) alert tcp $HOME_NET any -> [180.141.51.186] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201532; rev:1;) alert tcp $HOME_NET any -> [27.124.53.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201530; rev:1;) alert tcp $HOME_NET any -> [45.141.215.40] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201529; rev:1;) alert tcp $HOME_NET any -> [213.65.233.25] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201528/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c36258786fdc16da.php"; depth:21; nocase; http.host; content:"77.91.68.247"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201526; rev:1;) alert tcp $HOME_NET any -> [45.155.121.151] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201524/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_10; classtype:trojan-activity; sid:91201524; rev:1;) alert tcp $HOME_NET any -> [213.139.205.14] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201525/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_10; classtype:trojan-activity; sid:91201525; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 12153 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201523; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 12153 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201521; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 
12153 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201522; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 12153 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"killredls.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"xxxpakunatationclass5.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201491/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"xxxpakunatationclass6.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201492/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_11_10; classtype:trojan-activity; sid:91201492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"xxxpakunatationclass2.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201488/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"xxxpakunatationclass3.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201489/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"xxxpakunatationclass4.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201490/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"185.196.9.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201486/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"xxxpakunatationclass.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201487/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"beresihbtgrs5ewtr.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201484/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"certbreu45nagbierty.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201485/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"berionderh6figer.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201482/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"adetero6orlher.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201483/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"supersafer6.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201481/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"barbriki76782.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201493/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"oelikixanni14.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201494/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"bonjoorvipacz.pro"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201495/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feov2v/"; depth:8; nocase; http.host; content:"longlakeweb.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"longlakeweb.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_cf.php"; depth:33; nocase; http.host; content:"longlakeweb.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nightscoutsergi.mooo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"01invoicefull234.dnsdojo.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"advertenciactc2023.dnsdojo.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adjuntodocumento3224.from-mt.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"01advertenciactc2023.dnsdojo.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"citaadju23nta.likes-pie.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"advertenciactc2023.selfip.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"comprobantepagoectonico.selfip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ccrrufahnyrakhbuhwyqye.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ducminhsg.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flyfggfdbvcbvcbc.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mydatayxnhzcs.tech"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hotvncvbnxc.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nhatminhvina.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t.flyfggfdbvcbvcbc.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jetmailx.ddnsguru.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maypainer.loseyourip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201392/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"loliternakond.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201480/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myinfo2.giize.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysystem2102account.dnsalias.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201394; rev:1;) alert tcp $HOME_NET any -> [34.74.162.235] 8007 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_cf.php"; depth:33; nocase; http.host; content:"jonathanbonnici.com"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hoooldanos.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3a7qlvn"; depth:9; nocase; http.host; content:"jonathanbonnici.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"europapokal2024.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bobbycloud.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_index.php"; depth:36; nocase; http.host; content:"jonathanbonnici.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"advertenciact.from-wy.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"advertenciactc2023.from-wy.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201337; rev:1;) alert tcp $HOME_NET any -> [82.165.201.41] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201518/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201518; rev:1;) alert tcp $HOME_NET any -> [193.37.69.51] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201516/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201516; rev:1;) alert tcp $HOME_NET any -> [23.105.219.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201515/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adhufdauifadhj13.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"adhufdauifadhj13.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201513; rev:1;) alert tcp $HOME_NET any -> [180.112.5.254] 8008 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201512; rev:1;) alert tcp $HOME_NET any -> [1.14.65.18] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201511; rev:1;) alert tcp $HOME_NET any -> [43.139.107.237] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1201510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201510; rev:1;) alert tcp $HOME_NET any -> [185.51.171.119] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201509/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201509; rev:1;) alert tcp $HOME_NET any -> [41.96.108.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201508/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201508; rev:1;) alert tcp $HOME_NET any -> [41.230.154.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201507/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201507; rev:1;) alert tcp $HOME_NET any -> [121.132.24.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201506/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201506; rev:1;) alert tcp $HOME_NET any -> [31.117.219.190] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201505/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201505; rev:1;) alert tcp $HOME_NET any -> [187.147.126.231] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201504/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201504; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 6388 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201503/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201503; rev:1;) alert tcp $HOME_NET any -> [3.76.100.131] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201502/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201502; rev:1;) alert tcp $HOME_NET any -> [162.0.228.202] 4443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201501/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201501; rev:1;) alert tcp $HOME_NET any -> [63.250.42.18] 587 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201500/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201500; rev:1;) alert tcp $HOME_NET any -> [146.190.67.179] 50233 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201499/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; 
sid:91201499; rev:1;) alert tcp $HOME_NET any -> [3.75.95.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.131.152.90.157.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.163.246.75.5.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.243.6.203.116.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"html-pdf-converter.prod.k8s.p7n.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201476; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.151.34.201.195.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.4.209.75.5.clients.your-server.de"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.233.188.130.94.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.laughing-shannon.23-88-45-254.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"objective-margulis.23-88-45-254.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201470; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.96.10.203.116.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laughing-shannon.23-88-45-254.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.189.116.12.49.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"join.naxtm.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.avisclair.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201466; rev:1;) alert tcp $HOME_NET any -> [116.203.165.60] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201464; rev:1;) alert tcp $HOME_NET any -> [110.41.131.105] 24567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201463; rev:1;) alert tcp $HOME_NET any -> [18.219.71.131] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201462; rev:1;) alert tcp $HOME_NET any -> [103.234.72.147] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.cstest.buzz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201460; rev:1;) alert tcp $HOME_NET any -> [3.95.172.216] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201459/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.microsofts.live"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201458; rev:1;) alert tcp $HOME_NET any -> [194.247.187.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201457; rev:1;) alert tcp $HOME_NET any -> [101.43.49.244] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201456; rev:1;) alert tcp $HOME_NET any -> [123.56.73.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201455; rev:1;) alert tcp $HOME_NET any -> [185.196.8.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201454; rev:1;) alert tcp $HOME_NET any -> [101.42.247.160] 53 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201453; rev:1;) alert tcp $HOME_NET any -> [121.37.198.25] 2347 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201452; rev:1;) alert tcp $HOME_NET any -> [139.180.136.28] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201451; rev:1;) alert tcp $HOME_NET any -> [193.232.55.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201450; rev:1;) alert tcp $HOME_NET any -> [1.94.40.140] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201449; rev:1;) alert tcp $HOME_NET any -> [3.95.172.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201448/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_10; classtype:trojan-activity; sid:91201448; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201447; rev:1;) alert tcp $HOME_NET any -> [60.204.216.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201446; rev:1;) alert tcp $HOME_NET any -> [38.165.8.81] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201445; rev:1;) alert tcp $HOME_NET any -> [114.103.158.104] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201444; rev:1;) alert tcp $HOME_NET any -> [103.142.87.104] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201443; rev:1;) alert tcp $HOME_NET any -> [46.161.40.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201442; rev:1;)
# Cobalt Strike ip:port entries (1201441 .. 1201434): these rules carry no payload match, so any TCP packet from $HOME_NET to the listed socket alerts; the threshold keyword caps that at one alert per source per 60 seconds.
alert tcp $HOME_NET any -> [107.174.253.49] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201441; rev:1;)
alert tcp $HOME_NET any -> [155.94.163.39] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201440; rev:1;)
alert tcp $HOME_NET any -> [146.235.200.132] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201439; rev:1;)
alert tcp $HOME_NET any -> [139.180.156.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201438; rev:1;)
alert tcp $HOME_NET any -> [139.199.171.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201437; rev:1;)
alert tcp $HOME_NET any -> [110.41.16.127] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201435; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tesx.cloud-panelmb.biz.id"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201436; rev:1;)
alert tcp $HOME_NET any -> [101.200.84.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201434; rev:1;)
# NOTE(review): ec2-*.compute*.amazonaws.com, *.16clouds.com and *.apigw.tencentcs.com names (here and in 1201412, 1201398, 1201396, 1201343, 1201315) look provider-assigned; such names get recycled, so treat these entries as time-bound to their first_seen date and review hits before adding the names to a block list. The depth + isdataat:!1,relative pair makes each DNS match exact (no subdomain or suffix matches).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-95-172-216.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201433; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"65.49.210.124.16clouds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goocoinorg.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201432; rev:1;)
# Viper RAT cluster (1201430 .. 1201416): fifteen endpoints, all on destination port 60000, with the same content-less ip:port shape as the entries above.
alert tcp $HOME_NET any -> [82.180.131.188] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201430; rev:1;)
alert tcp $HOME_NET any -> [110.42.213.116] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201429; rev:1;)
alert tcp $HOME_NET any -> [206.237.1.241] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201428; rev:1;)
alert tcp $HOME_NET any -> [42.51.45.241] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201427; rev:1;)
alert tcp $HOME_NET any -> [206.237.30.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201426; rev:1;)
alert tcp $HOME_NET any -> [116.196.117.137] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201425; rev:1;)
alert tcp $HOME_NET any -> [124.223.220.137] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201424; rev:1;)
alert tcp $HOME_NET any -> [43.143.56.207] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201423; rev:1;)
alert tcp $HOME_NET any -> [47.99.154.45] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201422; rev:1;)
alert tcp $HOME_NET any -> [39.98.91.137] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201421; rev:1;)
alert tcp $HOME_NET any -> [47.116.122.78] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201420; rev:1;)
alert tcp $HOME_NET any -> [47.103.49.39] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201419; rev:1;)
alert tcp $HOME_NET any -> [162.14.125.5] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201418; rev:1;)
alert tcp $HOME_NET any -> [124.220.32.134] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201417; rev:1;)
alert tcp $HOME_NET any -> [47.98.172.144] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201416; rev:1;)
alert tcp $HOME_NET any -> [189.129.231.102] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201415; rev:1;)
# Entries below 100% confidence begin here (1201414/1201413 at 90; later 1201385, 1201384, 1201379, 1201378, 1201356, 1201334 and 1201309 .. 1201306 at 80; 1201303 at 50). Only the msg text and the metadata confidence_level carry that distinction, so sensors that act on these rules should route the lower-confidence sids to alert-only rather than block.
alert tcp $HOME_NET any -> [185.196.9.57] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201414/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_10; classtype:trojan-activity; sid:91201414; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.152] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201413/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_10; classtype:trojan-activity; sid:91201413; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-225-109-232.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201412; rev:1;)
alert tcp $HOME_NET any -> [18.166.249.66] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201411; rev:1;)
alert tcp $HOME_NET any -> [212.118.40.208] 1200 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201410; rev:1;)
alert tcp $HOME_NET any -> [206.237.0.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201409; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.md-faisal.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201408; rev:1;)
alert tcp $HOME_NET any -> [43.249.8.44] 7071 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201407; rev:1;)
alert tcp $HOME_NET any -> [156.240.108.178] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201406; rev:1;)
alert tcp $HOME_NET any -> [194.233.31.117] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201405; rev:1;)
alert tcp $HOME_NET any -> [103.53.126.17] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201404; rev:1;)
alert tcp $HOME_NET any -> [20.237.228.234] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201403; rev:1;)
alert tcp $HOME_NET any -> [136.243.151.21] 75 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201402; rev:1;)
alert tcp $HOME_NET any -> [144.126.149.221] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201401; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.47] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201400; rev:1;)
alert tcp $HOME_NET any -> [191.246.186.145] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201399; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.werbeagenturbraunschweig.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201397; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-35-178-199-73.eu-west-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201398; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-232-77-201.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201396; rev:1;)
# HTTP URL entries: they use the http.method / http.uri / http.host sticky buffers (presumably Suricata 5.0+ rule syntax — confirm against the sensor version). depth equal to the content length anchors the URI match at the start of the buffer (a trailing query string still matches), nocase is set on the URI match only, and isdataat:!1,relative after the http.host content makes the Host match exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"112.126.71.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.130.70.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"microsoft.updatestore.live"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.updatestore.live"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"15.168.63.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201386; rev:1;)
alert tcp $HOME_NET any -> [65.21.217.216] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201385/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201385; rev:1;)
alert tcp $HOME_NET any -> [13.233.115.58] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201384/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysvb/metap"; depth:12; nocase; http.host; content:"137.220.52.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201383; rev:1;)
# URI "/" with depth:1 only anchors on the root path, so the http.host match is what identifies this traffic (1201304 further down has the same shape).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.236.246.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/was/forec"; depth:10; nocase; http.host; content:"128.140.59.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dayzilons.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201380; rev:1;)
alert tcp $HOME_NET any -> [94.49.183.29] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201379/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201379; rev:1;)
alert tcp $HOME_NET any -> [82.156.136.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201378/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1hlhcc/redem"; depth:13; nocase; http.host; content:"149.28.104.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zei/pyrol"; depth:10; nocase; http.host; content:"49.13.6.174"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pvugr/scyph"; depth:12; nocase; http.host; content:"168.119.154.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201367; rev:1;)
alert tcp $HOME_NET any -> [213.21.220.222] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201362; rev:1;)
alert tcp $HOME_NET any -> [207.32.217.190] 46434 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201359; rev:1;)
alert tcp $HOME_NET any -> [124.223.52.82] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201356/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.45.250.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201344; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lj2mtzly-1318135905.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-lj2mtzly-1318135905.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"82.156.136.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"192.144.231.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201335; rev:1;)
alert tcp $HOME_NET any -> [8.219.196.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201334/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201334; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n0tion.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"n0tion.link"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.132.56.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.40.243.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201329; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.205] 1994 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.207.20.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"5.8.18.237"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.152.67.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.99.34.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201323; rev:1;)
alert tcp $HOME_NET any -> [124.71.5.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201322; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.siegemachine.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201321; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.siegemachine.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201320; rev:1;)
alert tcp $HOME_NET any -> [150.109.103.16] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201319; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnslog.twittermisc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"176.113.115.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"bernardofata.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201316; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201314; rev:1;)
alert tcp $HOME_NET any -> [5.42.67.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"115.159.221.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.207.20.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"154.213.65.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201310; rev:1;)
alert tcp $HOME_NET any -> [91.245.255.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201309/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201309; rev:1;)
alert tcp $HOME_NET any -> [3.79.97.135] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201308/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201308; rev:1;)
alert tcp $HOME_NET any -> [101.35.104.211] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201307/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201307; rev:1;)
alert tcp $HOME_NET any -> [163.44.43.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201306/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201306; rev:1;)
alert tcp $HOME_NET any -> [5.42.75.166] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201305; rev:1;)
# 1201305 (ip:port) and 1201304 (root URI on the same host) cover the same endpoint; a hit on both is expected for one request and should be correlated rather than counted twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.75.166"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201304; rev:1;)
# Entry 1201303 below carries confidence_level 50, the lowest in this section; its metadata continues on the next line of the page.
alert tcp $HOME_NET any -> [185.149.146.159] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201303/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201303; rev:1;) alert tcp $HOME_NET any -> [47.74.157.112] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201302/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201302; rev:1;) alert tcp $HOME_NET any -> [64.176.37.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201301/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201301; rev:1;) alert tcp $HOME_NET any -> [139.84.226.182] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201300/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201300; rev:1;) alert tcp $HOME_NET any -> [103.12.133.137] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201299/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201299; rev:1;) alert tcp $HOME_NET any -> [200.109.11.231] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201298/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201298; rev:1;) alert tcp $HOME_NET any -> [85.243.247.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201297/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201297; rev:1;) alert tcp $HOME_NET any -> [70.49.35.198] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201296/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201296; rev:1;) alert tcp $HOME_NET any -> [74.12.145.206] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201295/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201295; rev:1;) alert tcp $HOME_NET any -> [102.113.44.220] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201294/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201294; rev:1;) alert tcp $HOME_NET any -> [70.48.203.137] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201293/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201293; rev:1;) alert tcp $HOME_NET any -> [77.124.85.166] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201292/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201292; rev:1;) alert tcp $HOME_NET any -> 
[75.130.192.54] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201291/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201291; rev:1;) alert tcp $HOME_NET any -> [154.246.187.75] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201290/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201290; rev:1;) alert tcp $HOME_NET any -> [3.93.54.41] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201289/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201289; rev:1;) alert tcp $HOME_NET any -> [139.144.16.233] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201288/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201288; rev:1;) alert tcp $HOME_NET any -> [89.22.173.93] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201287/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201287; rev:1;) alert tcp $HOME_NET any -> [18.198.246.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201286/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_11_10; classtype:trojan-activity; sid:91201286; rev:1;) alert tcp $HOME_NET any -> [45.140.146.58] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201285/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201285; rev:1;) alert tcp $HOME_NET any -> [213.139.205.146] 5000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201284/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201284; rev:1;) alert tcp $HOME_NET any -> [3.76.100.131] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201283/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201283; rev:1;) alert tcp $HOME_NET any -> [3.76.100.131] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201282/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201282; rev:1;) alert tcp $HOME_NET any -> [3.76.100.131] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201280/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201280; rev:1;) alert tcp $HOME_NET any -> [3.76.100.131] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1201281/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201281; rev:1;) alert tcp $HOME_NET any -> [151.236.20.194] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201279/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201279; rev:1;) alert tcp $HOME_NET any -> [23.152.0.64] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201278/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marmitariasaobernado.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contabilidade3irmaos.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1201277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sloptu/rigktjy/paid.php"; depth:24; nocase; http.host; content:"bagsrad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201275/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_11_10; classtype:trojan-activity; sid:91201275; rev:1;) alert tcp $HOME_NET any -> [142.132.204.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201260; rev:1;) alert tcp $HOME_NET any -> [157.90.152.131] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201261; rev:1;) alert tcp $HOME_NET any -> [116.203.166.75] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201262; rev:1;) alert tcp $HOME_NET any -> [195.201.251.173] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201263; rev:1;) alert tcp $HOME_NET any -> [116.203.6.243] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201264; rev:1;) alert tcp $HOME_NET any -> [89.38.135.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201265; rev:1;) alert tcp $HOME_NET any -> [168.119.173.77] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201266; rev:1;) alert tcp $HOME_NET any -> [5.75.246.163] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201267; rev:1;) alert tcp $HOME_NET any -> [195.201.34.151] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201268; rev:1;) alert tcp $HOME_NET any -> [116.202.182.32] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201269; rev:1;) alert tcp $HOME_NET any -> [5.75.208.206] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201270; rev:1;) alert tcp $HOME_NET any -> [195.201.249.33] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201271; rev:1;) alert tcp $HOME_NET any -> [5.75.188.83] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201272; rev:1;) alert tcp $HOME_NET any -> [5.75.209.4] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201273; rev:1;) alert tcp $HOME_NET any -> [23.88.45.254] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntq2zdezm2fjmjy2/"; depth:18; nocase; http.host; content:"discount44today.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201189/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ntq2zdezm2fjmjy2/"; depth:18; nocase; http.host; content:"mobile0team0stat.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201191/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"jnukikmna5125.live"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201192/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"aganimsharse671x.live"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201194/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"kijuolobtreshu31.pro"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201193/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"194.33.191.41"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1201195/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"abisdumore.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201196/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"abiciisswwee.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201197/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"babacimmnapiyosun.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201198/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"ekmeka232kmek.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201199/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; 
classtype:trojan-activity; sid:91201199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odrimzk3njg3zthk/"; depth:18; nocase; http.host; content:"94.156.65.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201200/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odrimzk3njg3zthk/"; depth:18; nocase; http.host; content:"scorpionxxxtention.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201201/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odrimzk3njg3zthk/"; depth:18; nocase; http.host; content:"scorpionxxxtention.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201202/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odrimzk3njg3zthk/"; depth:18; nocase; http.host; content:"scorpionxxxtention.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201203/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odrimzk3njg3zthk/"; depth:18; nocase; http.host; content:"scorpionxxxtentionss.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201204/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"gokilllahhhh.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201206/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"bobnoopopo.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201207/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvrebvqqpo.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201208/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvbvqqnetokpo.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201211/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggpervbvqqqqqqpo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201209/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvbvqqgrouppo.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201210/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvbvq.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201212/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"junggvbvq5656.top"; depth:17; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1201213/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"jungjunjunggvbvq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201214/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntq2zdezm2fjmjy2/"; depth:18; nocase; http.host; content:"easyforpro901002.pro"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201190/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201190; rev:1;) alert tcp $HOME_NET any -> [212.23.221.72] 7797 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201217; rev:1;) alert tcp $HOME_NET any -> [185.170.144.159] 6918 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201215; rev:1;) alert tcp $HOME_NET any -> [95.181.173.164] 9397 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1201218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201218; rev:1;) alert tcp $HOME_NET any -> [5.42.92.88] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201219; rev:1;) alert tcp $HOME_NET any -> [195.10.205.17] 24867 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201184; rev:1;) alert tcp $HOME_NET any -> [185.250.45.93] 8925 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201220; rev:1;) alert tcp $HOME_NET any -> [31.192.236.94] 6642 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201221; rev:1;) alert tcp $HOME_NET any -> [87.121.221.145] 9271 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201222; rev:1;) alert tcp $HOME_NET any -> 
[91.103.253.174] 1199 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201223; rev:1;) alert tcp $HOME_NET any -> [172.86.98.101] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201225; rev:1;) alert tcp $HOME_NET any -> [91.103.252.25] 1746 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201224; rev:1;) alert tcp $HOME_NET any -> [91.103.252.25] 1033 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201226; rev:1;) alert tcp $HOME_NET any -> [94.156.102.175] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201227; rev:1;) alert tcp $HOME_NET any -> [163.123.142.243] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201228/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201228; rev:1;) alert tcp $HOME_NET any -> [45.9.74.71] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201229; rev:1;) alert tcp $HOME_NET any -> [45.95.146.72] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201237/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_10; classtype:trojan-activity; sid:91201237; rev:1;) alert tcp $HOME_NET any -> [134.122.132.23] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_10; classtype:trojan-activity; sid:91201259; rev:1;) alert tcp $HOME_NET any -> [124.221.50.168] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201258/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201258; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 15960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201256; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 15960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201257; rev:1;) alert tcp $HOME_NET any -> [110.42.213.232] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201255/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201255; rev:1;) alert tcp $HOME_NET any -> [3.136.65.236] 19321 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201253; rev:1;) alert tcp $HOME_NET any -> [3.131.147.49] 19321 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201254; rev:1;) alert tcp $HOME_NET any -> [3.133.207.110] 19321 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201252/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201252; rev:1;) alert tcp $HOME_NET any -> [18.208.171.170] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201251/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201251; rev:1;) 
alert tcp $HOME_NET any -> [104.128.95.227] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201250/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201250; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 15960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201248/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201248; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 15960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201249; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 15960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201247; rev:1;) alert tcp $HOME_NET any -> [23.24.116.18] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201246/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; 
http.host; content:"118821cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; nocase; http.host; content:"150.109.103.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_10; classtype:trojan-activity; sid:91201244; rev:1;) alert tcp $HOME_NET any -> [89.230.242.182] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201243/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201243; rev:1;) alert tcp $HOME_NET any -> [20.25.104.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201242/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201242; rev:1;) alert tcp $HOME_NET any -> [185.123.100.212] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201241/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_10; classtype:trojan-activity; sid:91201241; rev:1;) alert tcp $HOME_NET any -> [119.81.84.106] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201240/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91201240; rev:1;) alert tcp $HOME_NET any -> [35.157.144.183] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201239/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91201239; rev:1;) alert tcp $HOME_NET any -> [43.198.248.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201238/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91201238; rev:1;) alert tcp $HOME_NET any -> [5.42.67.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"dev.theokanegroup.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fks/index.php"; depth:14; nocase; http.host; content:"5.42.92.190"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1201234/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91201234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.103.252.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201233; rev:1;) alert tcp $HOME_NET any -> [45.12.2.242] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201232/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91201232; rev:1;) alert tcp $HOME_NET any -> [52.90.237.81] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201231/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91201231; rev:1;) alert tcp $HOME_NET any -> [79.141.171.240] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201205/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91201205; rev:1;) alert tcp $HOME_NET any -> [5.42.92.51] 19057 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201188; 
rev:1;) alert tcp $HOME_NET any -> [186.227.195.81] 6692 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201187; rev:1;) alert tcp $HOME_NET any -> [46.161.40.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201186; rev:1;) alert tcp $HOME_NET any -> [162.62.117.155] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201185; rev:1;) alert tcp $HOME_NET any -> [105.108.15.91] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201183/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201183; rev:1;) alert tcp $HOME_NET any -> [102.159.123.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201182/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201182; rev:1;) alert tcp $HOME_NET any -> [45.243.214.108] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201181/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201181; rev:1;) alert tcp $HOME_NET any -> [41.62.219.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201180/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201180; rev:1;) alert tcp $HOME_NET any -> [197.2.130.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201179/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201179; rev:1;) alert tcp $HOME_NET any -> [154.246.187.75] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201178/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201178; rev:1;) alert tcp $HOME_NET any -> [86.144.119.95] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201177/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201177; rev:1;) alert tcp $HOME_NET any -> [149.109.244.197] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201176/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201176; rev:1;) alert tcp $HOME_NET any -> [37.97.228.227] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201175/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201175; rev:1;) alert tcp $HOME_NET any -> [34.204.9.79] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201174/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201174; rev:1;) alert tcp $HOME_NET any -> [51.158.107.162] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201173/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201173; rev:1;) alert tcp $HOME_NET any -> [51.254.53.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201172/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91201172; rev:1;) alert tcp $HOME_NET any -> [108.59.198.233] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201171/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91201171; rev:1;) alert tcp $HOME_NET any -> [121.5.147.57] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; 
sid:91201169; rev:1;) alert tcp $HOME_NET any -> [43.138.181.49] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201170; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201168; rev:1;) alert tcp $HOME_NET any -> [43.139.42.219] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201166; rev:1;) alert tcp $HOME_NET any -> [1.14.95.143] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201167; rev:1;) alert tcp $HOME_NET any -> [39.106.141.206] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201164; rev:1;) alert tcp $HOME_NET any -> [111.231.28.30] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201165; rev:1;) alert tcp $HOME_NET any -> [101.43.169.72] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201163; rev:1;) alert tcp $HOME_NET any -> [111.231.26.117] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201161; rev:1;) alert tcp $HOME_NET any -> [47.236.19.63] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201162; rev:1;) alert tcp $HOME_NET any -> [198.46.149.44] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201160; rev:1;) alert tcp $HOME_NET any -> [154.12.81.151] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201159; rev:1;) alert tcp $HOME_NET any -> [111.230.46.249] 60000 (msg:"ThreatFox Viper 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201157; rev:1;) alert tcp $HOME_NET any -> [107.172.78.195] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201158; rev:1;) alert tcp $HOME_NET any -> [162.14.81.81] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201156; rev:1;) alert tcp $HOME_NET any -> [20.48.42.49] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201155; rev:1;) alert tcp $HOME_NET any -> [119.91.65.104] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201153; rev:1;) alert tcp $HOME_NET any -> [8.210.65.48] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201154/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91201154; rev:1;) alert tcp $HOME_NET any -> [123.249.102.40] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201152; rev:1;) alert tcp $HOME_NET any -> [163.197.211.75] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201151; rev:1;) alert tcp $HOME_NET any -> [120.53.84.242] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201150; rev:1;) alert tcp $HOME_NET any -> [111.229.134.243] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201149; rev:1;) alert tcp $HOME_NET any -> [154.91.85.240] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201148; rev:1;) alert tcp $HOME_NET any -> [114.132.74.172] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201147; rev:1;) alert tcp $HOME_NET any -> [124.220.49.74] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201146; rev:1;) alert tcp $HOME_NET any -> [121.37.206.95] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201145; rev:1;) alert tcp $HOME_NET any -> [101.34.222.38] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201144; rev:1;) alert tcp $HOME_NET any -> [149.28.220.194] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201143; rev:1;) alert tcp $HOME_NET any -> [125.124.189.8] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201142; rev:1;) alert tcp $HOME_NET any -> 
[180.140.153.89] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201141; rev:1;) alert tcp $HOME_NET any -> [150.158.36.50] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201140; rev:1;) alert tcp $HOME_NET any -> [106.13.13.1] 60001 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201138; rev:1;) alert tcp $HOME_NET any -> [124.70.158.176] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201139; rev:1;) alert tcp $HOME_NET any -> [106.13.13.1] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201137; rev:1;) alert tcp $HOME_NET any -> [124.222.63.238] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201135/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201135; rev:1;) alert tcp $HOME_NET any -> [124.221.23.101] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201136; rev:1;) alert tcp $HOME_NET any -> [45.205.3.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201133; rev:1;) alert tcp $HOME_NET any -> [134.122.169.3] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201134; rev:1;) alert tcp $HOME_NET any -> [101.43.25.21] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201132; rev:1;) alert tcp $HOME_NET any -> [101.34.41.126] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201130; rev:1;) alert tcp $HOME_NET any -> [45.82.79.48] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201131; rev:1;) alert tcp $HOME_NET any -> [1.94.50.200] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201129; rev:1;) alert tcp $HOME_NET any -> [47.115.201.35] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201127; rev:1;) alert tcp $HOME_NET any -> [39.105.5.221] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201128; rev:1;) alert tcp $HOME_NET any -> [23.105.212.241] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201125; rev:1;) alert tcp $HOME_NET any -> [47.97.6.61] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201126; 
rev:1;) alert tcp $HOME_NET any -> [124.221.115.51] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201124; rev:1;) alert tcp $HOME_NET any -> [43.135.1.12] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201122; rev:1;) alert tcp $HOME_NET any -> [115.126.59.119] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201123; rev:1;) alert tcp $HOME_NET any -> [106.52.97.36] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201121; rev:1;) alert tcp $HOME_NET any -> [139.9.200.244] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201119; rev:1;) alert tcp $HOME_NET any -> [43.139.167.77] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201120; rev:1;) alert tcp $HOME_NET any -> [172.190.93.64] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201118; rev:1;) alert tcp $HOME_NET any -> [124.221.12.53] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201116; rev:1;) alert tcp $HOME_NET any -> [60.204.247.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201117; rev:1;) alert tcp $HOME_NET any -> [1.117.60.33] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201115; rev:1;) alert tcp $HOME_NET any -> [124.222.14.232] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201113; rev:1;) alert tcp $HOME_NET any -> [106.14.141.187] 60000 (msg:"ThreatFox Viper 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201114; rev:1;) alert tcp $HOME_NET any -> [107.148.47.5] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201112; rev:1;) alert tcp $HOME_NET any -> [141.11.95.43] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201110; rev:1;) alert tcp $HOME_NET any -> [194.113.226.58] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201111; rev:1;) alert tcp $HOME_NET any -> [124.220.161.214] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201109; rev:1;) alert tcp $HOME_NET any -> [124.119.23.169] 65431 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201107/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91201107; rev:1;) alert tcp $HOME_NET any -> [43.143.87.41] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201108; rev:1;) alert tcp $HOME_NET any -> [108.165.211.153] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201106; rev:1;) alert tcp $HOME_NET any -> [61.75.17.84] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201104; rev:1;) alert tcp $HOME_NET any -> [139.224.62.94] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201105; rev:1;) alert tcp $HOME_NET any -> [198.98.62.146] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201103; rev:1;) alert tcp $HOME_NET any -> [43.138.143.146] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201101; rev:1;) alert tcp $HOME_NET any -> [180.102.25.46] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201102; rev:1;) alert tcp $HOME_NET any -> [103.37.234.38] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201100; rev:1;) alert tcp $HOME_NET any -> [121.4.83.152] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201098; rev:1;) alert tcp $HOME_NET any -> [119.91.227.123] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201099; rev:1;) alert tcp $HOME_NET any -> [107.174.69.212] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201097; rev:1;) alert tcp $HOME_NET any -> 
[124.220.58.73] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201095; rev:1;) alert tcp $HOME_NET any -> [62.210.125.101] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201096; rev:1;) alert tcp $HOME_NET any -> [38.6.173.33] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201094; rev:1;) alert tcp $HOME_NET any -> [116.198.52.236] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201092; rev:1;) alert tcp $HOME_NET any -> [47.113.218.234] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201093; rev:1;) alert tcp $HOME_NET any -> [49.113.78.40] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201091/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201091; rev:1;) alert tcp $HOME_NET any -> [101.35.197.155] 50010 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201089; rev:1;) alert tcp $HOME_NET any -> [47.118.33.14] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201090; rev:1;) alert tcp $HOME_NET any -> [49.113.77.13] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201088; rev:1;) alert tcp $HOME_NET any -> [117.50.46.103] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201086; rev:1;) alert tcp $HOME_NET any -> [43.138.235.42] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201087; rev:1;) alert tcp $HOME_NET any -> [1.15.134.123] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201085; rev:1;) alert tcp $HOME_NET any -> [117.78.2.200] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201083; rev:1;) alert tcp $HOME_NET any -> [23.105.204.184] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201084; rev:1;) alert tcp $HOME_NET any -> [124.223.64.202] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201082; rev:1;) alert tcp $HOME_NET any -> [72.44.76.52] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201080; rev:1;) alert tcp $HOME_NET any -> [8.130.128.17] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201081; 
rev:1;) alert tcp $HOME_NET any -> [118.24.124.26] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201079; rev:1;) alert tcp $HOME_NET any -> [82.156.10.245] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201077; rev:1;) alert tcp $HOME_NET any -> [43.139.9.72] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201078; rev:1;) alert tcp $HOME_NET any -> [121.43.96.206] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201076; rev:1;) alert tcp $HOME_NET any -> [159.75.138.102] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201074; rev:1;) alert tcp $HOME_NET any -> [172.245.205.21] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1201075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201075; rev:1;) alert tcp $HOME_NET any -> [182.92.130.250] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201073; rev:1;) alert tcp $HOME_NET any -> [82.156.188.211] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201071; rev:1;) alert tcp $HOME_NET any -> [101.43.51.99] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201072; rev:1;) alert tcp $HOME_NET any -> [124.223.110.215] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201070; rev:1;) alert tcp $HOME_NET any -> [211.159.166.52] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201068; rev:1;) alert tcp $HOME_NET any -> [209.141.62.122] 60000 (msg:"ThreatFox 
Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201069; rev:1;) alert tcp $HOME_NET any -> [121.41.93.246] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201066; rev:1;) alert tcp $HOME_NET any -> [119.91.219.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201067; rev:1;) alert tcp $HOME_NET any -> [173.249.197.51] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201065; rev:1;) alert tcp $HOME_NET any -> [192.3.39.32] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201063; rev:1;) alert tcp $HOME_NET any -> [156.245.136.161] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201064/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_09; classtype:trojan-activity; sid:91201064; rev:1;) alert tcp $HOME_NET any -> [45.134.83.58] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201062; rev:1;) alert tcp $HOME_NET any -> [114.115.156.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201060; rev:1;) alert tcp $HOME_NET any -> [1.15.56.125] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201061; rev:1;) alert tcp $HOME_NET any -> [116.196.98.0] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201059; rev:1;) alert tcp $HOME_NET any -> [45.152.66.115] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201057; rev:1;) alert tcp $HOME_NET any -> [43.143.123.81] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201058; rev:1;) alert tcp $HOME_NET any -> [42.194.226.38] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201055; rev:1;) alert tcp $HOME_NET any -> [123.249.14.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201056; rev:1;) alert tcp $HOME_NET any -> [116.62.119.33] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201054; rev:1;) alert tcp $HOME_NET any -> [110.40.220.2] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201052; rev:1;) alert tcp $HOME_NET any -> [163.197.217.129] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201053; rev:1;) alert tcp $HOME_NET 
any -> [124.222.93.123] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201051; rev:1;) alert tcp $HOME_NET any -> [175.24.205.182] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201050; rev:1;) alert tcp $HOME_NET any -> [124.223.13.142] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201048; rev:1;) alert tcp $HOME_NET any -> [110.42.140.177] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201049; rev:1;) alert tcp $HOME_NET any -> [1.92.92.107] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201047; rev:1;) alert tcp $HOME_NET any -> [123.207.13.11] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201045/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201045; rev:1;) alert tcp $HOME_NET any -> [122.51.73.163] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201046; rev:1;) alert tcp $HOME_NET any -> [14.29.193.58] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201044; rev:1;) alert tcp $HOME_NET any -> [103.37.234.41] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201042; rev:1;) alert tcp $HOME_NET any -> [106.52.67.167] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201043; rev:1;) alert tcp $HOME_NET any -> [137.220.133.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201041; rev:1;) alert tcp $HOME_NET any -> [150.158.35.233] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201039; rev:1;) alert tcp $HOME_NET any -> [8.140.205.192] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201040; rev:1;) alert tcp $HOME_NET any -> [8.140.178.180] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201037; rev:1;) alert tcp $HOME_NET any -> [118.89.91.181] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201038; rev:1;) alert tcp $HOME_NET any -> [81.68.237.230] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201036; rev:1;) alert tcp $HOME_NET any -> [116.204.91.166] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91201034; rev:1;) alert tcp $HOME_NET any -> [64.176.3.15] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201035; rev:1;) alert tcp $HOME_NET any -> [120.46.223.146] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201033; rev:1;) alert tcp $HOME_NET any -> [129.211.30.174] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201031; rev:1;) alert tcp $HOME_NET any -> [124.223.34.106] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201032; rev:1;) alert tcp $HOME_NET any -> [47.243.248.83] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201030; rev:1;) alert tcp $HOME_NET any -> [101.42.164.92] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1201028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201028; rev:1;) alert tcp $HOME_NET any -> [1.14.194.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201029; rev:1;) alert tcp $HOME_NET any -> [43.136.171.160] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201026; rev:1;) alert tcp $HOME_NET any -> [43.138.51.97] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201027; rev:1;) alert tcp $HOME_NET any -> [43.143.95.143] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201025; rev:1;) alert tcp $HOME_NET any -> [103.185.249.119] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201023; rev:1;) alert tcp $HOME_NET any -> [124.222.215.77] 
60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201024; rev:1;) alert tcp $HOME_NET any -> [206.119.117.215] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201022; rev:1;) alert tcp $HOME_NET any -> [43.143.215.220] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201020; rev:1;) alert tcp $HOME_NET any -> [121.40.170.102] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201021; rev:1;) alert tcp $HOME_NET any -> [119.91.140.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201018; rev:1;) alert tcp $HOME_NET any -> [121.40.255.95] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201019/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201019; rev:1;) alert tcp $HOME_NET any -> [39.98.180.254] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201016; rev:1;) alert tcp $HOME_NET any -> [156.247.9.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.247.9.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1201013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201013; rev:1;) alert tcp $HOME_NET any -> [120.79.11.13] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201014; rev:1;) alert tcp $HOME_NET any -> [123.249.37.103] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201015; rev:1;) alert tcp $HOME_NET any -> 
[123.57.77.11] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201012; rev:1;) alert tcp $HOME_NET any -> [206.233.135.134] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201010; rev:1;) alert tcp $HOME_NET any -> [43.163.196.51] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201011; rev:1;) alert tcp $HOME_NET any -> [117.50.174.75] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201008; rev:1;) alert tcp $HOME_NET any -> [182.92.153.175] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201009; rev:1;) alert tcp $HOME_NET any -> [159.75.70.33] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201007/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201007; rev:1;) alert tcp $HOME_NET any -> [1.14.71.236] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201005; rev:1;) alert tcp $HOME_NET any -> [175.24.33.207] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201006; rev:1;) alert tcp $HOME_NET any -> [121.4.93.148] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201004; rev:1;) alert tcp $HOME_NET any -> [62.234.45.201] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201002; rev:1;) alert tcp $HOME_NET any -> [43.143.138.7] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201003; rev:1;) alert tcp $HOME_NET any -> [101.43.75.159] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201001; rev:1;) alert tcp $HOME_NET any -> [120.46.202.173] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200999; rev:1;) alert tcp $HOME_NET any -> [139.9.75.217] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1201000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91201000; rev:1;) alert tcp $HOME_NET any -> [35.78.65.63] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200997; rev:1;) alert tcp $HOME_NET any -> [45.76.217.151] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200998; rev:1;) alert tcp $HOME_NET any -> [103.143.28.36] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200996; 
rev:1;) alert tcp $HOME_NET any -> [154.90.57.191] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200994; rev:1;) alert tcp $HOME_NET any -> [139.224.200.60] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200995; rev:1;) alert tcp $HOME_NET any -> [120.48.111.149] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200993; rev:1;) alert tcp $HOME_NET any -> [101.42.246.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200991; rev:1;) alert tcp $HOME_NET any -> [43.138.39.212] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200992; rev:1;) alert tcp $HOME_NET any -> [163.197.246.68] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200989/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200989; rev:1;) alert tcp $HOME_NET any -> [107.151.244.97] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200990; rev:1;) alert tcp $HOME_NET any -> [172.245.154.219] 51555 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200988; rev:1;) alert tcp $HOME_NET any -> [106.13.206.236] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200986; rev:1;) alert tcp $HOME_NET any -> [45.136.15.43] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200987; rev:1;) alert tcp $HOME_NET any -> [103.233.9.199] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200985; rev:1;) alert tcp $HOME_NET any -> [169.239.128.187] 60000 (msg:"ThreatFox 
Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200983; rev:1;) alert tcp $HOME_NET any -> [172.245.126.188] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200984; rev:1;) alert tcp $HOME_NET any -> [60.204.219.208] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200982; rev:1;) alert tcp $HOME_NET any -> [82.156.166.227] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200980; rev:1;) alert tcp $HOME_NET any -> [117.50.187.242] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200981; rev:1;) alert tcp $HOME_NET any -> [194.163.188.30] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200979/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_09; classtype:trojan-activity; sid:91200979; rev:1;) alert tcp $HOME_NET any -> [23.224.182.203] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200977; rev:1;) alert tcp $HOME_NET any -> [47.115.200.199] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200978; rev:1;) alert tcp $HOME_NET any -> [42.194.192.253] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200976; rev:1;) alert tcp $HOME_NET any -> [39.98.62.58] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200974; rev:1;) alert tcp $HOME_NET any -> [43.159.49.100] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200975; rev:1;) alert tcp $HOME_NET any -> [107.173.154.18] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200973; rev:1;) alert tcp $HOME_NET any -> [103.37.234.40] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200972; rev:1;) alert tcp $HOME_NET any -> [139.224.11.79] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200970; rev:1;) alert tcp $HOME_NET any -> [47.113.224.170] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200971/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200971; rev:1;) alert tcp $HOME_NET any -> [82.156.29.83] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200969; rev:1;) alert tcp $HOME_NET any -> [101.43.15.210] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200967; rev:1;) alert tcp 
$HOME_NET any -> [74.120.172.129] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200968; rev:1;) alert tcp $HOME_NET any -> [212.129.223.209] 58000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200966; rev:1;) alert tcp $HOME_NET any -> [119.91.216.218] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200964; rev:1;) alert tcp $HOME_NET any -> [150.158.138.113] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200965; rev:1;) alert tcp $HOME_NET any -> [154.214.126.12] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200963; rev:1;) alert tcp $HOME_NET any -> [178.211.139.43] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200961; rev:1;) alert tcp $HOME_NET any -> [47.101.190.20] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200962; rev:1;) alert tcp $HOME_NET any -> [60.251.145.96] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200960; rev:1;) alert tcp $HOME_NET any -> [101.43.38.242] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200958; rev:1;) alert tcp $HOME_NET any -> [121.4.12.202] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200959; rev:1;) alert tcp $HOME_NET any -> [122.9.160.41] 8999 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200957; rev:1;) alert tcp $HOME_NET any -> [175.197.65.52] 60000 (msg:"ThreatFox Viper RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200956; rev:1;) alert tcp $HOME_NET any -> [103.37.234.39] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200955; rev:1;) alert tcp $HOME_NET any -> [42.194.190.162] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200954; rev:1;) alert tcp $HOME_NET any -> [134.175.82.197] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200952; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200953; rev:1;) alert tcp $HOME_NET any -> [152.136.35.240] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200951/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200951; rev:1;) alert tcp $HOME_NET any -> [150.158.41.176] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200949; rev:1;) alert tcp $HOME_NET any -> [103.146.50.130] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200950; rev:1;) alert tcp $HOME_NET any -> [13.54.184.24] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200948; rev:1;) alert tcp $HOME_NET any -> [118.195.198.108] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200946; rev:1;) alert tcp $HOME_NET any -> [114.115.150.178] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200947; rev:1;) alert tcp $HOME_NET any -> [117.50.183.136] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200945; rev:1;) alert tcp $HOME_NET any -> [142.171.116.115] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200943; rev:1;) alert tcp $HOME_NET any -> [42.194.134.61] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200944; rev:1;) alert tcp $HOME_NET any -> [1.15.180.75] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200942; rev:1;) alert tcp $HOME_NET any -> [39.108.154.219] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200940; rev:1;) alert tcp $HOME_NET any -> [154.8.205.42] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200941; rev:1;) alert tcp $HOME_NET 
any -> [38.54.40.156] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200938; rev:1;) alert tcp $HOME_NET any -> [107.174.186.22] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200939; rev:1;) alert tcp $HOME_NET any -> [23.95.216.185] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200937; rev:1;) alert tcp $HOME_NET any -> [101.201.69.129] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200935; rev:1;) alert tcp $HOME_NET any -> [101.43.90.184] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200936; rev:1;) alert tcp $HOME_NET any -> [101.42.27.149] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200934/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200934; rev:1;) alert tcp $HOME_NET any -> [175.178.158.230] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200932; rev:1;) alert tcp $HOME_NET any -> [110.41.130.64] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200933; rev:1;) alert tcp $HOME_NET any -> [45.152.66.136] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200931; rev:1;) alert tcp $HOME_NET any -> [1.14.65.206] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200929; rev:1;) alert tcp $HOME_NET any -> [114.116.231.82] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200930; rev:1;) alert tcp $HOME_NET any -> [124.223.64.107] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200928; rev:1;) alert tcp $HOME_NET any -> [116.198.18.134] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200926; rev:1;) alert tcp $HOME_NET any -> [8.217.122.103] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200927; rev:1;) alert tcp $HOME_NET any -> [124.223.14.29] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200925; rev:1;) alert tcp $HOME_NET any -> [1.15.184.125] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200923; rev:1;) alert tcp $HOME_NET any -> [64.176.45.237] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200924; rev:1;) alert tcp $HOME_NET any -> [81.68.96.108] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200922; rev:1;) alert tcp $HOME_NET any -> [121.89.195.38] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200920; rev:1;) alert tcp $HOME_NET any -> [123.249.41.106] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200921; rev:1;) alert tcp $HOME_NET any -> [43.132.237.202] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200918; rev:1;) alert tcp $HOME_NET any -> [47.99.151.161] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200919; rev:1;) alert tcp $HOME_NET any -> [117.85.8.36] 8008 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1200917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200917; rev:1;) alert tcp $HOME_NET any -> [101.43.129.115] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200915; rev:1;) alert tcp $HOME_NET any -> [124.221.153.250] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200916; rev:1;) alert tcp $HOME_NET any -> [101.34.52.52] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200914; rev:1;) alert tcp $HOME_NET any -> [38.147.172.103] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200912; rev:1;) alert tcp $HOME_NET any -> [49.235.123.49] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200913; rev:1;) alert tcp $HOME_NET any -> 
[123.60.186.136] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200911; rev:1;) alert tcp $HOME_NET any -> [139.155.94.177] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200909; rev:1;) alert tcp $HOME_NET any -> [124.223.62.233] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200910; rev:1;) alert tcp $HOME_NET any -> [124.70.18.96] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200908; rev:1;) alert tcp $HOME_NET any -> [23.105.218.197] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200906; rev:1;) alert tcp $HOME_NET any -> [45.42.215.230] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200907/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200907; rev:1;) alert tcp $HOME_NET any -> [45.42.215.229] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200905; rev:1;) alert tcp $HOME_NET any -> [139.196.124.59] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200903; rev:1;) alert tcp $HOME_NET any -> [43.138.195.98] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200904; rev:1;) alert tcp $HOME_NET any -> [49.233.117.156] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200902; rev:1;) alert tcp $HOME_NET any -> [8.130.166.74] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200900; rev:1;) alert tcp $HOME_NET any -> [106.53.97.219] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200901; rev:1;) alert tcp $HOME_NET any -> [81.71.162.183] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200899; rev:1;) alert tcp $HOME_NET any -> [107.172.96.29] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200897; rev:1;) alert tcp $HOME_NET any -> [49.232.248.80] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200898; rev:1;) alert tcp $HOME_NET any -> [43.143.62.167] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200896; rev:1;) alert tcp $HOME_NET any -> [23.224.182.206] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200894; rev:1;) alert tcp $HOME_NET any -> [122.152.237.101] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200895; rev:1;) alert tcp $HOME_NET any -> [43.138.46.20] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200892; rev:1;) alert tcp $HOME_NET any -> [182.42.93.29] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200893; rev:1;) alert tcp $HOME_NET any -> [137.175.78.5] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200891; rev:1;) alert tcp $HOME_NET any -> [124.220.74.14] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200889; rev:1;) alert tcp $HOME_NET any -> [120.55.60.15] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1200890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200890; rev:1;) alert tcp $HOME_NET any -> [106.55.55.203] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200888; rev:1;) alert tcp $HOME_NET any -> [182.61.37.161] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200886; rev:1;) alert tcp $HOME_NET any -> [124.71.1.66] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200887/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200887; rev:1;) alert tcp $HOME_NET any -> [216.24.246.30] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200885; rev:1;) alert tcp $HOME_NET any -> [188.116.22.196] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200883; rev:1;) alert tcp $HOME_NET any -> [117.89.254.54] 
60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200884; rev:1;) alert tcp $HOME_NET any -> [162.14.116.65] 61010 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200882; rev:1;) alert tcp $HOME_NET any -> [110.40.154.100] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200880; rev:1;) alert tcp $HOME_NET any -> [89.116.100.79] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200881; rev:1;) alert tcp $HOME_NET any -> [154.12.81.213] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200879; rev:1;) alert tcp $HOME_NET any -> [8.130.109.15] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200877/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200877; rev:1;) alert tcp $HOME_NET any -> [43.138.212.90] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200878; rev:1;) alert tcp $HOME_NET any -> [114.116.29.168] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200876; rev:1;) alert tcp $HOME_NET any -> [81.70.101.91] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200874; rev:1;) alert tcp $HOME_NET any -> [1.13.171.183] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200875; rev:1;) alert tcp $HOME_NET any -> [43.138.30.109] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200872; rev:1;) alert tcp $HOME_NET any -> [101.43.72.227] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200873; rev:1;) alert tcp $HOME_NET any -> [47.93.33.71] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200871; rev:1;) alert tcp $HOME_NET any -> [148.135.103.126] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200869; rev:1;) alert tcp $HOME_NET any -> [101.43.211.190] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200870; rev:1;) alert tcp $HOME_NET any -> [149.88.80.151] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200868; rev:1;) alert tcp $HOME_NET any -> [101.200.171.5] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200866; 
rev:1;) alert tcp $HOME_NET any -> [120.78.89.246] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200867; rev:1;) alert tcp $HOME_NET any -> [62.234.11.31] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200865; rev:1;) alert tcp $HOME_NET any -> [47.115.218.124] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200864; rev:1;) alert tcp $HOME_NET any -> [165.154.161.150] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200862; rev:1;) alert tcp $HOME_NET any -> [47.101.219.152] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200863; rev:1;) alert tcp $HOME_NET any -> [110.40.177.201] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200861; rev:1;) alert tcp $HOME_NET any -> [8.130.66.61] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200859; rev:1;) alert tcp $HOME_NET any -> [198.44.184.150] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200860; rev:1;) alert tcp $HOME_NET any -> [43.136.235.58] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200858; rev:1;) alert tcp $HOME_NET any -> [150.158.25.152] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200856/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200856; rev:1;) alert tcp $HOME_NET any -> [66.135.11.244] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200857/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200857; rev:1;) alert tcp $HOME_NET any -> [152.136.174.227] 60000 (msg:"ThreatFox Viper 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200855/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200855; rev:1;) alert tcp $HOME_NET any -> [42.192.211.60] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200853; rev:1;) alert tcp $HOME_NET any -> [124.71.26.183] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200854; rev:1;) alert tcp $HOME_NET any -> [47.116.79.214] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200852; rev:1;) alert tcp $HOME_NET any -> [103.231.14.158] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200850; rev:1;) alert tcp $HOME_NET any -> [47.108.106.199] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200851/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200851; rev:1;) alert tcp $HOME_NET any -> [154.8.197.200] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200849/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200849; rev:1;) alert tcp $HOME_NET any -> [159.75.91.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200847; rev:1;) alert tcp $HOME_NET any -> [47.74.37.212] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200848; rev:1;) alert tcp $HOME_NET any -> [47.99.62.237] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200845; rev:1;) alert tcp $HOME_NET any -> [154.9.231.194] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200846; rev:1;) alert tcp $HOME_NET any -> [124.221.133.56] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200844; rev:1;) alert tcp $HOME_NET any -> [47.115.228.148] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200842; rev:1;) alert tcp $HOME_NET any -> [110.42.192.76] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200843; rev:1;) alert tcp $HOME_NET any -> [43.138.179.199] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200841; rev:1;) alert tcp $HOME_NET any -> [8.216.65.10] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200839; rev:1;) alert tcp $HOME_NET any -> [47.109.24.4] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200840; rev:1;) alert tcp $HOME_NET any -> 
[101.34.207.161] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200838; rev:1;) alert tcp $HOME_NET any -> [103.116.245.130] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200836; rev:1;) alert tcp $HOME_NET any -> [119.23.78.17] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200837; rev:1;) alert tcp $HOME_NET any -> [139.159.203.44] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200835; rev:1;) alert tcp $HOME_NET any -> [36.137.213.118] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200833; rev:1;) alert tcp $HOME_NET any -> [222.112.82.141] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200834/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200834; rev:1;) alert tcp $HOME_NET any -> [47.115.225.234] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200831; rev:1;) alert tcp $HOME_NET any -> [198.98.51.221] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200832; rev:1;) alert tcp $HOME_NET any -> [124.223.187.73] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200830; rev:1;) alert tcp $HOME_NET any -> [23.224.182.202] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200828; rev:1;) alert tcp $HOME_NET any -> [103.207.166.77] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200829; rev:1;) alert tcp $HOME_NET any -> [43.138.182.38] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200827; rev:1;) alert tcp $HOME_NET any -> [1.12.75.100] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200825; rev:1;) alert tcp $HOME_NET any -> [82.156.8.240] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200826/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200826; rev:1;) alert tcp $HOME_NET any -> [198.23.196.215] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200824; rev:1;) alert tcp $HOME_NET any -> [129.159.33.86] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200822; rev:1;) alert tcp $HOME_NET any -> [101.33.243.179] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200823; rev:1;) alert tcp $HOME_NET any -> [47.105.34.43] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200821; rev:1;) alert tcp $HOME_NET any -> [124.71.171.238] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200819; rev:1;) alert tcp $HOME_NET any -> [117.50.187.73] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200820; rev:1;) alert tcp $HOME_NET any -> [114.115.129.145] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200818; rev:1;) alert tcp $HOME_NET any -> [45.207.39.212] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200816; rev:1;) alert tcp $HOME_NET any -> [23.224.182.204] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200817; rev:1;) alert tcp $HOME_NET any -> [8.130.127.102] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200815; rev:1;) alert tcp $HOME_NET any -> [206.119.172.87] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200813; rev:1;) alert tcp $HOME_NET any -> [101.35.48.211] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200814; rev:1;) alert tcp $HOME_NET any -> [210.37.80.217] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200811; rev:1;) alert tcp $HOME_NET any -> [47.100.229.207] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200812; rev:1;) alert tcp $HOME_NET any -> 
[163.197.247.252] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200810; rev:1;) alert tcp $HOME_NET any -> [1.117.175.65] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200808; rev:1;) alert tcp $HOME_NET any -> [8.137.19.128] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200809; rev:1;) alert tcp $HOME_NET any -> [132.226.173.162] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200807; rev:1;) alert tcp $HOME_NET any -> [149.28.129.16] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200805; rev:1;) alert tcp $HOME_NET any -> [175.24.175.89] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200806/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200806; rev:1;) alert tcp $HOME_NET any -> [23.224.182.205] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200804; rev:1;) alert tcp $HOME_NET any -> [110.41.142.241] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200802; rev:1;) alert tcp $HOME_NET any -> [115.126.98.74] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200803; rev:1;) alert tcp $HOME_NET any -> [39.107.93.206] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200801; rev:1;) alert tcp $HOME_NET any -> [81.70.5.157] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200799; rev:1;) alert tcp $HOME_NET any -> [20.205.107.249] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200800; rev:1;) alert tcp $HOME_NET any -> [111.229.184.32] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200798; rev:1;) alert tcp $HOME_NET any -> [45.82.78.76] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200796; rev:1;) alert tcp $HOME_NET any -> [101.35.42.14] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200797; rev:1;) alert tcp $HOME_NET any -> [101.37.24.170] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200795; rev:1;) alert tcp $HOME_NET any -> [47.92.84.59] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; 
sid:91200793; rev:1;) alert tcp $HOME_NET any -> [111.229.10.212] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200794; rev:1;) alert tcp $HOME_NET any -> [120.55.191.186] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200792; rev:1;) alert tcp $HOME_NET any -> [165.154.57.87] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200790; rev:1;) alert tcp $HOME_NET any -> [23.105.214.104] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200791; rev:1;) alert tcp $HOME_NET any -> [152.136.143.158] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200789; rev:1;) alert tcp $HOME_NET any -> [203.160.52.164] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1200787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200787; rev:1;) alert tcp $HOME_NET any -> [121.4.87.127] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200788; rev:1;) alert tcp $HOME_NET any -> [103.37.234.42] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200786; rev:1;) alert tcp $HOME_NET any -> [123.60.67.177] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200784; rev:1;) alert tcp $HOME_NET any -> [123.60.48.76] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200785; rev:1;) alert tcp $HOME_NET any -> [175.178.112.8] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200783; rev:1;) alert tcp $HOME_NET any -> [45.81.34.65] 60000 
(msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200781; rev:1;) alert tcp $HOME_NET any -> [103.143.28.37] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200782; rev:1;) alert tcp $HOME_NET any -> [42.192.90.239] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200780; rev:1;) alert tcp $HOME_NET any -> [101.43.8.103] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200778; rev:1;) alert tcp $HOME_NET any -> [103.207.166.64] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200779; rev:1;) alert tcp $HOME_NET any -> [120.46.35.190] 9500 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200777/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200777; rev:1;) alert tcp $HOME_NET any -> [1.14.12.127] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200775; rev:1;) alert tcp $HOME_NET any -> [121.37.225.44] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200776; rev:1;) alert tcp $HOME_NET any -> [149.104.18.121] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200774; rev:1;) alert tcp $HOME_NET any -> [124.222.173.45] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200773; rev:1;) alert tcp $HOME_NET any -> [117.89.254.57] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200771; rev:1;) alert tcp $HOME_NET any -> [120.201.231.90] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200772; rev:1;) alert tcp $HOME_NET any -> [107.172.143.55] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200770; rev:1;) alert tcp $HOME_NET any -> [101.42.39.110] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200769; rev:1;) alert tcp $HOME_NET any -> [14.116.159.128] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200767; rev:1;) alert tcp $HOME_NET any -> [81.69.222.99] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200768; rev:1;) alert tcp $HOME_NET any -> [141.164.60.2] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200765; rev:1;) 
alert tcp $HOME_NET any -> [116.212.120.16] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200766; rev:1;) alert tcp $HOME_NET any -> [150.158.40.14] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200764; rev:1;) alert tcp $HOME_NET any -> [81.70.29.125] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200762; rev:1;) alert tcp $HOME_NET any -> [118.31.78.67] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200763; rev:1;) alert tcp $HOME_NET any -> [101.42.141.237] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200761; rev:1;) alert tcp $HOME_NET any -> [82.156.153.115] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200759; rev:1;) alert tcp $HOME_NET any -> [142.171.165.110] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200760; rev:1;) alert tcp $HOME_NET any -> [62.234.60.192] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200758; rev:1;) alert tcp $HOME_NET any -> [103.143.28.35] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200756; rev:1;) alert tcp $HOME_NET any -> [43.139.168.217] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200757; rev:1;) alert tcp $HOME_NET any -> [1.116.129.79] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200755; rev:1;) alert tcp $HOME_NET any -> [172.96.195.47] 60000 (msg:"ThreatFox Viper 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200753; rev:1;) alert tcp $HOME_NET any -> [47.96.252.193] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200754; rev:1;) alert tcp $HOME_NET any -> [154.221.17.44] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200752; rev:1;) alert tcp $HOME_NET any -> [119.91.210.96] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200750; rev:1;) alert tcp $HOME_NET any -> [43.138.107.242] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200751; rev:1;) alert tcp $HOME_NET any -> [39.105.121.115] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200749/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200749; rev:1;) alert tcp $HOME_NET any -> [124.221.85.42] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200747; rev:1;) alert tcp $HOME_NET any -> [124.222.208.63] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200748; rev:1;) alert tcp $HOME_NET any -> [1.13.23.114] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200746; rev:1;) alert tcp $HOME_NET any -> [49.73.42.88] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200744; rev:1;) alert tcp $HOME_NET any -> [124.222.244.97] 60443 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200745; rev:1;) alert tcp $HOME_NET any -> [173.249.201.243] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200742; rev:1;) alert tcp $HOME_NET any -> [101.33.210.14] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200743; rev:1;) alert tcp $HOME_NET any -> [43.134.77.110] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200741; rev:1;) alert tcp $HOME_NET any -> [123.60.74.61] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200739; rev:1;) alert tcp $HOME_NET any -> [39.104.20.54] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200740; rev:1;) alert tcp $HOME_NET any -> [111.230.19.96] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200738; rev:1;) alert tcp $HOME_NET any -> 
[103.133.177.130] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200736; rev:1;) alert tcp $HOME_NET any -> [101.35.198.64] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200737; rev:1;) alert tcp $HOME_NET any -> [47.93.172.190] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200735; rev:1;) alert tcp $HOME_NET any -> [43.136.166.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200733; rev:1;) alert tcp $HOME_NET any -> [47.108.254.239] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200734; rev:1;) alert tcp $HOME_NET any -> [120.79.67.194] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200732/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200732; rev:1;) alert tcp $HOME_NET any -> [123.60.72.189] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200730; rev:1;) alert tcp $HOME_NET any -> [204.44.87.225] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200731; rev:1;) alert tcp $HOME_NET any -> [158.247.216.122] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200729; rev:1;) alert tcp $HOME_NET any -> [122.51.97.82] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200727; rev:1;) alert tcp $HOME_NET any -> [112.74.76.111] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200728; rev:1;) alert tcp $HOME_NET any -> [103.207.166.75] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200726; rev:1;) alert tcp $HOME_NET any -> [123.207.203.249] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200724; rev:1;) alert tcp $HOME_NET any -> [47.109.83.50] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200725; rev:1;) alert tcp $HOME_NET any -> [150.158.181.243] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200722; rev:1;) alert tcp $HOME_NET any -> [112.74.43.190] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200723; rev:1;) alert tcp $HOME_NET any -> [139.198.188.232] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200721; rev:1;) alert tcp $HOME_NET any -> [154.9.253.55] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200720; rev:1;) alert tcp $HOME_NET any -> [107.172.90.70] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200719; rev:1;) alert tcp $HOME_NET any -> [121.5.64.8] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200717; rev:1;) alert tcp $HOME_NET any -> [89.116.246.177] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200718; rev:1;) alert tcp $HOME_NET any -> [114.132.222.201] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200716; rev:1;) alert tcp $HOME_NET any -> [8.130.24.188] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1200715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200715; rev:1;) alert tcp $HOME_NET any -> [139.155.90.81] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200714; rev:1;) alert tcp $HOME_NET any -> [43.138.159.166] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200713; rev:1;) alert tcp $HOME_NET any -> [162.14.209.70] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200712; rev:1;) alert tcp $HOME_NET any -> [101.35.55.223] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200711; rev:1;) alert tcp $HOME_NET any -> [82.157.247.79] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200710; rev:1;) alert tcp $HOME_NET any -> [47.120.35.131] 
60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200709; rev:1;) alert tcp $HOME_NET any -> [1.14.96.24] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200708; rev:1;) alert tcp $HOME_NET any -> [170.39.194.124] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200707/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200707; rev:1;) alert tcp $HOME_NET any -> [34.87.124.185] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200706; rev:1;) alert tcp $HOME_NET any -> [39.108.114.127] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200705; rev:1;) alert tcp $HOME_NET any -> [175.27.156.88] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200704/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200704; rev:1;) alert tcp $HOME_NET any -> [114.115.136.195] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200703; rev:1;) alert tcp $HOME_NET any -> [119.91.31.246] 65501 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200702; rev:1;) alert tcp $HOME_NET any -> [117.50.178.215] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200701; rev:1;) alert tcp $HOME_NET any -> [107.172.78.188] 2053 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200700; rev:1;) alert tcp $HOME_NET any -> [1.13.15.130] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200699; rev:1;) alert tcp $HOME_NET any -> [120.79.157.3] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200697; rev:1;) alert tcp $HOME_NET any -> [107.173.248.142] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200698; rev:1;) alert tcp $HOME_NET any -> [121.5.63.55] 52013 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200696; rev:1;) alert tcp $HOME_NET any -> [49.232.193.10] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200694; rev:1;) alert tcp $HOME_NET any -> [60.204.240.191] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200695; rev:1;) alert tcp $HOME_NET any -> [124.220.19.159] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200693; 
rev:1;) alert tcp $HOME_NET any -> [36.111.166.231] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200691; rev:1;) alert tcp $HOME_NET any -> [45.8.159.163] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200692; rev:1;) alert tcp $HOME_NET any -> [150.158.13.245] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200690; rev:1;) alert tcp $HOME_NET any -> [49.232.196.197] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200688; rev:1;) alert tcp $HOME_NET any -> [175.178.35.25] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200689; rev:1;) alert tcp $HOME_NET any -> [8.143.2.128] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200687; rev:1;) alert tcp $HOME_NET any -> [172.104.97.100] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200685; rev:1;) alert tcp $HOME_NET any -> [1.14.8.189] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200686; rev:1;) alert tcp $HOME_NET any -> [106.52.253.80] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200684; rev:1;) alert tcp $HOME_NET any -> [163.53.216.216] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200682; rev:1;) alert tcp $HOME_NET any -> [66.112.211.69] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200683; rev:1;) alert tcp $HOME_NET any -> [101.132.153.56] 60000 (msg:"ThreatFox Viper 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200680; rev:1;) alert tcp $HOME_NET any -> [101.33.231.180] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200681; rev:1;) alert tcp $HOME_NET any -> [118.89.125.163] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200679; rev:1;) alert tcp $HOME_NET any -> [150.158.162.113] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200677; rev:1;) alert tcp $HOME_NET any -> [42.193.52.56] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200678; rev:1;) alert tcp $HOME_NET any -> [139.84.135.87] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200676/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_09; classtype:trojan-activity; sid:91200676; rev:1;) alert tcp $HOME_NET any -> [150.158.31.222] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200674; rev:1;) alert tcp $HOME_NET any -> [43.139.227.213] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200675; rev:1;) alert tcp $HOME_NET any -> [43.139.225.42] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200673; rev:1;) alert tcp $HOME_NET any -> [139.144.79.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200671; rev:1;) alert tcp $HOME_NET any -> [47.94.20.209] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200672; rev:1;) alert tcp $HOME_NET any -> [162.14.107.239] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200670; rev:1;) alert tcp $HOME_NET any -> [116.211.120.25] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200668; rev:1;) alert tcp $HOME_NET any -> [82.157.67.48] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200669; rev:1;) alert tcp $HOME_NET any -> [175.178.226.60] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200667; rev:1;) alert tcp $HOME_NET any -> [43.143.230.92] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200665; rev:1;) alert tcp $HOME_NET any -> [112.124.6.100] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200666; rev:1;) alert tcp 
$HOME_NET any -> [81.70.204.117] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200664; rev:1;) alert tcp $HOME_NET any -> [146.190.32.151] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200662; rev:1;) alert tcp $HOME_NET any -> [154.82.92.47] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200663; rev:1;) alert tcp $HOME_NET any -> [39.99.154.30] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200661; rev:1;) alert tcp $HOME_NET any -> [124.223.17.79] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200659; rev:1;) alert tcp $HOME_NET any -> [124.71.84.65] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200660/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200660; rev:1;) alert tcp $HOME_NET any -> [124.71.155.49] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200658; rev:1;) alert tcp $HOME_NET any -> [116.63.163.221] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200657; rev:1;) alert tcp $HOME_NET any -> [47.94.151.18] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200656; rev:1;) alert tcp $HOME_NET any -> [43.143.107.163] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200654; rev:1;) alert tcp $HOME_NET any -> [198.148.120.72] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200655; rev:1;) alert tcp $HOME_NET any -> [106.52.235.23] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200653; rev:1;) alert tcp $HOME_NET any -> [148.135.109.215] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200651; rev:1;) alert tcp $HOME_NET any -> [101.200.233.32] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200652; rev:1;) alert tcp $HOME_NET any -> [101.34.19.31] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200650; rev:1;) alert tcp $HOME_NET any -> [148.135.68.145] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200648; rev:1;) alert tcp $HOME_NET any -> [47.102.111.71] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200649; rev:1;) alert tcp $HOME_NET any -> [190.92.242.131] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200647; rev:1;) alert tcp $HOME_NET any -> [116.204.72.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200645; rev:1;) alert tcp $HOME_NET any -> [182.92.234.147] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200646; rev:1;) alert tcp $HOME_NET any -> [1.117.49.216] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200644; rev:1;) alert tcp $HOME_NET any -> [43.139.190.82] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200642; rev:1;) alert tcp $HOME_NET any -> [43.139.241.58] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200643; rev:1;) alert tcp $HOME_NET any -> [162.14.83.232] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200641; rev:1;) alert tcp $HOME_NET any -> [119.91.26.244] 60001 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200639; rev:1;) alert tcp $HOME_NET any -> [101.132.180.62] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200640; rev:1;) alert tcp $HOME_NET any -> [47.254.195.44] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200638; rev:1;) alert tcp $HOME_NET any -> [1.15.181.217] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200636; rev:1;) alert tcp $HOME_NET any -> 
[124.221.66.51] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200637; rev:1;) alert tcp $HOME_NET any -> [101.34.26.70] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200635; rev:1;) alert tcp $HOME_NET any -> [141.164.56.189] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200634/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91200634; rev:1;) alert tcp $HOME_NET any -> [95.179.182.147] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200633/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91200633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sermon.pastorbriantubbs.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modification.grebcocontractors.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1200632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jordanmikejeforse.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200630; rev:1;) alert tcp $HOME_NET any -> [141.255.159.209] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200629; rev:1;) alert tcp $HOME_NET any -> [94.156.69.95] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.181.159.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200627; rev:1;) alert tcp $HOME_NET any -> [134.122.189.32] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200623/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200623; rev:1;) alert tcp $HOME_NET any -> [36.255.221.118] 58443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200624/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200624; rev:1;) alert tcp $HOME_NET any -> [104.194.129.178] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200625/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200625; rev:1;) alert tcp $HOME_NET any -> [104.194.129.178] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200626/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200626; rev:1;) alert tcp $HOME_NET any -> [158.247.241.217] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200618/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200618; rev:1;) alert tcp $HOME_NET any -> [158.247.202.188] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200619/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200619; rev:1;) alert tcp $HOME_NET any -> [156.236.114.202] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1200620/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200620; rev:1;) alert tcp $HOME_NET any -> [156.236.114.202] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200621/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200621; rev:1;) alert tcp $HOME_NET any -> [156.236.114.202] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200622/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200622; rev:1;) alert tcp $HOME_NET any -> [139.180.193.182] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200611/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200611; rev:1;) alert tcp $HOME_NET any -> [149.88.75.49] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200612/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200612; rev:1;) alert tcp $HOME_NET any -> [149.88.75.49] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200613/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200613; rev:1;) alert tcp $HOME_NET any -> [45.77.244.237] 443 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200614/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200614; rev:1;) alert tcp $HOME_NET any -> [95.85.91.50] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200615/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200615; rev:1;) alert tcp $HOME_NET any -> [95.85.91.50] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200616/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200616; rev:1;) alert tcp $HOME_NET any -> [95.85.91.50] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200617/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200617; rev:1;) alert tcp $HOME_NET any -> [134.122.189.25] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200606/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200606; rev:1;) alert tcp $HOME_NET any -> [134.122.189.25] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200607/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200607; rev:1;) alert tcp $HOME_NET any -> [16.163.146.134] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200608/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200608; rev:1;) alert tcp $HOME_NET any -> [139.180.193.182] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200609/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200609; rev:1;) alert tcp $HOME_NET any -> [139.180.193.182] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200610/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200610; rev:1;) alert tcp $HOME_NET any -> [144.202.27.95] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200597/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200597; rev:1;) alert tcp $HOME_NET any -> [148.66.50.42] 4443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200598/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200598; rev:1;) alert tcp $HOME_NET any -> [101.99.88.70] 4443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1200599/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200599; rev:1;) alert tcp $HOME_NET any -> [158.247.213.14] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200600/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200600; rev:1;) alert tcp $HOME_NET any -> [148.66.50.43] 4443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200601/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200601; rev:1;) alert tcp $HOME_NET any -> [88.218.192.21] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200602/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200602; rev:1;) alert tcp $HOME_NET any -> [47.242.188.74] 4443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200603/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200603; rev:1;) alert tcp $HOME_NET any -> [218.3.254.252] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200604/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200604; rev:1;) alert tcp $HOME_NET any -> [103.51.110.5] 80 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200605/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200605; rev:1;) alert tcp $HOME_NET any -> [154.7.64.169] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200594/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200594; rev:1;) alert tcp $HOME_NET any -> [167.179.108.149] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200595/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200595; rev:1;) alert tcp $HOME_NET any -> [45.76.189.91] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200596/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.91.124.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"77.91.124.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200592; rev:1;) alert tcp $HOME_NET any -> [77.91.124.229] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200590; rev:1;) alert tcp $HOME_NET any -> [77.91.124.233] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200591; rev:1;) alert tcp $HOME_NET any -> [192.248.148.31] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200589/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200589; rev:1;) alert tcp $HOME_NET any -> [116.62.164.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200588; rev:1;) alert tcp $HOME_NET any -> [198.98.48.31] 50421 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200587; rev:1;) alert tcp 
$HOME_NET any -> [69.197.142.158] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200586/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_09; classtype:trojan-activity; sid:91200586; rev:1;) alert tcp $HOME_NET any -> [195.123.233.165] 8443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200585/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91200585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jordanmikejeforse.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200584/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200584; rev:1;) alert tcp $HOME_NET any -> [65.20.84.254] 1378 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200583/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3b7d27a7af0da219.php"; depth:21; nocase; http.host; content:"128.140.84.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200582; rev:1;) alert tcp $HOME_NET any -> 
[211.53.230.67] 80 (msg:"ThreatFox STOP botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200525/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200525; rev:1;) alert tcp $HOME_NET any -> [189.232.58.103] 80 (msg:"ThreatFox STOP botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200526/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200526; rev:1;) alert tcp $HOME_NET any -> [190.187.52.42] 80 (msg:"ThreatFox STOP botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200527/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200527; rev:1;) alert tcp $HOME_NET any -> [171.22.28.216] 45922 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200569; rev:1;) alert tcp $HOME_NET any -> [172.67.163.21] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200560/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"turankil.pw"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200573; rev:1;) alert tcp $HOME_NET any -> [49.13.94.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200581/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200581; rev:1;) alert tcp $HOME_NET any -> [88.218.62.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200580; rev:1;) alert tcp $HOME_NET any -> [195.2.79.117] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host-195-2-79-117.hosted-by-vdsina.ru"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2144905.hosted-by-vdsina.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.videolan.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"videolan.pw"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host-88-218-62-219.hosted-by-vdsina.ru"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/launchers/skyplanet/launcher.exe"; depth:43; nocase; http.host; content:"82.115.223.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200572/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91200572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tc1n0/insup"; depth:12; nocase; http.host; content:"49.13.31.229"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1200570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wtouf67/gurra"; depth:14; nocase; http.host; content:"49.13.75.67"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estafetagoappd.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estafetagoappc.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200566/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.estafetagoappd.cyou"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estafetagoappa.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1200565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estafetagoappb.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.estafetagoappb.cyou"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.estafetagoappa.cyou"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.estafetagoappc.cyou"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200561; rev:1;) alert tcp $HOME_NET any -> [149.28.49.170] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200554; rev:1;) alert tcp $HOME_NET any -> [65.20.77.19] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200555; rev:1;) alert tcp $HOME_NET any -> [154.12.255.254] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200556; rev:1;) alert tcp $HOME_NET any -> [158.247.215.68] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200557; rev:1;) alert tcp $HOME_NET any -> [95.179.206.77] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200558; rev:1;) alert tcp $HOME_NET any -> [217.69.14.55] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200559; rev:1;) alert tcp $HOME_NET any -> [3.225.154.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1200553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200553; rev:1;) alert tcp $HOME_NET any -> [54.225.109.232] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200552; rev:1;) alert tcp $HOME_NET any -> [52.200.215.250] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200551; rev:1;) alert tcp $HOME_NET any -> [34.197.124.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200550; rev:1;) alert tcp $HOME_NET any -> [44.205.115.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200549; rev:1;) alert tcp $HOME_NET any -> [23.20.237.225] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200548; rev:1;) alert tcp $HOME_NET any -> 
[52.44.101.45] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200547; rev:1;) alert tcp $HOME_NET any -> [107.22.57.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200545; rev:1;) alert tcp $HOME_NET any -> [52.202.66.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200546; rev:1;) alert tcp $HOME_NET any -> [18.233.30.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200544; rev:1;) alert tcp $HOME_NET any -> [3.210.191.185] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200543; rev:1;) alert tcp $HOME_NET any -> [3.227.200.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-233-30-106.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-194-84-95.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-73-117-241.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-107-22-57-188.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-230-101-130.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1200536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-202-66-46.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-197-198-218.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-197-124-207.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-200-215-250.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"http-inputs-triad.splunkcloud.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1200532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-225-154-79.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-236-216-39.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-86-72-244.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200529; rev:1;) alert tcp $HOME_NET any -> [172.162.233.190] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200528; rev:1;) alert tcp $HOME_NET any -> [194.49.94.103] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200524/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200524; rev:1;) alert tcp $HOME_NET any -> [94.156.67.162] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200523/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199568528949"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.251.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secgoxrp"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200520; rev:1;) alert tcp $HOME_NET any -> [195.201.251.173] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200519; rev:1;) alert tcp $HOME_NET any -> [123.60.99.12] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200518; rev:1;) alert tcp $HOME_NET any -> [123.60.99.12] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200517; rev:1;) alert tcp $HOME_NET any -> [103.234.72.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200516; rev:1;) alert tcp $HOME_NET any -> [150.109.103.16] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200515; rev:1;) alert tcp $HOME_NET any -> [43.130.70.58] 8003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200514; rev:1;) alert tcp $HOME_NET any -> [43.130.70.58] 8001 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200513; rev:1;) alert tcp $HOME_NET any -> [185.196.8.245] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200512; rev:1;) alert tcp $HOME_NET any -> [114.55.147.35] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200511; rev:1;) alert tcp $HOME_NET any -> [103.108.107.231] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200510; rev:1;) alert tcp $HOME_NET any -> [120.78.206.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200509; rev:1;) alert tcp $HOME_NET any -> [129.211.211.145] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200508/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200508; rev:1;) alert tcp $HOME_NET any -> [155.94.235.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200507; rev:1;) alert tcp $HOME_NET any -> [95.214.25.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200506; rev:1;) alert tcp $HOME_NET any -> [95.214.25.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200505; rev:1;) alert tcp $HOME_NET any -> [124.221.30.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200504; rev:1;) alert tcp $HOME_NET any -> [43.143.241.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200503; rev:1;) alert tcp $HOME_NET any -> [43.143.241.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200502; rev:1;) alert tcp $HOME_NET any -> [18.185.157.235] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200501; rev:1;) alert tcp $HOME_NET any -> [52.204.111.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200500; rev:1;) alert tcp $HOME_NET any -> [103.52.154.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200499; rev:1;) alert tcp $HOME_NET any -> [104.193.69.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200498/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_09; classtype:trojan-activity; sid:91200498; rev:1;) alert tcp $HOME_NET any -> [64.176.47.148] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200497/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200497; rev:1;) alert tcp $HOME_NET any -> [193.84.248.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200496; rev:1;) alert tcp $HOME_NET any -> [213.142.151.240] 8181 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"jonathanbonnici.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"jonathanbonnici.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonathanbonnici.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200492/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxalp.direct.quickconnect.to"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200491; rev:1;) alert tcp $HOME_NET any -> [85.206.172.156] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200490; rev:1;) alert tcp $HOME_NET any -> [182.253.153.225] 10549 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200489; rev:1;) alert tcp $HOME_NET any -> [91.109.190.8] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200488; rev:1;) alert tcp $HOME_NET any -> [1.94.40.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200487/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u1sd"; depth:5; nocase; http.host; content:"vpn.handyfang.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200486/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91200486; rev:1;) alert tcp $HOME_NET any -> [174.75.163.190] 8554 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200485/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200485; rev:1;) alert tcp $HOME_NET any -> [3.73.132.208] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200484/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"150.109.103.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"estafetagoappc.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"estafetagoappd.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"92.63.196.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0872673.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.49.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200479/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"116.62.24.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.221.76.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"162.14.73.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.118.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200474; rev:1;) alert tcp $HOME_NET any -> [180.184.69.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200473/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"31.44.184.232"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"10.127.255.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.60.151.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200468/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.204.56.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"52.2.208.222"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"62.234.54.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200465; rev:1;) alert tcp $HOME_NET any -> [5.255.108.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funtermedia.com"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1200463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read/_admin/92umhkqr"; depth:21; nocase; http.host; content:"funtermedia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; nocase; http.host; content:"update.twittermisc.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.twittermisc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200461; rev:1;) alert tcp $HOME_NET any -> [163.44.43.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200459/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200459; rev:1;) alert tcp $HOME_NET any -> [185.221.67.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/start/proxy/nx9ppccu7uft"; depth:25; nocase; http.host; content:"zamtel.co.zm.global.prod.fastly.net"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zamtel.co.zm.global.prod.fastly.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-i90zbgul-1300518372.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-i90zbgul-1300518372.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200455; rev:1;) alert tcp 
$HOME_NET any -> [167.86.127.180] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.n0reply.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.139.61.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200451; rev:1;) alert tcp $HOME_NET any -> [57.180.177.13] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ncats.link"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200449; rev:1;) alert tcp $HOME_NET any -> [167.179.74.154] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.osslog.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200447; rev:1;) alert tcp $HOME_NET any -> [152.32.135.165] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.163microsoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.163microsoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200444; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 14456 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200443/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200443; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 14456 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200442; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 14456 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200441; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14456 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"163.181.39.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"114.132.56.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200438/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_09; classtype:trojan-activity; sid:91200438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"121.40.243.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"146.190.72.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200436; rev:1;) alert tcp $HOME_NET any -> [77.91.76.20] 33144 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200435; rev:1;) alert tcp $HOME_NET any -> [168.119.173.77] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.173.77"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1200433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200433; rev:1;) alert tcp $HOME_NET any -> [54.91.93.203] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200432/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200432; rev:1;) alert tcp $HOME_NET any -> [193.59.38.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200431; rev:1;) alert tcp $HOME_NET any -> [124.221.110.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200430/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200430; rev:1;) alert tcp $HOME_NET any -> [106.225.224.89] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200429/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200429; rev:1;) alert tcp $HOME_NET any -> [156.240.108.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200428/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200428; rev:1;) alert tcp $HOME_NET any -> [103.169.85.3] 443 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200427/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200427; rev:1;) alert tcp $HOME_NET any -> [102.156.219.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200426/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200426; rev:1;) alert tcp $HOME_NET any -> [151.30.39.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200425/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200425; rev:1;) alert tcp $HOME_NET any -> [74.12.145.206] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200424/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200424; rev:1;) alert tcp $HOME_NET any -> [20.119.98.226] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200423/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200423; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 3014 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200422/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; 
sid:91200422; rev:1;) alert tcp $HOME_NET any -> [104.238.34.130] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200421/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200421; rev:1;) alert tcp $HOME_NET any -> [104.238.34.130] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200420/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200420; rev:1;) alert tcp $HOME_NET any -> [76.223.68.71] 10012 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200419/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200419; rev:1;) alert tcp $HOME_NET any -> [51.254.53.14] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200418/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_09; classtype:trojan-activity; sid:91200418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoary/mlight/paid.php"; depth:22; nocase; http.host; content:"bagsrad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qoary/mlight/paid.php"; depth:22; nocase; http.host; content:"bagsrad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200416/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_09; classtype:trojan-activity; sid:91200416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"naamberso.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"mcguffinboots.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"mcguffinboots.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_index.php"; depth:36; nocase; http.host; 
content:"mcguffinboots.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200273; rev:1;) alert tcp $HOME_NET any -> [95.164.22.207] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200415/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200415; rev:1;) alert tcp $HOME_NET any -> [116.211.148.181] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200414; rev:1;) alert tcp $HOME_NET any -> [167.86.127.180] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200413; rev:1;) alert tcp $HOME_NET any -> [167.86.127.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200412; rev:1;) alert tcp $HOME_NET any -> [139.224.188.165] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; 
sid:91200410; rev:1;) alert tcp $HOME_NET any -> [8.130.79.38] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200411; rev:1;) alert tcp $HOME_NET any -> [154.3.0.166] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200409; rev:1;) alert tcp $HOME_NET any -> [39.107.241.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200408; rev:1;) alert tcp $HOME_NET any -> [217.12.202.85] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200407; rev:1;) alert tcp $HOME_NET any -> [121.37.214.255] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200406; rev:1;) alert tcp $HOME_NET any -> [39.100.84.221] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1200404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200404; rev:1;) alert tcp $HOME_NET any -> [121.37.214.255] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200405; rev:1;) alert tcp $HOME_NET any -> [39.100.84.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200403; rev:1;) alert tcp $HOME_NET any -> [154.8.204.80] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200402; rev:1;) alert tcp $HOME_NET any -> [124.221.183.95] 47788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200400; rev:1;) alert tcp $HOME_NET any -> [139.159.203.44] 8003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200401; rev:1;) alert tcp $HOME_NET any -> [47.98.20.26] 
8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200399; rev:1;) alert tcp $HOME_NET any -> [47.98.20.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200398; rev:1;) alert tcp $HOME_NET any -> [49.7.216.160] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200397; rev:1;) alert tcp $HOME_NET any -> [194.116.215.112] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200396; rev:1;) alert tcp $HOME_NET any -> [194.116.215.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200395; rev:1;) alert tcp $HOME_NET any -> [134.209.164.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200394/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200394; rev:1;) alert tcp $HOME_NET any -> [45.142.166.65] 1006 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200393; rev:1;) alert tcp $HOME_NET any -> [111.230.104.164] 2077 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200392; rev:1;) alert tcp $HOME_NET any -> [111.230.104.164] 2023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200391; rev:1;) alert tcp $HOME_NET any -> [124.71.5.199] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200389; rev:1;) alert tcp $HOME_NET any -> [113.141.87.112] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200390; rev:1;) alert tcp $HOME_NET any -> [2.58.242.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200388; rev:1;) alert tcp $HOME_NET any -> [139.159.191.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200387; rev:1;) alert tcp $HOME_NET any -> [178.250.189.145] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200385; rev:1;) alert tcp $HOME_NET any -> [116.205.227.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200386; rev:1;) alert tcp $HOME_NET any -> [109.107.189.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200384; rev:1;) alert tcp $HOME_NET any -> [109.107.189.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200383/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_09; classtype:trojan-activity; sid:91200383; rev:1;) alert tcp $HOME_NET any -> [8.134.142.129] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200382; rev:1;) alert tcp $HOME_NET any -> [8.134.142.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200381; rev:1;) alert tcp $HOME_NET any -> [54.216.197.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200379; rev:1;) alert tcp $HOME_NET any -> [140.143.142.93] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200380; rev:1;) alert tcp $HOME_NET any -> [175.24.165.197] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200378; rev:1;) alert tcp $HOME_NET any -> [101.42.8.97] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200377; rev:1;) alert tcp $HOME_NET any -> [119.91.109.228] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200376; rev:1;) alert tcp $HOME_NET any -> [95.214.25.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200375; rev:1;) alert tcp $HOME_NET any -> [47.100.65.174] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200374; rev:1;) alert tcp $HOME_NET any -> [95.164.19.116] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200373; rev:1;) alert tcp $HOME_NET any -> [47.107.62.126] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; 
sid:91200372; rev:1;) alert tcp $HOME_NET any -> [47.107.62.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200371; rev:1;) alert tcp $HOME_NET any -> [154.213.65.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200370; rev:1;) alert tcp $HOME_NET any -> [124.222.218.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200369; rev:1;) alert tcp $HOME_NET any -> [101.34.62.198] 8020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200368; rev:1;) alert tcp $HOME_NET any -> [114.132.220.82] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200367; rev:1;) alert tcp $HOME_NET any -> [8.142.115.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1200366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200366; rev:1;) alert tcp $HOME_NET any -> [156.224.25.216] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200365; rev:1;) alert tcp $HOME_NET any -> [101.43.170.225] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200364; rev:1;) alert tcp $HOME_NET any -> [23.98.137.196] 8639 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200363; rev:1;) alert tcp $HOME_NET any -> [101.43.142.116] 9922 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200362; rev:1;) alert tcp $HOME_NET any -> [54.227.115.91] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200361; rev:1;) alert tcp $HOME_NET any -> 
[8.218.157.182] 2185 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200360; rev:1;) alert tcp $HOME_NET any -> [123.172.50.34] 62443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200359; rev:1;) alert tcp $HOME_NET any -> [103.149.200.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200358; rev:1;) alert tcp $HOME_NET any -> [39.104.232.76] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200357; rev:1;) alert tcp $HOME_NET any -> [120.24.59.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200356; rev:1;) alert tcp $HOME_NET any -> [38.54.56.18] 45456 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200354/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200354; rev:1;) alert tcp $HOME_NET any -> [23.94.0.77] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200355; rev:1;) alert tcp $HOME_NET any -> [43.142.19.171] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200353; rev:1;) alert tcp $HOME_NET any -> [172.94.104.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200352; rev:1;) alert tcp $HOME_NET any -> [139.99.67.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200351; rev:1;) alert tcp $HOME_NET any -> [3.75.100.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200349; rev:1;) alert tcp $HOME_NET any -> [114.103.158.104] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200350; rev:1;) alert tcp $HOME_NET any -> [47.109.61.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200348; rev:1;) alert tcp $HOME_NET any -> [116.62.104.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200347; rev:1;) alert tcp $HOME_NET any -> [47.113.220.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200345; rev:1;) alert tcp $HOME_NET any -> [124.220.110.22] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200346; rev:1;) alert tcp $HOME_NET any -> [118.31.32.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; 
classtype:trojan-activity; sid:91200344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.theokanegroup.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-254-233-190.us-gov-east-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cj.gudongchunjingshui.cn"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grafana.clubpro.space"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"151-248-118-52.cloudvps.regruhosting.ru"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200339; 
rev:1;) alert tcp $HOME_NET any -> [8.219.229.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c27.vslai.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-121-37-214-255.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200336; rev:1;) alert tcp $HOME_NET any -> [188.127.237.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200335/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_09; classtype:trojan-activity; sid:91200335; rev:1;) alert tcp $HOME_NET any -> [115.110.249.115] 20034 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200334; rev:1;) alert tcp $HOME_NET any -> [216.128.177.23] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200333/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_09; classtype:trojan-activity; sid:91200333; rev:1;) alert tcp $HOME_NET any -> [183.162.222.8] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200332/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_09; classtype:trojan-activity; sid:91200332; rev:1;) alert tcp $HOME_NET any -> [156.251.17.118] 8880 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200331; rev:1;) alert tcp $HOME_NET any -> [43.128.4.110] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200330; rev:1;) alert tcp $HOME_NET any -> [43.239.251.54] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200329; rev:1;) alert tcp $HOME_NET any -> [64.253.87.233] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200328; rev:1;) alert tcp $HOME_NET any 
-> [93.123.85.37] 5060 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200327; rev:1;) alert tcp $HOME_NET any -> [156.224.27.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200326; rev:1;) alert tcp $HOME_NET any -> [152.136.128.162] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200325; rev:1;) alert tcp $HOME_NET any -> [185.141.63.166] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200324; rev:1;) alert tcp $HOME_NET any -> [35.226.165.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"240.49.225.35.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1200322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200322; rev:1;) alert tcp $HOME_NET any -> [173.254.240.26] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200321; rev:1;) alert tcp $HOME_NET any -> [91.92.246.222] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200320; rev:1;) alert tcp $HOME_NET any -> [85.215.218.19] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200319; rev:1;) alert tcp $HOME_NET any -> [183.80.186.171] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200318; rev:1;) alert tcp $HOME_NET any -> [172.171.254.153] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200317; rev:1;) alert tcp $HOME_NET any -> [206.72.202.109] 1604 (msg:"ThreatFox 
Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200316; rev:1;) alert tcp $HOME_NET any -> [43.249.193.131] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200315; rev:1;) alert tcp $HOME_NET any -> [8.129.179.142] 22 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200314; rev:1;) alert tcp $HOME_NET any -> [186.102.163.66] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200313; rev:1;) alert tcp $HOME_NET any -> [185.196.8.53] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200312; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 5010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200311/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_09; classtype:trojan-activity; sid:91200311; rev:1;) alert tcp $HOME_NET any -> [51.89.242.53] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200310; rev:1;) alert tcp $HOME_NET any -> [190.28.166.77] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200308; rev:1;) alert tcp $HOME_NET any -> [161.97.151.222] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200309; rev:1;) alert tcp $HOME_NET any -> [107.172.76.170] 8909 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200307; rev:1;) alert tcp $HOME_NET any -> [91.109.182.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200306; rev:1;) alert tcp $HOME_NET any -> [187.24.70.241] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1200305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200305; rev:1;) alert tcp $HOME_NET any -> [185.81.157.238] 366 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200303; rev:1;) alert tcp $HOME_NET any -> [187.24.70.241] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200304; rev:1;) alert tcp $HOME_NET any -> [147.189.173.111] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200302; rev:1;) alert tcp $HOME_NET any -> [5.75.182.255] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200301; rev:1;) alert tcp $HOME_NET any -> [37.1.211.248] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200300; rev:1;) alert tcp $HOME_NET any -> [181.214.240.179] 7707 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salesforcesupport.eastus.cloudapp.azure.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.225.71.99.88.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200297; rev:1;) alert tcp $HOME_NET any -> [110.42.206.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200296/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200296; rev:1;) alert tcp $HOME_NET any -> [47.100.215.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200294/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.alexis-dasilva.pro"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"151.174.226.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.106.47.140.128.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.107.185.243.136.clients.your-server.de"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200290; rev:1;) alert tcp $HOME_NET any -> [60.204.151.215] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200291/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.159-65-168-135.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1200289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200289; rev:1;) alert tcp $HOME_NET any -> [184.72.153.18] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_09; classtype:trojan-activity; sid:91200288; rev:1;) alert tcp $HOME_NET any -> [3.88.110.150] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200287/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200287; rev:1;) alert tcp $HOME_NET any -> [24.199.125.165] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200286/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200286; rev:1;) alert tcp $HOME_NET any -> [38.145.203.10] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200285/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200285; rev:1;) alert tcp $HOME_NET any -> [15.168.63.98] 8066 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200284/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200284; rev:1;) alert tcp $HOME_NET any -> [54.163.5.232] 3790 (msg:"ThreatFox 
Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200283/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200283; rev:1;) alert tcp $HOME_NET any -> [171.5.180.134] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200282/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_09; classtype:trojan-activity; sid:91200282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nshdpoud.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200281; rev:1;) alert tcp $HOME_NET any -> [192.3.39.32] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200280/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200280; rev:1;) alert tcp $HOME_NET any -> [154.204.56.105] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200279/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200279; rev:1;) alert tcp $HOME_NET any -> [62.234.54.38] 8033 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1200278/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200278; rev:1;) alert tcp $HOME_NET any -> [41.97.223.104] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200277; rev:1;) alert tcp $HOME_NET any -> [5.189.253.223] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200276/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200276; rev:1;) alert tcp $HOME_NET any -> [176.96.9.11] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200275/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0871177.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200274; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 59417 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200270/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; 
classtype:trojan-activity; sid:91200270; rev:1;) alert tcp $HOME_NET any -> [39.100.79.80] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200269/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200269; rev:1;) alert tcp $HOME_NET any -> [86.98.21.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200268/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200268; rev:1;) alert tcp $HOME_NET any -> [5.14.207.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200267/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200267; rev:1;) alert tcp $HOME_NET any -> [108.4.77.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200266/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200266; rev:1;) alert tcp $HOME_NET any -> [138.197.202.47] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200265/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200265; rev:1;) alert tcp $HOME_NET any -> [49.12.207.253] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200264/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200264; rev:1;) alert tcp $HOME_NET any -> [46.246.1.155] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200263/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200263; rev:1;) alert tcp $HOME_NET any -> [165.22.184.182] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200262/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200262; rev:1;) alert tcp $HOME_NET any -> [104.238.60.84] 3346 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200261/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200261; rev:1;) alert tcp $HOME_NET any -> [103.20.235.195] 2815 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200260/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200260; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 5749 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200259; rev:1;) alert tcp $HOME_NET any -> [3.70.6.51] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200258/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200258; rev:1;) alert tcp $HOME_NET any -> [165.22.0.181] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200257/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"305friend.caesarsgroup.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200256/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200256; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 58749 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200254/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200254; rev:1;) alert tcp $HOME_NET any -> [38.41.53.167] 84 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200253/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200253; rev:1;) alert tcp $HOME_NET any -> [5.182.87.160] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200252/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_11_08; classtype:trojan-activity; sid:91200252; rev:1;) alert tcp $HOME_NET any -> [164.52.216.101] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200251/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200251; rev:1;) alert tcp $HOME_NET any -> [124.71.202.107] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200250/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200250; rev:1;) alert tcp $HOME_NET any -> [121.199.21.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200249/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200249; rev:1;) alert tcp $HOME_NET any -> [123.249.115.56] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200248/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200248; rev:1;) alert tcp $HOME_NET any -> [112.126.71.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200247/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zang1.almashreaq.top"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200246; rev:1;) alert tcp $HOME_NET any -> [41.104.212.15] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200245/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200245; rev:1;) alert tcp $HOME_NET any -> [47.99.79.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200244/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200244; rev:1;) alert tcp $HOME_NET any -> [47.104.179.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200243/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200243; rev:1;) alert tcp $HOME_NET any -> [103.79.77.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200242/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homeservicetreking.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; 
sid:91200238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"homeservicetreking.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1200239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"homeservicetreking.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1200240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200240; rev:1;) alert tcp $HOME_NET any -> [134.122.54.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200241/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200241; rev:1;) alert tcp $HOME_NET any -> [107.173.214.76] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200237/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c36258786fdc16da.php"; depth:21; nocase; http.host; content:"77.91.124.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200236; 
rev:1;) alert tcp $HOME_NET any -> [13.58.48.135] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200235; rev:1;) alert tcp $HOME_NET any -> [3.208.31.134] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200234/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200234; rev:1;) alert tcp $HOME_NET any -> [144.76.163.55] 15648 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200233; rev:1;) alert tcp $HOME_NET any -> [52.2.208.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200232/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-fddzhrcc-1320999622.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"service-fddzhrcc-1320999622.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200231; rev:1;) alert tcp $HOME_NET any -> [20.252.43.59] 4403 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200229/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200229; rev:1;) alert tcp $HOME_NET any -> [85.239.54.206] 8081 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200228/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200228; rev:1;) alert tcp $HOME_NET any -> [109.107.189.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200227/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200227; rev:1;) alert tcp $HOME_NET any -> [77.105.147.90] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200226/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mistyyy.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199807/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbkw.tk"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuveehackedurpc.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dontreachme.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eta.ne.virus.ne.trogaj.mena.kstati.putinso.site"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jewstew.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; 
classtype:trojan-activity; sid:91199806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myvpsvps.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joe.katana.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orcushack.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orcustop4ik.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ozones.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poulty55.chickenkiller.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powerdirector.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"putinso.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qstorm.chickenkiller.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raiday.ml"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat.bcn-pool.us"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.kekw.tk"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.putinso.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"satanishere-48375.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199824/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-cheatchard.ddns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonkalicloud.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199828/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcp.access.ly"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tecster.cloudns.cx"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vacation-family.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.microsoftupdateserver1.ga"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graphics-absorption.at.playit.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199803/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199803; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isnadsknsbs-38398.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"client1111.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"animals-sewing.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azxsdc.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199796; rev:1;) alert tcp $HOME_NET any -> [100.126.50.154] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199794; rev:1;) alert tcp $HOME_NET any -> [178.218.146.89] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdalulnc.e3.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199793/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199793; rev:1;) alert tcp $HOME_NET any -> [149.28.130.206] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200205; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 8000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200204; rev:1;) alert tcp $HOME_NET any -> [43.132.173.7] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200203; rev:1;) alert tcp $HOME_NET any -> [185.189.241.208] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; 
classtype:trojan-activity; sid:91200201; rev:1;) alert tcp $HOME_NET any -> [45.74.6.9] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200206; rev:1;) alert tcp $HOME_NET any -> [47.117.177.231] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200207; rev:1;) alert tcp $HOME_NET any -> [65.20.107.216] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200211; rev:1;) alert tcp $HOME_NET any -> [154.211.14.156] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200208; rev:1;) alert tcp $HOME_NET any -> [38.54.23.192] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200210; rev:1;) alert tcp $HOME_NET any -> [43.229.112.205] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1200209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200209; rev:1;) alert tcp $HOME_NET any -> [118.69.111.118] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"adfincolniclo.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1200182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"siliconerumble.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adfincolniclo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1200180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"adfincolniclo.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1200181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; 
classtype:trojan-activity; sid:91200181; rev:1;) alert tcp $HOME_NET any -> [194.147.140.185] 23591 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"siliconerumble.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1200186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"siliconerumble.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1200187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"moomagou.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"makrsides.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200197/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"howlcars.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200198; rev:1;) alert tcp $HOME_NET any -> [171.228.209.167] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199768/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91199768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.ngocronglau.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199769/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91199769; rev:1;) alert tcp $HOME_NET any -> [146.70.80.79] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199774; rev:1;) alert tcp $HOME_NET any -> [212.237.217.136] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199775/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199775; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.242.217.252"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1199779/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91199779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cilgindayi34.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1199781/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91199781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ihanetkasalarsizi-com.tk"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1199780/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91199780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rqoesitey/hlight/paid.php"; depth:26; nocase; http.host; content:"bagsrad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/626e62981e663996.php"; depth:21; nocase; http.host; content:"vewver.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200224/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/provider_windowsuniversal.php"; depth:30; nocase; http.host; content:"82.146.57.75"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200223; rev:1;) alert tcp $HOME_NET any -> [94.131.111.240] 14301 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200222; rev:1;) alert tcp $HOME_NET any -> [34.88.205.25] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200221/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200221; rev:1;) alert tcp $HOME_NET any -> [43.139.61.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200220/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/305friend/five/fre.php"; depth:35; nocase; http.host; content:"305friend.caesarsgroup.top"; depth:26; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1200219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"whxzqkbbtzvdyxdeseoiyujzs.co"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200218/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"uohhunkmnfhbimtagizqgwpmv.to"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200217/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"nnzqahmamqucusarjveovbuyt.cyou"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200216/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"kkudndkwatnfevcaqeefytqnh.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200215/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; 
classtype:trojan-activity; sid:91200215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"163.5.169.23"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200214/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91200214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfg/"; depth:5; nocase; http.host; content:"163.5.169.23"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200213; rev:1;) alert tcp $HOME_NET any -> [3.121.85.105] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200200/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200200; rev:1;) alert tcp $HOME_NET any -> [167.71.65.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200199/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200195/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.129.173.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200194; rev:1;) alert tcp $HOME_NET any -> [91.92.252.212] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200193/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91200193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"165.227.141.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/load"; depth:5; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"119.45.250.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"85.209.11.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200184; rev:1;) alert tcp $HOME_NET any -> [91.92.252.212] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200183; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"38.180.70.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200179; rev:1;) alert tcp $HOME_NET any -> [104.248.88.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200177/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200177; rev:1;) alert tcp $HOME_NET any -> [116.203.165.60] 2087 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.165.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200175; rev:1;) alert tcp $HOME_NET any -> [116.203.165.60] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.165.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200173; rev:1;) alert tcp $HOME_NET any -> [80.66.66.42] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200172/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200172; rev:1;) alert tcp $HOME_NET any -> [123.207.20.16] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200171/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200171; rev:1;) alert tcp $HOME_NET any -> [194.147.140.140] 1769 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"severinofragola.icu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1200169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91200169; rev:1;) alert tcp $HOME_NET any -> [45.140.146.58] 3790 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1200167/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91200167; rev:1;) alert tcp $HOME_NET any -> [106.225.224.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199865/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199865; rev:1;) alert tcp $HOME_NET any -> [45.144.138.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199864/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199864; rev:1;) alert tcp $HOME_NET any -> [45.32.42.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199863/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199863; rev:1;) alert tcp $HOME_NET any -> [106.225.224.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199862/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199862; rev:1;) alert tcp $HOME_NET any -> [106.225.224.84] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199861/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_11_08; classtype:trojan-activity; sid:91199861; rev:1;) alert tcp $HOME_NET any -> [106.225.224.51] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199860/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199860; rev:1;) alert tcp $HOME_NET any -> [106.225.224.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199859/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199859; rev:1;) alert tcp $HOME_NET any -> [45.11.47.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199858/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199858; rev:1;) alert tcp $HOME_NET any -> [149.129.178.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199857/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199857; rev:1;) alert tcp $HOME_NET any -> [106.225.224.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199856/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199856; rev:1;) alert tcp $HOME_NET any -> [172.162.233.190] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199855/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199855; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199854/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199854; rev:1;) alert tcp $HOME_NET any -> [78.19.233.36] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199853/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199853; rev:1;) alert tcp $HOME_NET any -> [154.247.78.2] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199852/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199852; rev:1;) alert tcp $HOME_NET any -> [50.99.8.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199851/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199851; rev:1;) alert tcp $HOME_NET any -> [187.213.192.166] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199850/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199850; rev:1;) alert tcp $HOME_NET any -> 
[197.0.105.119] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199849/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199849; rev:1;) alert tcp $HOME_NET any -> [23.137.248.37] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199848/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199848; rev:1;) alert tcp $HOME_NET any -> [34.151.215.152] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199847/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199847; rev:1;) alert tcp $HOME_NET any -> [35.93.4.222] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199846/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199846; rev:1;) alert tcp $HOME_NET any -> [185.193.125.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199845/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199845; rev:1;) alert tcp $HOME_NET any -> [128.140.47.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199844/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_11_08; classtype:trojan-activity; sid:91199844; rev:1;) alert tcp $HOME_NET any -> [208.123.119.123] 5214 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199843/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199843; rev:1;) alert tcp $HOME_NET any -> [65.109.166.117] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199842/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199842; rev:1;) alert tcp $HOME_NET any -> [68.183.152.119] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199841/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199841; rev:1;) alert tcp $HOME_NET any -> [139.59.72.48] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199840/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199840; rev:1;) alert tcp $HOME_NET any -> [65.109.86.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199839/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_08; classtype:trojan-activity; sid:91199839; rev:1;) alert tcp $HOME_NET any -> [107.191.60.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199838/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91199838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"arturogillotti.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199837; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 15752 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199836; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 15752 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c36258786fdc16da.php"; depth:21; nocase; http.host; content:"5.42.92.215"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"dnalnoomnus.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199791/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91199791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"dnalnoomnus.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199790/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_08; classtype:trojan-activity; sid:91199790; rev:1;) alert tcp $HOME_NET any -> [194.147.140.145] 1997 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_08; classtype:trojan-activity; sid:91199789; rev:1;) alert tcp $HOME_NET any -> [62.234.30.15] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199788/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91199788; rev:1;) alert tcp $HOME_NET any -> [149.210.20.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199787/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_08; classtype:trojan-activity; sid:91199787; rev:1;) alert tcp $HOME_NET any -> [45.120.177.164] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"casioblue.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199783; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 23525 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199782; rev:1;) alert tcp $HOME_NET any -> [60.204.243.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.243.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199777; rev:1;) alert tcp $HOME_NET any -> [8.213.198.149] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1199776/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2dd77469.php"; depth:13; nocase; http.host; content:"cx51464.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199773; rev:1;) alert tcp $HOME_NET any -> [192.99.44.107] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199772; rev:1;) alert tcp $HOME_NET any -> [185.217.98.121] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199771; rev:1;) alert tcp $HOME_NET any -> [77.72.85.57] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199770/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.118.67"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1199767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199767; rev:1;) alert tcp $HOME_NET any -> [217.76.162.101] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199766/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199766; rev:1;) alert tcp $HOME_NET any -> [46.29.162.56] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199765/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199765; rev:1;) alert tcp $HOME_NET any -> [78.176.228.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199764/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199764; rev:1;) alert tcp $HOME_NET any -> [217.165.14.70] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199763/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199763; rev:1;) alert tcp $HOME_NET any -> [85.97.84.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199762/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199762; rev:1;) alert tcp $HOME_NET any -> [90.4.113.105] 2222 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199761/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199761; rev:1;) alert tcp $HOME_NET any -> [105.224.22.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199760/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199760; rev:1;) alert tcp $HOME_NET any -> [74.12.146.52] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199759/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199759; rev:1;) alert tcp $HOME_NET any -> [102.159.26.170] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199758/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199758; rev:1;) alert tcp $HOME_NET any -> [45.9.148.192] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199757/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199757; rev:1;) alert tcp $HOME_NET any -> [80.78.24.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199756/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199756; 
rev:1;) alert tcp $HOME_NET any -> [194.169.175.238] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199755/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199755; rev:1;) alert tcp $HOME_NET any -> [54.93.236.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199754/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199754; rev:1;) alert tcp $HOME_NET any -> [64.226.72.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199753/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199753; rev:1;) alert tcp $HOME_NET any -> [23.152.0.64] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199752/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199752; rev:1;) alert tcp $HOME_NET any -> [157.90.129.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199751/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199751; rev:1;) alert tcp $HOME_NET any -> [62.72.18.9] 11807 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199750/; target:src_ip; 
metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199750; rev:1;) alert tcp $HOME_NET any -> [91.206.178.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199749/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199749; rev:1;) alert tcp $HOME_NET any -> [91.206.178.75] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199748/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199748; rev:1;) alert tcp $HOME_NET any -> [45.77.221.80] 55638 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199747/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199747; rev:1;) alert tcp $HOME_NET any -> [13.59.217.103] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199746; rev:1;) alert tcp $HOME_NET any -> [216.120.201.106] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199745; rev:1;) alert tcp $HOME_NET any -> [18.221.245.196] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199744; rev:1;) alert tcp $HOME_NET any -> [3.135.234.20] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poop.ndgnetlabs.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.ndgnetlabs.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x9rz"; depth:5; nocase; http.host; content:"121.37.21.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199740/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp.48.txt"; depth:11; 
nocase; http.host; content:"193.176.179.41"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199738; rev:1;) alert tcp $HOME_NET any -> [185.216.70.232] 28121 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lliean.faqserv.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"a-iran.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l-i-r-n.itsaol.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"testqq.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199734/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asv.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atv.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asv.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"atv.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1199730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"acm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"a-iran.fartit.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"lliean.faqserv.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199726; rev:1;) alert tcp $HOME_NET any -> [158.247.246.182] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199725; rev:1;) alert tcp $HOME_NET any -> [80.66.89.149] 32143 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199724; rev:1;) alert tcp $HOME_NET any -> [45.77.163.191] 14378 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199717; rev:1;) alert tcp $HOME_NET any -> [31.117.133.147] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199716/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199716; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 11278 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"ov.d693na2y4mpkhr34.vip"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; 
content:"u513fdanj.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199713; rev:1;)
# ThreatFox IOCs first_seen 2023_11_07: two payload-delivery hosts sharing the /vvmd54/ path, then their domains.
# URL rules fire on the client->server request only (flow:established,from_client), pin the method to GET,
# match the path from offset 0 of http.uri (depth == pattern length, nocase) and match the host exactly
# (depth == pattern length, isdataat:!1,relative forbids trailing bytes).
# NOTE(review): for the rules below whose http.host pattern is an IP literal, a Host header that also carries a
# port is longer than the pattern -- whether http.host strips the port is not visible here; confirm before
# relying on them for non-default ports.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"ov.d693na2y4mpkhr34.vip"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"u513fdanj.website"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199711; rev:1;)
# Domain rules: exact, case-insensitive dns_query match (depth == length, isdataat:!1,relative); a query for a
# sub-label of the domain does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u513fdanj.website"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199709; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ov.d693na2y4mpkhr34.vip"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199710; rev:1;)
# confidence_level 75: lower-confidence IOC -- expect more false positives than the 100% entries.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"licencesolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199707/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199707; rev:1;)
# ip:port rules carry no flow keyword: any packet from $HOME_NET to the address:port matches, including the
# initial SYN (a scanner inside $HOME_NET will trigger them); threshold caps this at one alert per source
# per 60 s. target:src_ip marks the $HOME_NET side as the victim.
# NOTE(review): several of the addresses in this feed look like cloud/VPS space and are first_seen
# 2023_11_07 -- such addresses get reassigned; re-validate before turning these into block rules.
alert tcp $HOME_NET any -> [64.225.73.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199706/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199706; rev:1;)
# Hostname under a third-party parent domain; only this exact label sequence matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nathwood23.mysynology.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199705; rev:1;)
# Short generic paths (/dot.gif, /match, /j.ad, /fwlink, /ptj, /g.pixel, /pixel, /push, /api, /ga.js):
# the exact http.host pattern is what makes each of these rules specific, not the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"178.128.123.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.43.122.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.67.242.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"106.15.235.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199698; rev:1;)
# Two 80%-confidence ip:port entries (one with no family attribution in msg).
alert tcp $HOME_NET any -> [43.131.45.17] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199697/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199697; rev:1;)
alert tcp $HOME_NET any -> [212.192.15.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199696/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.242.158.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199694; rev:1;)
# RAT C2 endpoints on non-standard ports (Ave Maria, Ghost RAT, NjRAT, Remcos, RedLine). The three NjRAT
# entries share port 13427 on three different addresses.
alert tcp $HOME_NET any -> [91.92.252.13] 4244 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"temoolda.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199692; rev:1;)
alert tcp $HOME_NET any -> [103.71.154.163] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199691; rev:1;)
alert tcp $HOME_NET any -> [3.124.67.191] 13427 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199690; rev:1;)
alert tcp $HOME_NET any -> [3.67.15.169] 13427 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199689; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 13427 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199688; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.149] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199687; rev:1;)
# Same /_defaultwindows.php path on two hosts; the host pattern distinguishes them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"simikkzd.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"foulertech.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/518893e599328c52.php"; depth:21; nocase; http.host; content:"94.142.138.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"netovrema.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199683; rev:1;)
alert tcp $HOME_NET any -> [134.122.8.156] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"voloknus.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199681; rev:1;)
# confidence_level 50: the lowest-confidence entry in this span -- treat an alert as a lead, not a verdict.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"store.bestselllerservice.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199679/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
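dns_query; content:"grafielucho.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199642; rev:1;)
# Exact, case-insensitive dns_query match (depth == length, isdataat:!1,relative): sub-labels do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mistulinno.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199643; rev:1;)
# NOTE(review): sids 91199644-91199646, 91199648-91199661, 91199664-91199665 and 91199620-91199635 were
# generated with a bare hostname or IP as an http.uri pattern anchored at offset 0 (depth == pattern length)
# and with no http.host check at all. Suricata's normalized http.uri holds the request target, which for an
# ordinary origin-form request begins with "/", so a hostname can never occupy bytes 0..N-1 of that buffer and
# these IOCs were effectively not being detected. Rewritten to the http.host form every other URL rule in this
# feed uses (exact host: depth == length, isdataat:!1,relative) and rev bumped to 2 so rule managers pick up
# the change. The GET restriction is kept from rev:1 (drop it if the host-level IOC should also cover POST
# beacons). nocase is dropped: http.host is lowercase-normalized and the feed never pairs it with nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"henryjackson.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199644; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"kevinrobinson.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199645; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"williammoore.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199646; rev:2;)
# IP-literal hosts. NOTE(review): a Host header that also carries a port is longer than the pattern; whether
# http.host strips the port is not visible here -- confirm before relying on these for non-default ports.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.233.232.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199648; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"95.216.187.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199649; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"157.90.24.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199650; rev:2;)
# 94.142.138.179 also appears with the /518893e599328c52.php path under sid 91199684; this host-only rule
# covers any other GET to the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"94.142.138.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199651; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.92.243.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199652; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"5.75.165.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199653; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"raymonddixon.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199654; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"ronaldrichards.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199655; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"devinjason.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199656; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"robertjohnson.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199657; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"bidbur.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199658; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"91.215.85.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199659; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"jaimemcgee.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199660; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"howardwood.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199661; rev:2;)
# Regular path+host URL rule, unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"buuuzar.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199663; rev:2;)
# Two ThreatFox entries (1199664, 1199665) for the same host: both rules now carry identical detection
# content and will alert twice on one request. Both are kept so each IOC id stays traceable; disable one if
# the duplicate alert is unwanted. Hostname is under a third-party parent domain (ns01.info).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"harold.ns01.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199664; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"harold.ns01.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199665; rev:2;)
# Hostname under a third-party parent domain (hopto.org); exact match only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adata.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199666; rev:1;)
# Path+host URL rules with short generic paths (/cx, /pixel, /updates.rss, /ga.js, /push, /visit.js): the
# exact http.host pattern is what makes each rule specific. Unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.140.198.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199678; rev:1;)
# ip:port rules: no flow keyword, so any packet from $HOME_NET to address:port matches (SYN included);
# threshold caps alerts at one per source per 60 s. confidence_level 75/80 entries are lower confidence.
alert tcp $HOME_NET any -> [95.214.27.6] 3348 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199677/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199676; rev:1;)
alert tcp $HOME_NET any -> [155.248.183.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199675/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"45.145.4.97"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"121.43.189.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199673; rev:1;)
alert tcp $HOME_NET any -> [123.56.251.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199672/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199672; rev:1;)
# Host is a cloud API-gateway hostname; a legitimate tenant can appear under the same parent domain, so the
# full 50-byte exact match matters here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"service-ltwr9lk5-1319740527.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199670; rev:1;)
alert tcp $HOME_NET any -> [198.55.113.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199669/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.43.189.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199667; rev:1;)
# Domain IOCs, exact dns_query match. Unchanged.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagorun.website"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199637; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gdsgwefewrewr.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199638; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markuami.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199639; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfdhdfgrre.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199640; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfdhfdhdfhdfa.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199641; rev:1;)
alert tcp $HOME_NET any -> [200.114.107.96] 16464 (msg:"ThreatFox ZeroAccess botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199636/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199636; rev:1;)
# Second batch of host-only "url" IOCs (ThreatFox 1199620-1199635), same http.uri -> http.host repair as
# above, rev:2. Reference ids are kept in the feed's original order (1199628 precedes 1199627).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.130.226.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199620; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.130.227.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199621; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"hadfadf87yuadfad.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199623; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"jeraldsin3dsajdklafdmonk.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199624; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"onlineserviceboonkers.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199625; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"profitcentronline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199626; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.bitepieces.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199628; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"projecktupdatemonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199627; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.firestarted.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199629; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"sftp.noheroway.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199630; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"showmoreresultonliner.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199631; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"shsukadadyuikmmonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199632; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"taochinashowwers.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199633; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"tottalonlineservis.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199634; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"voodmastrelinux.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199635; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; 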
http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199619; rev:1;)
# Path+host URL rule (short generic path /ga.js; the exact http.host pattern carries the specificity).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199618; rev:1;)
# One IRATA delivery host, two ports (443 and 80). No flow keyword: any packet from $HOME_NET to the
# address:port matches, SYN included; threshold caps alerts at one per source per 60 s.
alert tcp $HOME_NET any -> [198.144.189.74] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199617; rev:1;)
alert tcp $HOME_NET any -> [198.144.189.74] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199616; rev:1;)
# APK payload-delivery URLs: the same two paths (/saham.apk, /app.apk) served from several hostnames under
# two shared parent domains (faqserv.com, fartit.com) plus one under ydns.eu. Each rule matches exactly one
# host (depth == length, isdataat:!1,relative); a new sub-label under the same parent domain is not covered,
# so expect more hosts than these to appear.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adt.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"eds.ydns.eu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"atc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"afc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"afe.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"dsfa.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"acb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199610; rev:1;)
# Matching domain IOCs for the hosts above: exact, case-insensitive dns_query match; the parent domains
# themselves (faqserv.com, fartit.com) are not matched.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsfa.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199602; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"acb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199603; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"afc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199604; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"afe.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199605/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"atc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eds.ydns.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adt.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.138.118.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1199600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199600; rev:1;) alert tcp $HOME_NET any -> [213.179.32.9] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199599/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199599; rev:1;) alert tcp $HOME_NET any -> [194.116.215.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199598/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199598; rev:1;) alert tcp $HOME_NET any -> [8.219.229.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199596; rev:1;) alert tcp $HOME_NET any -> [183.255.43.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199595/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; 
classtype:trojan-activity; sid:91199595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.48.62.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199594; rev:1;) alert tcp $HOME_NET any -> [106.54.228.198] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199593; rev:1;) alert tcp $HOME_NET any -> [119.24.45.206] 16464 (msg:"ThreatFox ZeroAccess botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199592/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199592; rev:1;) alert tcp $HOME_NET any -> [62.234.29.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199591/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8sjimonstersboonkonline.com"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1199590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199590; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"u513fdanj.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"u513fdanj.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199588; rev:1;) alert tcp $HOME_NET any -> [132.145.106.12] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199587/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199587; rev:1;) alert tcp $HOME_NET any -> [41.208.73.44] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199586/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199586; rev:1;) alert tcp $HOME_NET any -> [77.244.249.77] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199585/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199585; rev:1;) alert tcp $HOME_NET any -> [122.51.46.83] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199584/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199584; rev:1;) alert tcp $HOME_NET any -> [74.48.78.38] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199583/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199583; rev:1;) alert tcp $HOME_NET any -> [43.249.8.44] 7070 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199582/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199582; rev:1;) alert tcp $HOME_NET any -> [201.137.203.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199581/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199581; rev:1;) alert tcp $HOME_NET any -> [81.154.154.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199580/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199580; rev:1;) alert tcp $HOME_NET any -> [39.40.157.96] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199579/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_11_07; classtype:trojan-activity; sid:91199579; rev:1;) alert tcp $HOME_NET any -> [70.49.35.13] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199578/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199578; rev:1;) alert tcp $HOME_NET any -> [41.96.101.186] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199577/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199577; rev:1;) alert tcp $HOME_NET any -> [151.48.190.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199576/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199576; rev:1;) alert tcp $HOME_NET any -> [187.233.51.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199575/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199575; rev:1;) alert tcp $HOME_NET any -> [107.152.44.183] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199574/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199574; rev:1;) alert tcp $HOME_NET any -> [94.237.24.72] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199573/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199573; rev:1;) alert tcp $HOME_NET any -> [20.55.94.241] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199572/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199572; rev:1;) alert tcp $HOME_NET any -> [34.232.77.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199571/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199571; rev:1;) alert tcp $HOME_NET any -> [23.152.0.64] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199569/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199569; rev:1;) alert tcp $HOME_NET any -> [23.152.0.64] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199570/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199570; rev:1;) alert tcp $HOME_NET any -> [193.31.28.88] 993 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199568/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199568; rev:1;) alert tcp $HOME_NET any -> [112.29.180.28] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199567/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view.asp"; depth:9; nocase; http.host; content:"www.we11point.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo/%s.jpg"; depth:13; nocase; http.host; content:"www.we11point.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73354587f0a8b50c.php"; depth:21; nocase; http.host; content:"91.92.243.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.103.252.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199546/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.103.252.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"38.180.70.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199553; rev:1;) alert tcp $HOME_NET any -> [194.49.94.77] 22888 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199555; rev:1;) alert tcp $HOME_NET any -> [185.196.8.154] 8331 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199566/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199566; rev:1;) alert tcp $HOME_NET any -> [156.96.44.204] 9866 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; 
classtype:trojan-activity; sid:91199445; rev:1;) alert tcp $HOME_NET any -> [5.181.156.60] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199444; rev:1;) alert tcp $HOME_NET any -> [135.181.11.41] 3837 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199450; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 10524 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"days-jd.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199457; rev:1;) alert tcp $HOME_NET any -> [193.149.129.136] 55556 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"u513fdanj.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"u513fdanj.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_07; classtype:trojan-activity; sid:91199542; rev:1;) alert tcp $HOME_NET any -> [139.224.188.139] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199565/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199565; rev:1;) alert tcp $HOME_NET any -> [91.92.242.146] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199564/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199564; rev:1;) alert tcp $HOME_NET any -> [62.113.115.249] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199563/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199563; rev:1;) alert tcp $HOME_NET any -> [13.233.201.152] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199562/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; 
classtype:trojan-activity; sid:91199562; rev:1;) alert tcp $HOME_NET any -> [18.234.237.31] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199561/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"305.ebnsina.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199560/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_07; classtype:trojan-activity; sid:91199560; rev:1;) alert tcp $HOME_NET any -> [208.100.26.240] 16464 (msg:"ThreatFox ZeroAccess botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199559/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199559; rev:1;) alert tcp $HOME_NET any -> [139.159.203.44] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199558/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199558; rev:1;) alert tcp $HOME_NET any -> [91.92.255.12] 25050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199557/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_07; classtype:trojan-activity; sid:91199557; rev:1;) alert tcp $HOME_NET any -> [43.155.118.60] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199556/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199556; rev:1;) alert tcp $HOME_NET any -> [222.190.108.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_07; classtype:trojan-activity; sid:91199554; rev:1;) alert tcp $HOME_NET any -> [109.190.79.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199551/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199551; rev:1;) alert tcp $HOME_NET any -> [107.20.33.202] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199550/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199550; rev:1;) alert tcp $HOME_NET any -> [192.3.255.42] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199549/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.144.136.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199548/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199548; rev:1;) alert tcp $HOME_NET any -> [38.54.115.233] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199545/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199545; rev:1;) alert tcp $HOME_NET any -> [45.144.136.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199540/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199540; rev:1;) alert tcp $HOME_NET any -> [18.184.58.217] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199539/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199539; rev:1;) alert tcp $HOME_NET any -> [102.156.247.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199538/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199538; rev:1;) alert tcp $HOME_NET any -> [153.94.75.179] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199537/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199537; rev:1;) alert tcp $HOME_NET any -> [154.247.162.40] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199536/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199536; rev:1;) alert tcp $HOME_NET any -> [74.12.146.52] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199535/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199535; rev:1;) alert tcp $HOME_NET any -> [109.153.244.129] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199534/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199534; rev:1;) alert tcp $HOME_NET any -> [31.117.18.15] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199533/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199533; rev:1;) alert tcp $HOME_NET any -> [92.191.244.29] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199532/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199532; rev:1;) alert tcp $HOME_NET any -> [192.119.68.243] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199531/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199531; rev:1;) alert tcp $HOME_NET any -> [5.61.58.44] 445 (msg:"ThreatFox Responder 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199530/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199530; rev:1;) alert tcp $HOME_NET any -> [198.46.188.120] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199529/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199529; rev:1;) alert tcp $HOME_NET any -> [45.9.148.206] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199528/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199528; rev:1;) alert tcp $HOME_NET any -> [146.190.72.135] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199527; rev:1;) alert tcp $HOME_NET any -> [159.75.172.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199526; rev:1;) alert tcp $HOME_NET any -> [149.40.49.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199525/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_06; classtype:trojan-activity; sid:91199525; rev:1;) alert tcp $HOME_NET any -> [107.174.253.49] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199524; rev:1;) alert tcp $HOME_NET any -> [47.120.1.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199522; rev:1;) alert tcp $HOME_NET any -> [38.147.172.183] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199523; rev:1;) alert tcp $HOME_NET any -> [178.236.246.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199521; rev:1;) alert tcp $HOME_NET any -> [118.31.8.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199520; rev:1;) alert tcp $HOME_NET any -> [116.63.137.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199519; rev:1;) alert tcp $HOME_NET any -> [121.40.243.103] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199518; rev:1;) alert tcp $HOME_NET any -> [95.214.25.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199517; rev:1;) alert tcp $HOME_NET any -> [8.130.102.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199515; rev:1;) alert tcp $HOME_NET any -> [8.210.236.92] 4956 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199516; rev:1;) alert tcp $HOME_NET any -> [8.146.198.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199514; rev:1;) alert 
tcp $HOME_NET any -> [111.231.14.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199513; rev:1;) alert tcp $HOME_NET any -> [54.146.202.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199512; rev:1;) alert tcp $HOME_NET any -> [47.120.1.247] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199511; rev:1;) alert tcp $HOME_NET any -> [87.237.52.123] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199510; rev:1;) alert tcp $HOME_NET any -> [42.123.125.151] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199509; rev:1;) alert tcp $HOME_NET any -> [45.32.110.254] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199507; rev:1;) alert tcp $HOME_NET any -> [121.196.150.68] 7778 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bwyb.love"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199506; rev:1;) alert tcp $HOME_NET any -> [101.43.186.153] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199505; rev:1;) alert tcp $HOME_NET any -> [107.172.43.155] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199504; rev:1;) alert tcp $HOME_NET any -> [23.225.116.214] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199503; rev:1;) alert tcp $HOME_NET any -> [124.220.42.214] 
8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199502; rev:1;) alert tcp $HOME_NET any -> [195.123.233.152] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199501; rev:1;) alert tcp $HOME_NET any -> [61.147.93.153] 999 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199500/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_06; classtype:trojan-activity; sid:91199500; rev:1;) alert tcp $HOME_NET any -> [54.210.22.254] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199499/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_06; classtype:trojan-activity; sid:91199499; rev:1;) alert tcp $HOME_NET any -> [77.72.85.16] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199498/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_06; classtype:trojan-activity; sid:91199498; rev:1;) alert tcp $HOME_NET any -> [20.163.158.142] 443 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199497/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199497; rev:1;) alert tcp $HOME_NET any -> [20.163.158.142] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199496; rev:1;) alert tcp $HOME_NET any -> [93.123.85.34] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199495; rev:1;) alert tcp $HOME_NET any -> [91.92.250.116] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199494; rev:1;) alert tcp $HOME_NET any -> [154.38.113.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199493; rev:1;) alert tcp $HOME_NET any -> [209.203.54.177] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199492; rev:1;) alert tcp $HOME_NET any -> [185.81.157.12] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199491; rev:1;) alert tcp $HOME_NET any -> [185.81.157.12] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199490; rev:1;) alert tcp $HOME_NET any -> [185.81.157.12] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199489; rev:1;) alert tcp $HOME_NET any -> [191.88.249.96] 2018 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199488; rev:1;) alert tcp $HOME_NET any -> [91.109.182.7] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199487; rev:1;) alert tcp $HOME_NET any -> [159.65.168.135] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199486; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"11.ip-217-182-170.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199485; rev:1;) alert tcp $HOME_NET any -> [3.95.181.157] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199484/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199484; rev:1;) alert tcp $HOME_NET any -> [161.35.144.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199483/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199483; rev:1;) alert tcp $HOME_NET any -> [79.137.202.225] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199482/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199482; rev:1;) alert tcp $HOME_NET any -> [178.16.139.77] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199481; rev:1;) alert tcp $HOME_NET any -> [195.201.251.173] 2087 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199478; rev:1;) alert tcp $HOME_NET any -> [195.201.44.59] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199479; rev:1;) alert tcp $HOME_NET any -> [78.47.151.182] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.44.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.151.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199474; rev:1;) alert tcp $HOME_NET any -> [94.130.188.233] 2087 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199475/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199475; rev:1;) alert tcp $HOME_NET any -> [116.203.6.243] 2087 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199476; rev:1;) alert tcp $HOME_NET any -> [5.75.246.163] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.251.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.6.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.246.163"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1199471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.188.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199469; rev:1;) alert tcp $HOME_NET any -> [54.232.16.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199468/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199468; rev:1;) alert tcp $HOME_NET any -> [45.61.138.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199466/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_06; classtype:trojan-activity; sid:91199466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlgg.itsaol.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlks.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; 
classtype:trojan-activity; sid:91199463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ir-irn.vizvaz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"c-iran.dns05.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"c-iran.dns05.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlks.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"ir-irn.vizvaz.com"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlgg.itsaol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199458; rev:1;) alert tcp $HOME_NET any -> [91.92.255.16] 80 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199455/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199455; rev:1;) alert tcp $HOME_NET any -> [136.244.98.80] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199451; rev:1;) alert tcp $HOME_NET any -> [45.76.103.152] 13720 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199452; rev:1;) alert tcp $HOME_NET any -> [207.246.111.127] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199453/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_06; classtype:trojan-activity; sid:91199453; rev:1;) alert tcp $HOME_NET any -> [149.248.53.65] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/43851895e447afd7.php"; depth:21; nocase; http.host; content:"91.215.85.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.134.71.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; 
nocase; http.host; content:"45.76.160.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199446; rev:1;) alert tcp $HOME_NET any -> [46.240.140.66] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199443/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mana/inc/61b46e405d2c1c.php"; depth:28; nocase; http.host; content:"91.92.255.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199442; rev:1;) alert tcp $HOME_NET any -> [5.196.99.128] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199441/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199441; rev:1;) alert tcp $HOME_NET any -> [128.46.157.229] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199440/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199440; rev:1;) alert tcp $HOME_NET any -> [139.159.203.44] 8069 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199439/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199439; rev:1;) alert tcp $HOME_NET any -> [141.255.145.247] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199438; rev:1;) alert tcp $HOME_NET any -> [107.174.253.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199437/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199437; rev:1;) alert tcp $HOME_NET any -> [109.248.206.157] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"efmdwkmwke.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"efmdwkmwkq.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; 
classtype:trojan-activity; sid:91199434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"efmdwkmwkq.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmesc.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seomoi.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jasondixon.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"it-franch-result.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199427; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delooyp.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tophatauc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dslam.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"im-inter.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acs-group.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anime-con.net"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsstar.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lrxzklwmzxe.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voice.gameteamfinder.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"en.softaipro.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cricket-live.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199417/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sports-et-loisirs.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leaf-japan.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"london-sport.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gameteamfinder.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77"; depth:3; nocase; http.host; content:"193.164.223.77"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199407/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_06; classtype:trojan-activity; sid:91199407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77"; depth:3; nocase; http.host; content:"194.146.84.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77"; depth:3; nocase; http.host; content:"107.151.94.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77"; depth:3; nocase; http.host; content:"107.151.94.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199410; rev:1;) alert tcp $HOME_NET any -> [141.11.232.26] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199416/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/305/five/fre.php"; depth:29; nocase; 
http.host; content:"305.ebnsina.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199415; rev:1;) alert tcp $HOME_NET any -> [202.92.4.174] 8000 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199414/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199414; rev:1;) alert tcp $HOME_NET any -> [45.79.249.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199403/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199403; rev:1;) alert tcp $HOME_NET any -> [194.49.94.80] 42359 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"49.232.214.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"106.52.253.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"112.124.53.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199402; rev:1;) alert tcp $HOME_NET any -> [107.175.229.139] 8087 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"efmdwkmwke.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"efmdwkmwke.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_index.php"; depth:36; nocase; http.host; content:"efmdwkmwke.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199400; rev:1;) alert tcp $HOME_NET any -> [124.222.223.192] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199397/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199397; rev:1;) alert tcp $HOME_NET any -> [194.147.140.212] 1999 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199396; rev:1;) alert tcp $HOME_NET any -> [94.156.65.197] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199395/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_06; classtype:trojan-activity; sid:91199395; rev:1;) alert tcp $HOME_NET any -> [163.197.199.246] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flow.baidu666.pw"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/case.js"; depth:8; nocase; http.host; content:"flow.baidu666.pw"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199392; rev:1;) alert tcp $HOME_NET any -> [47.242.158.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.242.158.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199390; rev:1;) alert tcp $HOME_NET any -> [46.32.37.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199389/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199389; rev:1;) alert tcp $HOME_NET any -> [139.99.117.0] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199388/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199388; rev:1;) alert tcp $HOME_NET any -> [94.191.187.105] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199387/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199387; rev:1;) alert tcp $HOME_NET any -> [114.67.242.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199386/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199386; rev:1;) alert tcp $HOME_NET any -> [158.247.202.180] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199380; rev:1;) alert tcp $HOME_NET any -> [198.13.58.126] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199381; rev:1;) alert tcp $HOME_NET any -> [158.247.197.73] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199382; rev:1;) alert tcp 
$HOME_NET any -> [65.20.84.3] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199383; rev:1;) alert tcp $HOME_NET any -> [65.20.84.254] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199384; rev:1;) alert tcp $HOME_NET any -> [104.238.144.171] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199385; rev:1;) alert tcp $HOME_NET any -> [103.146.231.40] 55555 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199364; rev:1;) alert tcp $HOME_NET any -> [103.255.118.150] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199365; rev:1;) alert tcp $HOME_NET any -> [103.146.231.40] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199363/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199363; rev:1;) alert tcp $HOME_NET any -> [149.88.75.49] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199361; rev:1;) alert tcp $HOME_NET any -> [43.129.188.223] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199362; rev:1;) alert tcp $HOME_NET any -> [8.218.212.77] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199359; rev:1;) alert tcp $HOME_NET any -> [95.174.24.213] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199360; rev:1;) alert tcp $HOME_NET any -> [8.219.186.164] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199357; rev:1;) alert tcp $HOME_NET any -> [45.77.244.237] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199358; rev:1;) alert tcp $HOME_NET any -> [154.7.64.133] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199355; rev:1;) alert tcp $HOME_NET any -> [103.255.118.149] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199356; rev:1;) alert tcp $HOME_NET any -> [36.255.221.118] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199353; rev:1;) alert tcp $HOME_NET any -> [158.247.202.188] 995 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199354; rev:1;) alert tcp $HOME_NET any -> [45.76.217.11] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; 
sid:91199367; rev:1;) alert tcp $HOME_NET any -> [104.194.129.178] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199366; rev:1;) alert tcp $HOME_NET any -> [103.51.110.5] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199368; rev:1;) alert tcp $HOME_NET any -> [152.32.133.68] 8088 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199369; rev:1;) alert tcp $HOME_NET any -> [158.247.202.188] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199370; rev:1;) alert tcp $HOME_NET any -> [207.148.120.140] 993 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199371; rev:1;) alert tcp $HOME_NET any -> [158.247.202.188] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199372; rev:1;) alert tcp $HOME_NET any -> [103.43.19.239] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199373; rev:1;) alert tcp $HOME_NET any -> [45.77.244.237] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199374; rev:1;) alert tcp $HOME_NET any -> [158.247.241.217] 18443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199375; rev:1;) alert tcp $HOME_NET any -> [158.247.241.217] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199376; rev:1;) alert tcp $HOME_NET any -> [104.194.129.178] 44444 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"showmoreresultonliner.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sftp.noheroway.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199379; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199306; rev:1;) alert tcp $HOME_NET any -> [118.99.29.173] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199307; rev:1;) alert tcp $HOME_NET any -> [13.229.238.49] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199308; rev:1;) alert tcp $HOME_NET any -> [43.229.112.202] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199309; rev:1;) alert tcp $HOME_NET any -> [38.47.116.103] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199310; rev:1;) alert tcp $HOME_NET any -> [185.189.241.208] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199311; rev:1;) alert tcp $HOME_NET any -> [103.135.33.254] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199312; rev:1;) alert tcp $HOME_NET any -> [43.136.245.27] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199313; rev:1;) alert tcp $HOME_NET any -> [45.76.219.71] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199314; rev:1;) alert 
tcp $HOME_NET any -> [78.141.208.113] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199316; rev:1;) alert tcp $HOME_NET any -> [13.229.238.49] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199315; rev:1;) alert tcp $HOME_NET any -> [185.189.241.155] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199317; rev:1;) alert tcp $HOME_NET any -> [47.242.189.104] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199318; rev:1;) alert tcp $HOME_NET any -> [18.163.46.232] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199319; rev:1;) alert tcp $HOME_NET any -> [101.36.106.114] 12345 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199320/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199320; rev:1;) alert tcp $HOME_NET any -> [20.2.65.28] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199321; rev:1;) alert tcp $HOME_NET any -> [156.234.169.19] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199322; rev:1;) alert tcp $HOME_NET any -> [18.163.46.232] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199323; rev:1;) alert tcp $HOME_NET any -> [43.229.112.206] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199324; rev:1;) alert tcp $HOME_NET any -> [38.47.220.85] 12345 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199325; rev:1;) alert tcp $HOME_NET any -> [18.163.46.232] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199326; rev:1;) alert tcp $HOME_NET any -> [47.242.189.104] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199327; rev:1;) alert tcp $HOME_NET any -> [8.130.46.30] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199328; rev:1;) alert tcp $HOME_NET any -> [154.204.24.246] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199329; rev:1;) alert tcp $HOME_NET any -> [45.74.6.240] 21 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199305; rev:1;) alert tcp $HOME_NET any -> [185.189.241.155] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199303; rev:1;) alert tcp $HOME_NET any -> [45.32.148.180] 443 (msg:"ThreatFox 
PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199304; rev:1;) alert tcp $HOME_NET any -> [94.103.93.33] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199287; rev:1;) alert tcp $HOME_NET any -> [103.214.68.60] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199288; rev:1;) alert tcp $HOME_NET any -> [91.103.252.114] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199285; rev:1;) alert tcp $HOME_NET any -> [94.103.88.64] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199286; rev:1;) alert tcp $HOME_NET any -> [91.92.246.197] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; 
classtype:trojan-activity; sid:91199283; rev:1;) alert tcp $HOME_NET any -> [91.103.252.109] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199284; rev:1;) alert tcp $HOME_NET any -> [68.67.203.43] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199281; rev:1;) alert tcp $HOME_NET any -> [77.91.76.6] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199282; rev:1;) alert tcp $HOME_NET any -> [119.29.225.72] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199330; rev:1;) alert tcp $HOME_NET any -> [8.212.149.44] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199331; rev:1;) alert tcp $HOME_NET any -> [154.204.24.242] 65000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199332; rev:1;) alert tcp $HOME_NET any -> [112.121.187.182] 12345 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199333; rev:1;) alert tcp $HOME_NET any -> [149.104.22.138] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199334; rev:1;) alert tcp $HOME_NET any -> [113.160.186.153] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199336; rev:1;) alert tcp $HOME_NET any -> [156.234.211.149] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199337; rev:1;) alert tcp $HOME_NET any -> [43.231.113.62] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199338; rev:1;) alert tcp $HOME_NET any -> [64.176.7.223] 80 (msg:"ThreatFox Raccoon botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199280; rev:1;) alert tcp $HOME_NET any -> [5.181.159.13] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199278; rev:1;) alert tcp $HOME_NET any -> [38.180.70.181] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199279; rev:1;) alert tcp $HOME_NET any -> [146.70.106.36] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199289; rev:1;) alert tcp $HOME_NET any -> [176.113.115.213] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199290; rev:1;) alert tcp $HOME_NET any -> [185.39.18.228] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; 
sid:91199291; rev:1;) alert tcp $HOME_NET any -> [185.236.228.34] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199292; rev:1;) alert tcp $HOME_NET any -> [195.10.205.31] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199293; rev:1;) alert tcp $HOME_NET any -> [212.237.217.137] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199294; rev:1;) alert tcp $HOME_NET any -> [149.104.22.138] 21 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199341; rev:1;) alert tcp $HOME_NET any -> [80.240.28.192] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199339; rev:1;) alert tcp $HOME_NET any -> [47.242.189.104] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199340; rev:1;) alert tcp $HOME_NET any -> [172.111.233.249] 8443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199343; rev:1;) alert tcp $HOME_NET any -> [107.173.63.250] 53 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199342; rev:1;) alert tcp $HOME_NET any -> [46.17.103.152] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199348; rev:1;) alert tcp $HOME_NET any -> [216.128.177.23] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199350; rev:1;) alert tcp $HOME_NET any -> [146.185.219.33] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199351; rev:1;) alert tcp $HOME_NET any -> [165.154.227.192] 80 (msg:"ThreatFox ShadowPad botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199352; rev:1;) alert tcp $HOME_NET any -> [109.248.206.153] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efmdwkmwkq.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"raymonddixon.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199347; rev:1;) alert tcp $HOME_NET any -> [210.204.137.38] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199344/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199344; rev:1;) alert tcp $HOME_NET any -> [122.51.46.61] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199302/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199302; rev:1;) alert tcp $HOME_NET any -> [79.130.51.242] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199301/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199301; rev:1;) alert tcp $HOME_NET any -> [102.113.96.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199300/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199300; rev:1;) alert tcp $HOME_NET any -> [105.108.241.208] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199298/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199298; rev:1;) alert tcp $HOME_NET any -> [105.108.241.208] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199299/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199299; rev:1;) alert tcp $HOME_NET any -> [14.19.159.171] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199297/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199297; rev:1;) alert tcp $HOME_NET any -> [192.52.166.233] 3993 (msg:"ThreatFox 
BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199296/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199296; rev:1;) alert tcp $HOME_NET any -> [54.168.147.222] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199295/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_06; classtype:trojan-activity; sid:91199295; rev:1;) alert tcp $HOME_NET any -> [107.174.253.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199276/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"yop918kiss.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/minlen.php"; depth:18; nocase; http.host; content:"andreeasasser.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"andreeasasser.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/111.php"; depth:8; nocase; http.host; content:"addisonlynch.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199273; rev:1;) alert tcp $HOME_NET any -> [185.163.47.243] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_06; classtype:trojan-activity; sid:91199275; rev:1;) alert tcp $HOME_NET any -> [184.73.185.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199270/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_06; classtype:trojan-activity; sid:91199270; rev:1;) alert tcp $HOME_NET any -> [136.243.151.123] 
1234 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nord.exe"; depth:9; nocase; http.host; content:"136.243.151.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199266; rev:1;) alert tcp $HOME_NET any -> [106.15.45.89] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199265; rev:1;) alert tcp $HOME_NET any -> [156.224.24.144] 15443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199264; rev:1;) alert tcp $HOME_NET any -> [23.94.2.170] 9870 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199263; rev:1;) alert tcp $HOME_NET any -> [140.246.72.2] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199262; rev:1;) alert tcp $HOME_NET any -> [47.97.6.61] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199261; rev:1;) alert tcp $HOME_NET any -> [47.115.201.46] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199260/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prometheus.clubpro.space"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199259/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwn.safetygarden.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199258/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199258; rev:1;) alert tcp $HOME_NET any -> [16.170.253.123] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; 
classtype:trojan-activity; sid:91199257; rev:1;) alert tcp $HOME_NET any -> [138.59.198.231] 5900 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199256; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 119 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199255/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199255; rev:1;) alert tcp $HOME_NET any -> [186.102.163.66] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199254/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199254; rev:1;) alert tcp $HOME_NET any -> [197.246.199.238] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199253/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199253; rev:1;) alert tcp $HOME_NET any -> [147.50.253.15] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199252/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199252; rev:1;) alert tcp $HOME_NET any -> [211.149.226.68] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1199251/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"jaimemcgee.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199250; rev:1;) alert tcp $HOME_NET any -> [154.247.17.83] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199249/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91199249; rev:1;) alert tcp $HOME_NET any -> [2.88.154.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199248/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91199248; rev:1;) alert tcp $HOME_NET any -> [102.156.106.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199247/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91199247; rev:1;) alert tcp $HOME_NET any -> [54.171.28.181] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199246/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; 
classtype:trojan-activity; sid:91199246; rev:1;) alert tcp $HOME_NET any -> [35.88.175.159] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199245/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91199245; rev:1;) alert tcp $HOME_NET any -> [31.13.195.125] 10443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199243/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91199243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iran-hhs.fartit.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199238/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsh.vizvaz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsjd.faqserv.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199240/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"adlwh.itsaol.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199241/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlddf.dns05.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199242/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlddf.dns05.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlsjd.faqserv.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlwh.itsaol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; 
sid:91199236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iran-hhs.fartit.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlsh.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199234; rev:1;) alert tcp $HOME_NET any -> [43.155.161.152] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199232/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_05; classtype:trojan-activity; sid:91199232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"211.159.173.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199231/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"120.79.225.52"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199230; rev:1;) alert tcp $HOME_NET any -> [68.183.4.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/training-beacon"; depth:16; nocase; http.host; content:"142.93.143.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.139.185.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"45.76.160.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.12.84.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199225; rev:1;) alert tcp $HOME_NET any -> [121.37.135.169] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199224/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199224; rev:1;) alert tcp $HOME_NET any -> [150.158.50.177] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199223/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199223; rev:1;) alert tcp $HOME_NET any -> [135.125.21.39] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199222/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199222; rev:1;) alert tcp $HOME_NET any -> [206.188.196.49] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199213/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_05; classtype:trojan-activity; sid:91199213; rev:1;) alert tcp $HOME_NET any -> [192.227.158.38] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1199211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199211; rev:1;) alert tcp $HOME_NET any -> [192.227.158.38] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vpn977472420.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlihh.itsaol.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adliir.vizvaz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"i-iran.itsaol.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; 
sid:91199196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlrs.dns05.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rogers-returndata.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iranda.mrbasic.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlggs.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adliris.faqserv.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"adsqe.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adllsg.mrface.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adirir.itsaol.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlio.vizvaz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eblaghs.fartit.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsgh.mrbonus.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1199207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahadl.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahadl.fartit.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlihh.itsaol.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"eblaghs.fartit.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlsgh.mrbonus.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlio.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adllsg.mrface.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adirir.itsaol.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; 
content:"adliris.faqserv.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adsqe.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlggs.fartit.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlrs.dns05.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iranda.mrbasic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199184/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_05; classtype:trojan-activity; sid:91199184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"i-iran.itsaol.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adliir.vizvaz.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199181; rev:1;) alert tcp $HOME_NET any -> [106.12.174.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199180; rev:1;) alert tcp $HOME_NET any -> [107.189.14.20] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199178; rev:1;) alert tcp $HOME_NET any -> [119.45.250.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199179/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_05; classtype:trojan-activity; sid:91199179; rev:1;) alert tcp $HOME_NET any -> [43.138.172.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199177; rev:1;) alert tcp $HOME_NET any -> [43.138.172.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199176; rev:1;) alert tcp $HOME_NET any -> [178.211.139.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199175/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199175; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199174/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199174; rev:1;) alert tcp $HOME_NET any -> [154.40.45.92] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199173; rev:1;) alert tcp $HOME_NET any -> [60.204.168.241] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199171; rev:1;) alert tcp $HOME_NET any -> [20.94.177.31] 8639 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199172; rev:1;) alert tcp $HOME_NET any -> [103.38.83.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199170; rev:1;) alert tcp $HOME_NET any -> [43.128.85.89] 3344 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199169; rev:1;) alert tcp $HOME_NET any -> [103.242.3.165] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199168; rev:1;) alert tcp $HOME_NET any -> [91.92.246.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199167; rev:1;) 
alert tcp $HOME_NET any -> [58.53.128.27] 40051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199166; rev:1;) alert tcp $HOME_NET any -> [47.120.37.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199165; rev:1;) alert tcp $HOME_NET any -> [116.204.26.216] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199164; rev:1;) alert tcp $HOME_NET any -> [49.232.214.202] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199162; rev:1;) alert tcp $HOME_NET any -> [118.25.42.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sunwu.world"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1199160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199160; rev:1;) alert tcp $HOME_NET any -> [8.222.155.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-192-20-216.eu-central-1.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.clubpro.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199158; rev:1;) alert tcp $HOME_NET any -> [8.212.6.144] 35002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.clubpro.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; 
classtype:trojan-activity; sid:91199157; rev:1;) alert tcp $HOME_NET any -> [47.113.220.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.loadbalance-akamai.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-144-113-139.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199153; rev:1;) alert tcp $HOME_NET any -> [121.62.16.112] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199152/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_05; classtype:trojan-activity; sid:91199152; rev:1;) alert tcp $HOME_NET any -> [189.129.231.30] 2303 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199151; rev:1;) alert tcp $HOME_NET any -> [189.129.231.30] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199150; rev:1;) alert tcp $HOME_NET any -> [189.129.231.30] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199149; rev:1;) alert tcp $HOME_NET any -> [189.129.231.30] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199148; rev:1;) alert tcp $HOME_NET any -> [189.129.231.30] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199147; rev:1;) alert tcp $HOME_NET any -> [189.129.231.30] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ts.bagelswap.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199145/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_05; classtype:trojan-activity; sid:91199145; rev:1;) alert tcp $HOME_NET any -> [94.156.68.178] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199144; rev:1;) alert tcp $HOME_NET any -> [171.250.185.235] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199143; rev:1;) alert tcp $HOME_NET any -> [161.129.40.95] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199142; rev:1;) alert tcp $HOME_NET any -> [20.92.38.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199141; rev:1;) alert tcp $HOME_NET any -> [157.245.23.86] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199140; rev:1;) alert tcp $HOME_NET any -> [85.209.176.26] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199139; rev:1;) alert tcp $HOME_NET any -> [154.245.216.63] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xbhdabss.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199137; rev:1;) alert tcp $HOME_NET any -> [91.109.186.2] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199136; rev:1;) alert tcp $HOME_NET any -> [81.214.77.85] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intclientpage.co"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199133; 
rev:1;) alert tcp $HOME_NET any -> [81.214.77.85] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199134; rev:1;) alert tcp $HOME_NET any -> [91.92.243.216] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abb-bank.wiki"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"babacloud.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u6vhsc3ppq/index.php"; depth:21; nocase; http.host; content:"185.172.128.100"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199078; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"zoolboues.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efmdwkmwk.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199058; rev:1;) alert tcp $HOME_NET any -> [109.248.206.122] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"150.158.13.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.224.188.139"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1199129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.monolthicpower.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199128; rev:1;) alert tcp $HOME_NET any -> [194.33.191.60] 44675 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199127; rev:1;) alert tcp $HOME_NET any -> [163.197.211.60] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199126/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowlongpolltest.php"; depth:20; nocase; http.host; content:"host1835875.hostland.pro"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199125; rev:1;) alert tcp $HOME_NET any -> [188.166.78.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199124/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/training-beacon"; depth:16; nocase; http.host; content:"142.93.140.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"1.12.69.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199121; rev:1;) alert tcp $HOME_NET any -> [1.12.69.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.92.146.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/updates"; depth:8; nocase; http.host; content:"47.94.43.210"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.172.128.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"118.24.128.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199117; rev:1;) alert tcp $HOME_NET any -> [3.133.164.208] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199116/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199115; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"150.158.50.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199114; rev:1;) alert tcp $HOME_NET any -> [58.53.128.27] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.zhaoyr.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnm.n0reply.eu.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199110; rev:1;) alert tcp $HOME_NET any -> [122.10.118.19] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199111; rev:1;) alert tcp $HOME_NET any -> [172.93.165.117] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.beta-microsoft.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.beta-microsoft.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199107; rev:1;) alert tcp $HOME_NET any -> [3.145.13.69] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"extreme.enove-dental.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199105; rev:1;) alert tcp $HOME_NET any -> [54.87.220.26] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199104/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199104; rev:1;) alert tcp $HOME_NET any -> [45.141.57.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199103/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199103; rev:1;) alert tcp $HOME_NET any -> [104.243.32.65] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199102/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alureza.nl"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"iran-hk.mrface.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin/"; depth:6; nocase; http.host; content:"alureza.nl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199099/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin/log.php"; depth:13; nocase; http.host; content:"alureza.nl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin/web.txt"; depth:13; nocase; http.host; content:"alureza.nl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"10.127.255.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drnull.ngrok.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drnull.ngrok.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1002043555897"; depth:22; nocase; http.host; content:"drnull.ngrok.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199093/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002043555897"; depth:19; nocase; http.host; content:"drnull.ngrok.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199092/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002043555897"; depth:19; nocase; http.host; content:"drnull.ngrok.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/"; depth:7; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1199090/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/log.php"; depth:14; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/web.txt"; depth:14; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199088; rev:1;) alert tcp $HOME_NET any -> [37.255.148.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199087/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"iran-hh.dns05.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"gr1.apkyrm.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apkyrm.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/"; depth:8; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/web.txt"; depth:15; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; 
sid:91199080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/log.php"; depth:15; nocase; http.host; content:"gr1.apkyrm.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001921881932"; depth:22; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001921881932"; depth:19; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.php"; depth:8; nocase; http.host; content:"asl.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/"; depth:4; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/web.txt"; depth:11; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/phone.txt"; depth:13; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/log.php"; depth:11; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1199068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199068; rev:1;)
# NOTE(review): the dns_query content is anchored by depth:15 plus isdataat:!1,relative, so only a
# lookup for exactly "remotiss.online" fires; queries for subdomains (e.g. www.remotiss.online) do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remotiss.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199069; rev:1;)
# The http.uri match below is a prefix match (depth only, no isdataat after the URI content), so this
# rule also fires on every /remot/... request that the more specific sids that follow cover; expect
# more than one alert per request to this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/"; depth:7; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/contact.php"; depth:18; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199066; rev:1;)
# Duplicate detection: sid:91199065 has the same method, URI and host match as sid:91199066 directly
# above (only the upstream IOC id differs), so both fire on the same request. Keep one if alert
# volume matters; the ThreatFox references 1199065 and 1199066 both point at this URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/contact.php"; depth:18; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/id.txt"; depth:13; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/requests.php"; depth:19; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/sms.php"; depth:14; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199062; rev:1;)
# Duplicate detection: sid:91199061 has the same method, URI and host match as sid:91199062 directly
# above (only the upstream IOC id differs), so both fire on the same request. Keep one if alert
# volume matters; the ThreatFox references 1199061 and 1199062 both point at this URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remot/sms.php"; depth:14; nocase; http.host; content:"remotiss.online"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e9c345fc99a4e67e.php"; depth:21; nocase; 
http.host; content:"robertjohnson.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blord/"; depth:7; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blord/web.txt"; depth:14; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blord/log.php"; depth:14; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/"; depth:4; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199054/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_05; classtype:trojan-activity; sid:91199054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/log.php"; depth:11; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/un/web.txt"; depth:11; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view.php"; depth:9; nocase; http.host; content:"asdw.mynetav.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ano/"; depth:5; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ano/phone.txt"; depth:14; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ano/log.php"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ano/web.txt"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199047; rev:1;)
# NOTE(review): exact-name DNS match (depth:13 + isdataat:!1,relative); lookups of subdomains of
# cvtuiox.cloud do not fire this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cvtuiox.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1199046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199046; rev:1;)
# content:"/" with depth:1 matches any HTTP URI, so despite the "url" label this rule is effectively
# a host-only match: every GET whose Host header is exactly cvtuiox.cloud fires, including the
# /mmd/... requests that also have their own sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cvtuiox.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199045/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmd/"; depth:5; nocase; http.host; content:"cvtuiox.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmd/info.php"; depth:13; nocase; http.host; content:"cvtuiox.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tools/mmd.json"; depth:15; nocase; http.host; content:"xdpanel.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmd/grape.php"; depth:14; nocase; http.host; content:"cvtuiox.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmd/strawberry.php"; depth:19; nocase; http.host; content:"cvtuiox.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199040; rev:1;) alert tcp $HOME_NET any -> [125.60.95.154] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1199039/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91199039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.php"; depth:8; nocase; http.host; content:"adqq.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eric/"; depth:6; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eric/web.txt"; depth:13; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199036/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eric/phone.txt"; depth:15; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eric/log.php"; depth:13; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sal/"; depth:5; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sal/log.php"; depth:12; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sal/web.txt"; depth:12; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnt/"; depth:5; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnt/log.php"; depth:12; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tnt/web.txt"; depth:12; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/web.txt"; depth:15; nocase; 
http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199027/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/phone.txt"; depth:17; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/"; depth:8; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arslan/log.php"; depth:15; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sou/"; depth:5; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199023/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_05; classtype:trojan-activity; sid:91199023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sou/phone.txt"; depth:14; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199022/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sou/web.txt"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sou/log.php"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hasan/web.txt"; depth:14; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hasan/"; depth:7; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199019/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hasan/log.php"; depth:14; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pou/"; depth:5; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pou/log.php"; depth:12; nocase; http.host; content:"safe.fogreir.fun"; 
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pou/web.txt"; depth:12; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"ladl.isasecret.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sina/"; depth:6; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sina/log.php"; depth:13; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; 
classtype:trojan-activity; sid:91199010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sina/web.txt"; depth:13; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sina/phone.txt"; depth:15; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/"; depth:8; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001970496616"; depth:22; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001970496616"; depth:19; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arshaya/web.txt"; depth:16; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arshaya/phone.txt"; depth:18; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arshaya/log.php"; depth:16; nocase; http.host; 
content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199001; rev:1;)
#
# ThreatFox-exported IOC rules (see the file header). Conventions that hold for every rule below:
#   - sid is the digit 9 followed by the ThreatFox IOC id; the reference URL is that IOC's record.
#   - metadata confidence_level repeats the feed's own confidence for the IOC (50/75/80/100 here).
#   - target:src_ip marks the $HOME_NET endpoint as the affected host in the alert.
#
# URL rules: the http.uri content carries a depth anchor but no isdataat end-anchor, so it is a
# case-insensitive *prefix* match on the request URI; the http.host content is end-anchored
# (isdataat:!1,relative) and therefore an exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arshaya"; depth:8; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1199000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91199000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"asd.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/may/log.php"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/may/phone.txt"; depth:14; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/may/web.txt"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198996; rev:1;)
#
# ip:port rules: there is no flow keyword and no payload match, so any packet from $HOME_NET toward the
# listed address:port matches (an unanswered connection attempt is enough); the threshold limits this to
# one alert per source IP per 60 s per rule. Because only the address is checked, a listed IP that is
# later re-assigned or shared will alert on benign traffic as well.
# NOTE(review): the 50% entries are the feed's lowest-fidelity tier -- consider requiring extra context
# before blocking on them rather than treating all tiers alike.
alert tcp $HOME_NET any -> [45.66.216.108] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198995/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin/log.php"; depth:13; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin/web.txt"; depth:13; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin/phone.txt"; depth:15; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198992; rev:1;)
# "/amin" is a prefix match (no end anchor on http.uri), so this rule also fires on the /amin/log.php,
# /amin/web.txt and /amin/phone.txt requests already covered by sids 91198994-91198992: those requests
# produce two alerts each unless one side is suppressed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amin"; depth:5; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198991; rev:1;)
alert tcp $HOME_NET any -> [35.202.76.152] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198990/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198990; rev:1;)
#
# dns_query rules: depth:<len> plus isdataat:!1,relative make this an exact, case-insensitive match on
# the full queried name; a query for a subdomain of the listed name (e.g. "www.<name>") does not match.
# The header is $HOME_NET -> $EXTERNAL_NET, so where clients use an internal resolver that sits in
# $HOME_NET only the resolver's upstream query can match, and target:src_ip then names the resolver
# rather than the infected client. NOTE(review): confirm against the sensor's placement.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sfc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198982; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdt.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iran-hh.dns05.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iran-hk.mrface.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198985; rev:1;)
#
# Android payload delivery: the same "/saham.apk" (or "/app.apk") path recurs across many hosts in this
# feed, one rule per host, so a new host serving the same file is not covered until ThreatFox adds it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iran-hh.dns05.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iran-hk.mrface.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"sfc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdt.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198979; rev:1;)
#
# content:"/"; depth:1 matches any GET whose request URI begins with "/", i.e. effectively every GET to
# the listed host -- detection in these three rules rests on the http.host match alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"176.113.115.213"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.10.205.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_05; classtype:trojan-activity; sid:91198960; rev:1;)
alert tcp $HOME_NET any -> [154.12.84.90] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198977/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198977; rev:1;)
alert tcp $HOME_NET any -> [103.144.240.21] 6699 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198976/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198976; rev:1;)
alert tcp $HOME_NET any -> [37.6.55.225] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198975/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198975; rev:1;)
alert tcp $HOME_NET any -> [167.56.65.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198974/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198974; rev:1;)
alert tcp $HOME_NET any -> [176.44.107.223] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198973/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198973; rev:1;)
alert tcp $HOME_NET any -> [154.247.17.83] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198972/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198972; rev:1;)
# Outbound TCP/445 from $HOME_NET to the Internet is notable regardless of destination; this rule covers
# only the one listed address, so it is no substitute for a perimeter block on the port.
alert tcp $HOME_NET any -> [138.68.148.102] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198971/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198971; rev:1;)
alert tcp $HOME_NET any -> [149.154.158.34] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198970/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_05; classtype:trojan-activity; sid:91198970; rev:1;)
alert tcp $HOME_NET any -> [163.5.215.221] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198969/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198969; rev:1;)
alert tcp $HOME_NET any -> [147.50.253.211] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198968/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198968; rev:1;)
alert tcp $HOME_NET any -> [3.93.178.106] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198967/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198967; rev:1;)
alert tcp $HOME_NET any -> [139.196.124.207] 6667 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198966/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198966; rev:1;)
alert tcp $HOME_NET any -> [37.255.148.139] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198965/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198965; rev:1;)
alert tcp $HOME_NET any -> [47.241.79.18] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198964/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198964; rev:1;)
# NOTE(review): 50050 is commonly the Cobalt Strike team-server management port rather than a beacon
# listener -- check the IOC record before treating a hit here as beacon C2 from a host.
alert tcp $HOME_NET any -> [101.37.20.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198963/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198963; rev:1;)
alert tcp $HOME_NET any -> [1.163.31.7] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198962/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198962; rev:1;)
alert tcp $HOME_NET any -> [194.49.94.45] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198961/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_05; classtype:trojan-activity; sid:91198961; rev:1;)
alert tcp $HOME_NET any -> [13.233.144.66] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198958/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"42.123.125.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198957; rev:1;)
alert tcp $HOME_NET any -> [54.38.116.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198956/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198956; rev:1;)
alert tcp $HOME_NET any -> [146.59.220.235] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198955/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198955; rev:1;)
alert tcp $HOME_NET any -> [45.155.249.38] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198954/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"3ol33lgbrvyjk3d.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"4m9q0m87vnmx0d1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"3ol33lgbrvyjk3d.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"4m9q0m87vnmx0d1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"uran.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iran-hj.fartit.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198944/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iran-ha.isasecret.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iran-hj.fartit.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iran-ha.isasecret.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"uran.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198940; rev:1;)
alert tcp $HOME_NET any -> [194.61.120.19] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198939/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198939; rev:1;)
alert tcp $HOME_NET any -> [88.99.214.170] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198938/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198938; rev:1;)
alert tcp $HOME_NET any -> [184.174.39.43] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198937/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198937; rev:1;)
alert tcp $HOME_NET any -> [45.61.137.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198936/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198936; rev:1;)
alert tcp $HOME_NET any -> [206.188.197.206] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198931/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_04; classtype:trojan-activity; sid:91198931; rev:1;)
alert tcp $HOME_NET any -> [206.188.197.52] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198930/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_04; classtype:trojan-activity; sid:91198930; rev:1;)
alert tcp $HOME_NET any -> [172.86.75.66] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198929/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_04; classtype:trojan-activity; sid:91198929; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.236] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.61.138.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enginetools.zip"; depth:16; nocase; http.host; content:"moussedanslabouche.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198574; rev:1;)
alert tcp $HOME_NET any -> [194.180.48.149] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"oluaskaz.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198623; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.173] 8082 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198904/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198904; rev:1;)
alert tcp $HOME_NET any -> [18.230.74.51] 4318 (msg:"ThreatFox Grandoreiro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198925; rev:1;)
alert tcp $HOME_NET any -> [18.230.74.51] 4899 (msg:"ThreatFox Grandoreiro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remember-and.forgot.her.name"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198928; rev:1;)
alert tcp $HOME_NET any -> [24.148.23.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198924/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198924; rev:1;)
alert tcp $HOME_NET any -> [102.156.156.73] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198923/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198923; rev:1;)
alert tcp $HOME_NET any -> [197.14.72.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198922/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198922; rev:1;)
alert tcp $HOME_NET any -> [121.121.101.31] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198921/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198921; rev:1;)
alert tcp $HOME_NET any -> [85.96.53.119] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198920/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198920; rev:1;)
alert tcp $HOME_NET any -> [185.198.122.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198919/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198919; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.64] 4814 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198918/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198918; rev:1;)
alert tcp $HOME_NET any -> [91.102.162.229] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198917/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198917; rev:1;)
alert tcp $HOME_NET any -> [54.168.147.222] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198916/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198916; rev:1;)
alert tcp $HOME_NET any -> [194.49.94.53] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198915/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cvm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cdf.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cfv.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"iran-hg.itsaol.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iran-hg.itsaol.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cfv.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cvm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdf.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.100.190.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198905; rev:1;)
alert tcp $HOME_NET any -> [135.181.11.40] 1928 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"dnc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adsqq.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bec.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahgs.faqserv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"efc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahdm.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ced.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahdm.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bec.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahgs.faqserv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dnc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adsqq.vizvaz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198896; rev:1;)
alert tcp $HOME_NET any -> [114.132.74.172] 8868 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198889/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198889; rev:1;)
alert tcp $HOME_NET any -> [154.8.144.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198888; rev:1;)
alert tcp $HOME_NET any -> [123.60.88.219] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198887/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198887; rev:1;) alert tcp $HOME_NET any -> [60.204.249.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198886; rev:1;) alert tcp $HOME_NET any -> [156.232.11.248] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198885; rev:1;) alert tcp $HOME_NET any -> [47.108.227.145] 10002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198884; rev:1;) alert tcp $HOME_NET any -> [150.230.210.243] 58501 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198883; rev:1;) alert tcp $HOME_NET any -> [161.35.168.216] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198882; rev:1;) alert tcp $HOME_NET any -> [199.167.138.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198880; rev:1;) alert tcp $HOME_NET any -> [78.85.17.88] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198881; rev:1;) alert tcp $HOME_NET any -> [185.172.128.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198879; rev:1;) alert tcp $HOME_NET any -> [45.15.157.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198878; rev:1;) alert tcp $HOME_NET any -> [46.28.93.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198876; rev:1;) alert tcp $HOME_NET any -> [47.113.225.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; 
classtype:trojan-activity; sid:91198877; rev:1;) alert tcp $HOME_NET any -> [110.41.136.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richprodusa.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198874; rev:1;) alert tcp $HOME_NET any -> [195.123.233.126] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198873; rev:1;) alert tcp $HOME_NET any -> [217.195.197.188] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ts.bagelswap.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198871; rev:1;) alert tcp $HOME_NET any -> [199.127.60.151] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198870; rev:1;) alert tcp $HOME_NET any -> [171.250.185.235] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198869; rev:1;) alert tcp $HOME_NET any -> [74.48.60.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198868; rev:1;) alert tcp $HOME_NET any -> [20.102.192.219] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198867; rev:1;) alert tcp $HOME_NET any -> [52.188.84.174] 3000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198866; rev:1;) alert tcp $HOME_NET any -> [139.99.80.193] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; 
sid:91198865; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198864; rev:1;) alert tcp $HOME_NET any -> [185.81.157.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198863; rev:1;) alert tcp $HOME_NET any -> [107.172.76.170] 1982 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198862; rev:1;) alert tcp $HOME_NET any -> [91.92.240.157] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"172-232-123-21.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"35.178.199.73.c.hossted.com"; 
depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198859; rev:1;) alert tcp $HOME_NET any -> [194.49.94.53] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198858; rev:1;) alert tcp $HOME_NET any -> [41.140.148.78] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198857/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198857; rev:1;) alert tcp $HOME_NET any -> [3.65.147.35] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198856/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upgrade.zip"; depth:12; nocase; http.host; content:"195.201.255.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198854/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198854; rev:1;) alert tcp $HOME_NET any -> [195.201.255.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198855/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.255.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198853/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getfiles.zip"; depth:13; nocase; http.host; content:"157.90.152.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getfiles.zip"; depth:13; nocase; http.host; content:"195.201.34.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198852/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198852; rev:1;) alert tcp $HOME_NET any -> [45.137.22.229] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198850; rev:1;) alert tcp $HOME_NET any -> [51.222.230.191] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198849/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198849; rev:1;) alert tcp $HOME_NET any -> [216.238.116.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198848/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198848; rev:1;) alert tcp $HOME_NET any -> [149.248.79.55] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198847/; target:src_ip; metadata: confidence_level 60, first_seen 2023_11_04; classtype:trojan-activity; sid:91198847; rev:1;) alert tcp $HOME_NET any -> [152.136.165.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198846/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahmbe.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198840; rev:1;) 
# --- Domain IOCs (sids 91198841-91198844): four hosts under the same parent zone faqserv.com ---
# Match shape: dns_query buffer, content anchored at offset 0 (depth == content length) and
# terminated by isdataat:!1,relative, so each rule fires only on a query for that exact FQDN
# (a query for a deeper label such as www.smc.faqserv.com does NOT match). nocase covers
# mixed-case queries. Direction is $HOME_NET -> $EXTERNAL_NET: if clients resolve through an
# internal resolver that sits inside $HOME_NET, the client's own query is not seen here and
# target:src_ip will point at the resolver rather than the infected host - confirm for your
# deployment. Companion URL rules for these hosts (GET /saham.apk) are sids 91198833-91198837.
# NOTE(review): these look like dynamic-DNS style subdomains; blocking the parent zone instead
# of the listed FQDNs would be overbroad - keep the exact-host matches.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smv.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198842; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cbt.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198843; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"csn.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198844; rev:1;)
# --- ip:port IOCs (sids 91198838/91198839): IRATA payload host 75.127.11.213 on 80 and 443 ---
# There is no content match and no flow keyword, so any TCP packet from $HOME_NET toward that
# ip:port fires - including a bare SYN or a scanner probe, not only an established session.
# threshold: type limit, track by_src, seconds 60, count 1 caps this at one alert per internal
# source per minute. IP indicators decay: first_seen is 2023_11_04, so re-check the ThreatFox
# reference before turning an alert into a block, especially if the address is hosting-provider
# space that may have been reassigned.
alert tcp $HOME_NET any -> [75.127.11.213] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198838; rev:1;)
alert tcp $HOME_NET any -> [75.127.11.213] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"smb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"csn.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cbt.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"smv.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; 
sid:91198834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"smc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahmbe.fartit.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198832; rev:1;) alert tcp $HOME_NET any -> [198.23.227.149] 7575 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198825; rev:1;) alert tcp $HOME_NET any -> [20.201.94.57] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198810/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sites/eight/paid.php"; depth:21; nocase; http.host; content:"bagsrad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198809/; 
target:src_ip; metadata: confidence_level 75, first_seen 2023_11_04; classtype:trojan-activity; sid:91198809; rev:1;)
# --- sid 91198808 duplicates sid 91198809 (whose header is on the previous line) ---
# Both rules match the same request: GET, http.uri prefix "/sites/eight/paid.php", Host exactly
# "bagsrad.com". They differ only in the ThreatFox reference and confidence_level (75 vs 100), so
# a single hit raises two alerts. Keep one, or suppress the lower-confidence sid, to avoid
# double-counting in the SIEM.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sites/eight/paid.php"; depth:21; nocase; http.host; content:"bagsrad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198808; rev:1;)
# --- sid 91198768: URI match is "/" with depth:1 and no trailing isdataat:!1,relative ---
# Every request path starts with "/", so this is effectively "any GET to Host 195.10.205.31",
# not only the document root. That is broader than the msg suggests; fine for a dedicated C2
# address, but note the URI side of these url rules is a prefix match throughout this file -
# only the http.host side is anchored to an exact value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.10.205.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198768; rev:1;)
# --- Lower-confidence ip:port IOCs: Amadey at 50% (sid 91198767), Cobalt Strike at 80% (sid 91198766) ---
# No content match and no flow keyword: any TCP packet toward the ip:port fires, rate-limited
# to one alert per internal source per minute by the threshold. With confidence below 100 these
# are the most likely false positives in the feed; the metadata confidence_level field is the
# only hook for gating them (e.g. alert-only, or suppress below a chosen level) - verify the IOC
# against the ThreatFox reference before adding either address to a block list.
alert tcp $HOME_NET any -> [185.196.8.176] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198767/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198767; rev:1;)
alert tcp $HOME_NET any -> [120.46.68.71] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198766/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198766; rev:1;)
alert tcp $HOME_NET any -> [198.12.88.138] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198764/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198764; rev:1;) alert tcp $HOME_NET any -> [198.12.88.138] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zds.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asl.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.tfs.faqserv.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adldfs.isasecret.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adqq.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198752/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adfq-a.vizvaz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahaam.faqserv.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tfs.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahmk.mrface.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sah.vizvaz.com"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198757/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsm.itsaol.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adl-a.vizvaz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ladl.isasecret.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlr.mrbasic.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e-h-r-a-z-i-61.mynetav.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198762/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"azxs.vizvaz.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asdz.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adf-za.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asdz.faqserv.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dhh.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198728; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adq.mrbasic.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adfs.dns05.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asqs.itsaol.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adg.vizvaz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sghdaa.dns2.us"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlgs.vizvaz.com"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cas.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"402.isasecret.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asl.mrface.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asdw.mynetav.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsg.mrface.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198739/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad-cx.mrface.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahmsa.dns05.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adffs.faqserv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adl-shm.faqserv.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asw.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198744; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsfa.mynetav.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsh.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsa.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsg.dns05.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198700/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aslqqq.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198701/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad-ird.itsaol.com"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198702/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adfs.mrface.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198703/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahmanb.dns05.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198704/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adsqe.mrbasic.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198705/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adls.mrface.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahmn.faqserv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198707/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlshq.mynetav.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198708/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asahm.itsaol.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198709/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad-irt.vizvaz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198710/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahm.mrface.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198711/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsf.vizvaz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198712/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198712; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adsfs.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198713/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asn.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198714/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adle.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198715/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asldg.mrbasic.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198716/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahmns.mrbonus.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198717/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"csa.itsaol.com"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198718/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sahg.itsaol.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ir-az.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cpq.mrface.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlss.dns05.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adlsj.dns05.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198723/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"irhsh.faqserv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asd.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"variz.fartit.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad-ir.dns05.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198699/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"e-h-r-a-z-i-61.mynetav.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198695/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_04; classtype:trojan-activity; sid:91198695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"azxs.vizvaz.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlr.mrbasic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app1.apk"; depth:9; nocase; http.host; content:"adl-a.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"ladl.isasecret.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app1.apk"; depth:9; nocase; http.host; content:"dsm.itsaol.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198691/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sahamedalat.apk"; depth:16; nocase; http.host; content:"sah.vizvaz.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198690/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sahamedalat.apk"; depth:16; nocase; http.host; content:"sahmk.mrface.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198689/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahaam.faqserv.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198688/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adldfs.isasecret.com"; 
depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198686/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adqq.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198687/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"tfs.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198685/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"asl.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198684/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"zds.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198683/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; 
sid:91198683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlsh.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198681/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham1.apk"; depth:11; nocase; http.host; content:"dsa.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198682/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlsfa.mynetav.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198680/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asw.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adffs.faqserv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adl-shm.faqserv.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahmsa.dns05.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlsg.mrface.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"ad-cx.mrface.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1198675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"asdw.mynetav.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asl.mrface.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"402.isasecret.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlgs.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198669; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cas.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asqs.itsaol.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"dhh.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adq.mrbasic.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sahamedalat.apk"; depth:16; nocase; http.host; content:"asdz.faqserv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asdz.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlsj.dns05.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"irhsh.faqserv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adlss.dns05.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198661/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sahamedalat.apk"; depth:16; nocase; http.host; content:"cpq.mrface.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ir-az.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahg.itsaol.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahmns.mrbonus.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"csa.itsaol.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adle.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"asldg.mrbasic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asn.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; 
http.host; content:"adsfs.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlsf.vizvaz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asahm.itsaol.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahm.mrface.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adlshq.mynetav.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198648/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_04; classtype:trojan-activity; sid:91198648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahmn.faqserv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adls.mrface.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adsqe.mrbasic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sahmanb.dns05.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"ad-ird.itsaol.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adfs.mrface.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"dsg.dns05.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"variz.fartit.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ad-ir.dns05.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"asd.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"42.51.45.98"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.129.173.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"39.105.21.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198635; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.70.187.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198634; rev:1;) alert tcp $HOME_NET any -> [107.172.16.172] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198633/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"104.245.213.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"161.35.168.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.54.115.233"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"165.227.141.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.68.249.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198628/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.12.174.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/stream"; depth:11; nocase; http.host; content:"service-b7g5qx9l-1318401771.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; 
classtype:trojan-activity; sid:91198625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b7g5qx9l-1318401771.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.217.178.80"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"81.68.249.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"54.217.61.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"5.101.0.241"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"5.101.0.241"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198617; rev:1;) alert tcp $HOME_NET any -> [124.71.5.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"383f7cf1ffda442d90690ef402bfda02.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"383f7cf1ffda442d90690ef402bfda02.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; 
sid:91198615; rev:1;) alert tcp $HOME_NET any -> [183.165.35.133] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ymmxc.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"www.ymmxc.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.99.34.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198610/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"82.157.149.194"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1198609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198609; rev:1;) alert tcp $HOME_NET any -> [110.43.68.210] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198608/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198608; rev:1;) alert tcp $HOME_NET any -> [220.137.153.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198607/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"140.210.214.70"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; 
http.host; content:"39.100.84.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198604; rev:1;) alert tcp $HOME_NET any -> [5.42.77.121] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198603/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198603; rev:1;) alert tcp $HOME_NET any -> [18.219.108.95] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198602/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198602; rev:1;) alert tcp $HOME_NET any -> [45.137.155.89] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198601/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198601; rev:1;) alert tcp $HOME_NET any -> [47.113.148.14] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198600/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198600; rev:1;) alert tcp $HOME_NET any -> [58.217.193.45] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198599/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198599; rev:1;) 
alert tcp $HOME_NET any -> [47.91.89.136] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198598/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198598; rev:1;) alert tcp $HOME_NET any -> [117.52.115.212] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198597/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198597; rev:1;) alert tcp $HOME_NET any -> [95.179.141.41] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198596/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198596; rev:1;) alert tcp $HOME_NET any -> [23.95.233.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198595/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198595; rev:1;) alert tcp $HOME_NET any -> [103.209.129.193] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198594/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198594; rev:1;) alert tcp $HOME_NET any -> [101.34.229.123] 51111 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1198593/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198593; rev:1;) alert tcp $HOME_NET any -> [69.92.218.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198592/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198592; rev:1;) alert tcp $HOME_NET any -> [102.113.8.88] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198591/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198591; rev:1;) alert tcp $HOME_NET any -> [41.227.68.39] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198590/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198590; rev:1;) alert tcp $HOME_NET any -> [35.178.199.78] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198589/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198589; rev:1;) alert tcp $HOME_NET any -> [194.169.175.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198588/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198588; rev:1;) alert tcp $HOME_NET any -> [51.15.195.71] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198587/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198587; rev:1;) alert tcp $HOME_NET any -> [88.214.25.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198586/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198586; rev:1;) alert tcp $HOME_NET any -> [104.238.35.163] 2184 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198585/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198585; rev:1;) alert tcp $HOME_NET any -> [149.154.158.34] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198584/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198584; rev:1;) alert tcp $HOME_NET any -> [149.154.158.34] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198583/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198583; rev:1;) alert tcp $HOME_NET any -> [149.56.109.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198582/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198582; rev:1;) 
alert tcp $HOME_NET any -> [54.150.47.200] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198581/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_04; classtype:trojan-activity; sid:91198581; rev:1;) alert tcp $HOME_NET any -> [106.12.174.99] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198580/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"172.86.66.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"176.113.115.213"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198578/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198578; rev:1;) alert tcp $HOME_NET any -> [125.7.199.169] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198577/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198577; rev:1;) alert tcp $HOME_NET any -> 
[198.211.103.111] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198576/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198576; rev:1;) alert tcp $HOME_NET any -> [47.99.34.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198575/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nusaproble.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198573; rev:1;) alert tcp $HOME_NET any -> [43.140.208.17] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198572/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198572; rev:1;) alert tcp $HOME_NET any -> [1.12.69.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198571/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198571; rev:1;) alert tcp $HOME_NET any -> [51.222.106.173] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198569/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"172.245.95.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198568/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_04; classtype:trojan-activity; sid:91198568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1xoe"; depth:5; nocase; http.host; content:"172.245.95.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198567/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_04; classtype:trojan-activity; sid:91198567; rev:1;) alert tcp $HOME_NET any -> [206.71.149.81] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198566/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198566; rev:1;) alert tcp $HOME_NET any -> [146.59.102.99] 34470 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198565; rev:1;) alert tcp $HOME_NET any -> [180.235.137.45] 8773 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1198564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198564; rev:1;) alert tcp $HOME_NET any -> [163.5.215.177] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_04; classtype:trojan-activity; sid:91198563; rev:1;) alert tcp $HOME_NET any -> [51.222.230.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198562/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198562; rev:1;) alert tcp $HOME_NET any -> [106.15.235.168] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198561/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_04; classtype:trojan-activity; sid:91198561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vporanu.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198559; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 3399 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; 
classtype:trojan-activity; sid:91198558; rev:1;) alert tcp $HOME_NET any -> [147.50.253.108] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198557/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198557; rev:1;) alert tcp $HOME_NET any -> [91.206.14.228] 8989 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198556/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198556; rev:1;) alert tcp $HOME_NET any -> [101.43.45.243] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198555/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198555; rev:1;) alert tcp $HOME_NET any -> [107.175.111.199] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2018/12/29176388_"; depth:45; nocase; http.host; content:"139.144.113.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/owa/"; depth:15; nocase; http.host; content:"zhsq.ppctech.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhsq.ppctech.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198552; rev:1;) alert tcp $HOME_NET any -> [94.131.111.223] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198550/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198550; rev:1;) alert tcp $HOME_NET any -> [174.137.52.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198549/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198549; rev:1;) alert tcp $HOME_NET any -> [176.196.90.145] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198548/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198548; rev:1;) alert tcp $HOME_NET any -> [217.144.103.92] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198547/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198547; rev:1;) alert tcp $HOME_NET any -> [101.34.116.46] 13349 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198546; rev:1;) alert tcp $HOME_NET any -> [89.147.109.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198545/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_03; classtype:trojan-activity; sid:91198545; rev:1;) alert tcp $HOME_NET any -> [197.246.196.187] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198544; rev:1;) alert tcp $HOME_NET any -> [186.102.163.66] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198543; rev:1;) alert tcp $HOME_NET any -> [52.151.252.137] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198542; rev:1;) alert tcp 
$HOME_NET any -> [172.232.123.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198541; rev:1;) alert tcp $HOME_NET any -> [168.100.10.217] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198540/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198540; rev:1;) alert tcp $HOME_NET any -> [168.100.11.107] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198539/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"ad-irt.vizvaz.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mr/log.php"; depth:11; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mr/web.txt"; depth:11; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mr/phone.txt"; depth:13; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1002033294173"; depth:19; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1002033294173"; depth:22; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/temp/webviewengine.zip"; depth:23; nocase; http.host; content:"ingenieriainsitu.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198494; rev:1;) alert tcp $HOME_NET any -> [5.75.177.255] 23682 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001941112825"; depth:22; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"howtofixit.pw"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001941112825"; depth:19; nocase; http.host; content:"howtofixit.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198530; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"adf-za.fartit.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a-y.website"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/far/phone.txt"; depth:14; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/far/web.txt"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1198524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/far/log.php"; depth:12; nocase; http.host; content:"a-y.website"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ami/"; depth:5; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ami/web.txt"; depth:12; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ami/log.php"; depth:12; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198520; rev:1;) 
alert tcp $HOME_NET any -> [103.141.50.67] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198519/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198519; rev:1;) alert tcp $HOME_NET any -> [2.50.16.113] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198518/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198518; rev:1;) alert tcp $HOME_NET any -> [105.103.47.54] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198517/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198517; rev:1;) alert tcp $HOME_NET any -> [3.144.150.19] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198516/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198516; rev:1;) alert tcp $HOME_NET any -> [34.224.40.221] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198515/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198515; rev:1;) alert tcp $HOME_NET any -> [208.123.119.123] 5142 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198514/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victorishere.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001919722075"; depth:22; nocase; http.host; content:"victorishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001919722075"; depth:19; nocase; http.host; content:"victorishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001830809790"; depth:22; nocase; http.host; content:"polandishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"polandishere.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001830809790"; depth:19; nocase; http.host; content:"polandishere.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"bsf.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/log.php"; depth:14; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/phone.txt"; depth:16; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198505/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/web.txt"; depth:14; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ap.sarpkyo.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarpkyo.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ap.sarpkyo.xyz"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1198501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etanol/phone.txt"; depth:17; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etanol/log.php"; depth:15; nocase; http.host; content:"ap.sarpkyo.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198499; rev:1;) alert tcp $HOME_NET any -> [176.135.30.40] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198498/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198498; rev:1;) alert tcp $HOME_NET any -> [91.92.250.219] 22233 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shiro/animation/processordlecentral.php"; depth:40; nocase; http.host; content:"78.47.204.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/man/panelnew/gate.php"; depth:22; nocase; http.host; content:"seelend.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antidatapythonrule/searcherlogpython/djangopoolanticut/messagehtopserver/bin/local/searcherdjango/cpuframecam/rulesearcherpythonprogram/requestpoll.php"; depth:152; nocase; http.host; content:"78.24.216.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198493; rev:1;) alert tcp $HOME_NET any -> [82.115.223.14] 8030 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//7.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; 
content:"williammoore.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//5.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//3.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//4.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//2.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198486/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"ximpromooo.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198483/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"yavashakrysha.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198484/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//1.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vseochenxorosho.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198481/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vymnenravites.by"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198482/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"spasibozavsedruziya.ru"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198478/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os//6.jpg"; depth:10; nocase; http.host; content:"9enternecera.ru.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sportlotovukraine.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198480/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; 
content:"pozvonimnepozvoni.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198476/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"propertyofiranmy.ir"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198477/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"narkotikizlo.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198474/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"nekuritebambuk.ru"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198475/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"myvasocheunlyubim.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198472/; target:src_ip; metadata: confidence_level 75, 
first_seen 2023_11_03; classtype:trojan-activity; sid:91198472; rev:1;) alert tcp $HOME_NET any -> [156.196.88.201] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"mymozhemesche.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198471/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.61.138.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"foodplacecafe.by"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198470/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; 
nocase; http.host; content:"colbasaibliny.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198467/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"etovamnepomozhet.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198468/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e9c345fc99a4e67e.php"; depth:21; nocase; http.host; content:"henryjackson.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cafewithcraftbeer.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198466/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"antidomen.by"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198464/; target:src_ip; metadata: 
confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"againandagaingmorder.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198463/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198463; rev:1;) alert tcp $HOME_NET any -> [45.137.22.113] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198462; rev:1;) alert tcp $HOME_NET any -> [109.248.206.106] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"l0yolufbw5yeabs.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"l0yolufbw5yeabs.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198457/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"l0yolufbw5yeabs.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_index.php"; depth:36; nocase; http.host; content:"l0yolufbw5yeabs.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198459; rev:1;) alert tcp $HOME_NET any -> [94.156.66.37] 49539 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198456/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198456; rev:1;) alert tcp $HOME_NET any -> [94.156.66.37] 45944 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198455/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198455; rev:1;) alert tcp $HOME_NET any -> [221.12.129.226] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198454/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198454; rev:1;) alert tcp $HOME_NET any -> [5.61.53.75] 8007 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198453/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198453; rev:1;) alert tcp $HOME_NET any -> [106.14.144.30] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198452/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"cnswg1vzx6heh0f.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"cnswg1vzx6heh0f.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198364/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lander/chrome_1695206714/_index.php"; depth:36; nocase; http.host; 
content:"cnswg1vzx6heh0f.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198365; rev:1;) alert tcp $HOME_NET any -> [111.230.36.225] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198451; rev:1;) alert tcp $HOME_NET any -> [34.77.65.112] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198449; rev:1;) alert tcp $HOME_NET any -> [162.14.107.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198450; rev:1;) alert tcp $HOME_NET any -> [34.77.65.112] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198448; rev:1;) alert tcp $HOME_NET any -> [43.139.44.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; 
sid:91198447; rev:1;) alert tcp $HOME_NET any -> [94.156.67.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198445/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198445; rev:1;) alert tcp $HOME_NET any -> [101.43.122.252] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198446/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198446; rev:1;) alert tcp $HOME_NET any -> [107.151.244.164] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198444; rev:1;) alert tcp $HOME_NET any -> [117.50.180.202] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198443; rev:1;) alert tcp $HOME_NET any -> [116.196.119.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198442; rev:1;) alert tcp $HOME_NET any -> [8.134.192.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1198440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198440; rev:1;) alert tcp $HOME_NET any -> [114.132.74.172] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198441; rev:1;) alert tcp $HOME_NET any -> [150.158.13.117] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198439; rev:1;) alert tcp $HOME_NET any -> [101.34.116.46] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198438; rev:1;) alert tcp $HOME_NET any -> [39.100.84.221] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198437; rev:1;) alert tcp $HOME_NET any -> [47.104.159.7] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198436; rev:1;) alert tcp $HOME_NET any -> 
[8.130.129.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198435; rev:1;) alert tcp $HOME_NET any -> [47.92.163.235] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198433; rev:1;) alert tcp $HOME_NET any -> [166.1.18.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198434; rev:1;) alert tcp $HOME_NET any -> [140.210.214.70] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198432; rev:1;) alert tcp $HOME_NET any -> [65.21.66.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198431; rev:1;) alert tcp $HOME_NET any -> [104.236.180.75] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198430/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198430; rev:1;) alert tcp $HOME_NET any -> [151.248.118.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198429; rev:1;) alert tcp $HOME_NET any -> [139.144.113.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198428; rev:1;) alert tcp $HOME_NET any -> [18.196.37.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198426; rev:1;) alert tcp $HOME_NET any -> [3.137.179.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test5-18b.timoni.dev"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"clients.idnslookup.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"177.lan-vg2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198424; rev:1;) alert tcp $HOME_NET any -> [173.199.123.205] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198422/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_03; classtype:trojan-activity; sid:91198422; rev:1;) alert tcp $HOME_NET any -> [173.199.123.205] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198421/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_03; classtype:trojan-activity; sid:91198421; rev:1;) alert tcp $HOME_NET any -> [64.176.58.84] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198420/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_03; classtype:trojan-activity; sid:91198420; rev:1;) alert tcp $HOME_NET any -> [185.62.58.77] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198419/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198419; rev:1;) alert tcp $HOME_NET any -> [95.214.26.67] 7788 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198418; rev:1;) alert tcp $HOME_NET any -> [115.74.32.60] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198416; rev:1;) alert tcp $HOME_NET any -> [95.214.26.88] 7788 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198417; rev:1;) alert tcp $HOME_NET any -> [115.74.37.140] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198415; rev:1;) alert tcp $HOME_NET any -> [156.224.27.87] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198414; rev:1;) alert tcp $HOME_NET any -> [156.224.27.121] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198413; rev:1;) alert tcp $HOME_NET any -> [47.242.95.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198412; rev:1;) alert tcp $HOME_NET any -> [172.245.92.84] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198411; rev:1;) alert tcp $HOME_NET any -> [157.245.23.86] 22535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198410; rev:1;) alert tcp $HOME_NET any -> [185.196.8.91] 8008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198409; rev:1;) alert tcp $HOME_NET any -> [94.156.68.178] 4448 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; 
classtype:trojan-activity; sid:91198408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.makaa.work.gd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198407; rev:1;) alert tcp $HOME_NET any -> [88.248.212.24] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198406; rev:1;) alert tcp $HOME_NET any -> [88.248.212.24] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198405; rev:1;) alert tcp $HOME_NET any -> [89.137.121.142] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198403; rev:1;) alert tcp $HOME_NET any -> [198.12.125.30] 8015 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198404; rev:1;) alert tcp $HOME_NET any -> [192.210.229.8] 8891 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198402; rev:1;) alert tcp $HOME_NET any -> [91.109.176.5] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198401; rev:1;) alert tcp $HOME_NET any -> [94.156.69.57] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198399; rev:1;) alert tcp $HOME_NET any -> [91.109.176.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198400/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198400; rev:1;) alert tcp $HOME_NET any -> [103.141.68.91] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bedlinnenoutlet.nl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198397; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-f9d37633.vps.ovh.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198396/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198396; rev:1;) alert tcp $HOME_NET any -> [35.178.203.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toroz.nl"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daanzeegersdesign.nl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198393/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198393; rev:1;) alert tcp $HOME_NET any -> [13.48.77.144] 80 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198392; rev:1;) alert tcp $HOME_NET any -> [192.227.193.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1198391/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bsc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bsd.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bse.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdc.mrbonus.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bsr.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; 
classtype:trojan-activity; sid:91198388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"dsc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bsr.faqserv.com"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1198381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdc.mrbonus.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bse.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bsd.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bsc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198377; rev:1;) 
alert tcp $HOME_NET any -> [58.87.78.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198366/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198366; rev:1;) alert tcp $HOME_NET any -> [39.105.21.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198362/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198362; rev:1;) alert tcp $HOME_NET any -> [198.144.189.91] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198360; rev:1;) alert tcp $HOME_NET any -> [198.144.189.91] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ir.adf-za.fartit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adfq-a.vizvaz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1198358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ad-irt.vizvaz.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bsm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdhm.fartit.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198347/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bsf.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bsa.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; 
classtype:trojan-activity; sid:91198349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dst.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rsc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsf.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adf-za.fartit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"esc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"sdc.fartit.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dsb.mrbasic.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"ad-irt.vizvaz.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"adfq-a.vizvaz.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ir.adf-za.fartit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; 
classtype:trojan-activity; sid:91198343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"dsb.mrbasic.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdc.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"esc.fartit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adf-za.fartit.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"dsf.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"rsc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"dst.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bsf.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"bsa.faqserv.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198335/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"sdhm.fartit.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"bsm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198332; rev:1;) alert tcp $HOME_NET any -> [195.10.205.17] 8122 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cnswg1vzx6heh0f.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198306; rev:1;) alert tcp $HOME_NET any -> [54.87.62.237] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198304/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198304; rev:1;) alert tcp $HOME_NET any -> [3.71.41.123] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198303/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stats-tracked.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3ol33lgbrvyjk3d.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198301; rev:1;) alert tcp $HOME_NET any -> [106.55.107.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198300/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198300; rev:1;) alert tcp $HOME_NET any -> [89.108.103.92] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198299/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198299; 
rev:1;) alert tcp $HOME_NET any -> [51.12.244.215] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198298/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198298; rev:1;) alert tcp $HOME_NET any -> [49.233.111.215] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198297/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198297; rev:1;) alert tcp $HOME_NET any -> [91.92.243.151] 80 (msg:"ThreatFox PrivateLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198295; rev:1;) alert tcp $HOME_NET any -> [43.129.173.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198296/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"4m9q0m87vnmx0d1.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198284; rev:1;) alert tcp $HOME_NET any -> [109.248.206.51] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1198285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"23.234.200.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198294; rev:1;) alert tcp $HOME_NET any -> [140.210.214.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"140.210.214.70"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richusaprod.azurewebsites.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198290; rev:1;) alert tcp $HOME_NET any -> [24.144.116.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:64; nocase; http.host; content:"richusaprod.azurewebsites.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.159.193.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198288; rev:1;) alert tcp $HOME_NET any -> [154.90.62.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.90.62.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198286; rev:1;) alert tcp 
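$HOME_NET any -> [109.116.202.187] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198283/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"3.137.154.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.54.115.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.35.40.78"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198280; rev:1;)
# NOTE(review): ThreatFox IOC 1198278 is a bare hostname. The generated rule looked for it in
# http.uri with depth:28, i.e. at the very start of the request URI. That buffer begins with the
# path ("/...") for an ordinary request and with the scheme ("http://...") for a proxy-style
# absolute URI, so the content could never match and the rule was dead as written. Match the
# hostname in http.host instead, anchored exactly (depth + isdataat:!1,relative) like the sibling
# url rules; http.host is already lowercase, so nocase is dropped. rev bumped to 2 for the change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"jeraldsin3dsajdklafdmonk.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198278; rev:2;)
alert tcp $HOME_NET any -> [195.123.241.144] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"13.92.24.109"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"150.158.137.72"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 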
content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.48.83.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198273; rev:1;) alert tcp $HOME_NET any -> [8.134.71.235] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198272/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198272; rev:1;) alert tcp $HOME_NET any -> [124.70.187.37] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198271/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53908939210612680/loveland.apk"; depth:31; nocase; http.host; content:"185.162.235.46"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198270; rev:1;) alert tcp $HOME_NET any -> 
[185.162.235.46] 70 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198267; rev:1;) alert tcp $HOME_NET any -> [185.162.235.46] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198268; rev:1;) alert tcp $HOME_NET any -> [185.162.235.46] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pointernet.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198266/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"adl-vvs.mrbasic.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198265/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198264/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salehi/"; depth:8; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198263/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salehi/log.php"; depth:15; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198262/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salehi/web.txt"; depth:15; nocase; http.host; content:"pointernet.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198261/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"darkmansion.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198258/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_03; classtype:trojan-activity; sid:91198258; rev:1;) alert tcp $HOME_NET any -> [103.212.81.160] 23591 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"socksboxes.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198256/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"vibedroom.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198257/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198257; rev:1;) alert tcp $HOME_NET any -> [150.158.37.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198255/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198255; rev:1;) alert tcp $HOME_NET any -> [124.70.82.142] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198254/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198254; rev:1;) alert tcp $HOME_NET any -> [47.99.57.95] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198253/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198253; rev:1;) alert tcp $HOME_NET any -> [124.220.75.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198252/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198252; rev:1;) alert tcp $HOME_NET any -> [107.150.18.101] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198250/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_03; classtype:trojan-activity; sid:91198250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getfiles.zip"; depth:13; nocase; http.host; content:"116.202.182.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198249; rev:1;) alert tcp $HOME_NET any -> [82.157.154.37] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198248/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198248; rev:1;) alert tcp $HOME_NET any -> [95.181.173.28] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198247/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198247; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 28278 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198183; rev:1;)
# NOTE(review): safe242-28278.portmap.host looks like a per-user port-forwarding hostname; the
# embedded 28278 matches the ip:port rule directly above (193.161.193.99:28278, sid 91198183).
# The DNS rule is exact-match (depth + isdataat:!1), so only a query for this precise label
# fires. The forwarding IP is presumably shared by other users of that service - confirm the
# pairing against the two ThreatFox entries before blocking the IP itself.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"safe242-28278.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198184; rev:1;)
alert tcp $HOME_NET any -> [54.219.247.190] 18488 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198185/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198185; rev:1;)
# NOTE(review): 4.tcp.us-cal-1.ngrok.io is a shared ngrok TCP tunnel endpoint rather than
# attacker-owned infrastructure; the hostname (and the address it resolves to) is reused across
# tenants, and only the tunnel port distinguishes them. Treat a hit as a lead and correlate it
# with the port in the adjacent ip:port rule (sid 91198185, 54.219.247.190:18488 - TODO confirm
# both come from the same ThreatFox report) rather than as confirmation on its own.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4.tcp.us-cal-1.ngrok.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gursgars.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198190/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_03; classtype:trojan-activity; sid:91198190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iosninjafisk.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.103.93.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198213/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198213; rev:1;) alert tcp $HOME_NET any -> [135.181.11.41] 38051 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_03; classtype:trojan-activity; sid:91198217; rev:1;) alert tcp $HOME_NET any -> [167.179.103.206] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198246/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198246; rev:1;) alert tcp $HOME_NET any -> [45.32.140.39] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198245/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198245; rev:1;) alert tcp $HOME_NET any -> [85.208.118.169] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198244/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198244; rev:1;) alert tcp $HOME_NET any -> [62.234.55.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198243/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198243; rev:1;) alert tcp $HOME_NET any -> [4.193.233.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198242/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198242; rev:1;) alert tcp $HOME_NET any -> [107.189.11.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198241/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198241; rev:1;) alert tcp $HOME_NET any -> [190.133.226.233] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198240/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198240; rev:1;) alert tcp $HOME_NET any -> [154.246.142.0] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198239/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198239; rev:1;) alert tcp $HOME_NET any -> [195.74.225.69] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198238/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198238; rev:1;) alert tcp $HOME_NET any -> [121.147.122.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198237/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198237; rev:1;) alert tcp $HOME_NET any -> [74.12.145.223] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198236/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198236; rev:1;) alert tcp $HOME_NET any -> [31.167.145.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198235/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198235; rev:1;) alert tcp $HOME_NET any -> [218.82.118.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198234/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198234; rev:1;) alert tcp $HOME_NET any -> [185.193.125.140] 41909 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198233/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198233; rev:1;) alert tcp $HOME_NET any -> [35.178.199.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198232/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198232; rev:1;) alert tcp $HOME_NET any -> [91.102.162.229] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198230/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198230; rev:1;) alert tcp $HOME_NET any -> [149.154.158.34] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198229/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198229; rev:1;) alert tcp $HOME_NET any -> [149.154.158.34] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198228/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198228; rev:1;) alert tcp $HOME_NET any -> [178.33.168.52] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198227/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198227; rev:1;) alert tcp $HOME_NET any -> [34.124.211.197] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198226/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198226; rev:1;) alert tcp $HOME_NET any -> [103.159.133.163] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198225/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198225; rev:1;) alert tcp $HOME_NET any -> [45.155.37.101] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198224/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_03; classtype:trojan-activity; sid:91198224; rev:1;) alert tcp $HOME_NET any -> [146.59.220.235] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198223/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198223; rev:1;) alert tcp $HOME_NET any -> [35.169.120.200] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198222/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198222; rev:1;) alert tcp $HOME_NET any -> [213.100.180.158] 9998 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198221/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_11_03; classtype:trojan-activity; sid:91198221; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198220/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198220; rev:1;) alert tcp $HOME_NET any -> [158.69.40.137] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198219/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198219; rev:1;) alert tcp $HOME_NET any -> [89.40.11.42] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198218/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198218; rev:1;) alert tcp $HOME_NET any -> [36.134.119.180] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198216/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198216; rev:1;) alert tcp $HOME_NET any -> [45.149.93.93] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198215/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198215; rev:1;) alert tcp $HOME_NET any -> [89.108.103.92] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198214/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_03; classtype:trojan-activity; sid:91198214; rev:1;)
# NOTE(review): sid 91198212 and sid 91198210 below carry identical detection logic (GET /fwlink
# to host 114.115.220.199) and differ only in their ThreatFox reference, so a single request
# raises both alerts - account for that when tuning thresholds or counting hits. The URI check
# uses depth:7 without isdataat, so it is a prefix match ("/fwlink?..." also fires). The companion
# ip:port rule targets 443; if these URL IOCs are the https variants, the http.* buffers only
# populate where TLS is terminated or decrypted before Suricata sees the traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198212; rev:1;)
alert tcp $HOME_NET any -> [114.115.220.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198210; rev:1;)
alert tcp $HOME_NET any -> [45.61.139.234] 8083 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198209/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198209; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.37] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1198202/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198202; rev:1;) alert tcp $HOME_NET any -> [54.221.127.105] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198201/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198201; rev:1;) alert tcp $HOME_NET any -> [18.156.84.197] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198200/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198200; rev:1;) alert tcp $HOME_NET any -> [91.92.240.91] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198199/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198199; rev:1;) alert tcp $HOME_NET any -> [91.92.246.64] 34771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198198/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198198; rev:1;) alert tcp $HOME_NET any -> [213.139.205.136] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198197/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198197; rev:1;) alert tcp $HOME_NET any -> [193.149.185.196] 80 (msg:"ThreatFox IcedID 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198196/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198196; rev:1;) alert tcp $HOME_NET any -> [172.86.75.163] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198195/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198195; rev:1;) alert tcp $HOME_NET any -> [45.129.199.158] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198194/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198194; rev:1;) alert tcp $HOME_NET any -> [181.90.42.189] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198192; rev:1;) alert tcp $HOME_NET any -> [185.193.126.90] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198191/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198191; rev:1;) alert tcp $HOME_NET any -> [161.35.174.5] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198189/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; 
classtype:trojan-activity; sid:91198189; rev:1;) alert tcp $HOME_NET any -> [195.244.112.143] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198188/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198188; rev:1;) alert tcp $HOME_NET any -> [120.78.135.166] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198187/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198187; rev:1;) alert tcp $HOME_NET any -> [77.124.16.58] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198182/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198182; rev:1;) alert tcp $HOME_NET any -> [117.215.21.86] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198181/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198181; rev:1;) alert tcp $HOME_NET any -> [181.94.42.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198180/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198180; rev:1;) alert tcp $HOME_NET any -> [85.107.13.41] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1198179/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198179; rev:1;) alert tcp $HOME_NET any -> [31.190.242.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198178/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198178; rev:1;) alert tcp $HOME_NET any -> [172.86.96.200] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198177/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198177; rev:1;) alert tcp $HOME_NET any -> [52.15.189.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198176/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198176; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 6477 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198175/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198175; rev:1;) alert tcp $HOME_NET any -> [157.245.48.209] 8088 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198174/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198174; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 8000 (msg:"ThreatFox BianLian botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198173/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198173; rev:1;) alert tcp $HOME_NET any -> [31.220.2.200] 80 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198172/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198172; rev:1;) alert tcp $HOME_NET any -> [195.123.233.144] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198080; rev:1;) alert tcp $HOME_NET any -> [139.180.217.229] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198072/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198072; rev:1;) alert tcp $HOME_NET any -> [139.59.29.27] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198073/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bjdm32dp/index.php"; depth:19; nocase; http.host; content:"167.235.20.126"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1197907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197907; rev:1;) alert tcp $HOME_NET any -> [103.158.190.167] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7jshasds/index.php"; depth:19; nocase; http.host; content:"185.196.8.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197908/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e9c345fc99a4e67e.php"; depth:21; nocase; http.host; content:"ronaldrichards.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197906/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"profitcentronline.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197901/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/soprateste.zip"; depth:15; nocase; http.host; content:"justlookaround.s3.amazonaws.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198094/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poiiuyetr"; depth:10; nocase; http.host; content:"justlookaround.s3.amazonaws.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msikrxeiths"; depth:12; nocase; http.host; content:"shsukadadyuikmmonk.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198097; rev:1;) alert tcp $HOME_NET any -> [82.117.254.52] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~gollpree/4/inc/80c2d1651b23ae.php"; depth:35; nocase; http.host; content:"31.220.2.200"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198171/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198171; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198169/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198169; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198170; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198168; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198167; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198166; rev:1;) alert tcp $HOME_NET any -> [20.22.18.80] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198165/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_02; classtype:trojan-activity; sid:91198165; rev:1;) alert tcp $HOME_NET any -> [210.243.8.247] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198164; rev:1;) alert tcp $HOME_NET any -> [3.13.191.225] 15432 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198162; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 15432 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198163; rev:1;) alert tcp $HOME_NET any -> [3.14.182.203] 15432 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198161; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 15432 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198160; rev:1;) alert tcp 
$HOME_NET any -> [3.22.30.40] 15432 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198158; rev:1;) alert tcp $HOME_NET any -> [3.134.39.220] 15432 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"116.204.114.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.obenkyou.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198155; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.obenkyou.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"game.easthudsoninvestments.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198152; rev:1;) alert tcp $HOME_NET any -> [3.144.132.153] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198153; rev:1;) alert tcp $HOME_NET any -> [138.197.127.231] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.imedicalhub.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"114.132.74.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.39.78.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link.html"; depth:10; nocase; http.host; content:"35.171.155.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"110.42.222.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198146; rev:1;) alert tcp $HOME_NET any -> [69.24.199.30] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198145/; target:src_ip; metadata: confidence_level 80, first_seen 
2023_11_02; classtype:trojan-activity; sid:91198145; rev:1;) alert tcp $HOME_NET any -> [142.93.143.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198144/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198144; rev:1;) alert tcp $HOME_NET any -> [82.156.151.200] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198142; rev:1;) alert tcp $HOME_NET any -> [47.102.209.7] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198143; rev:1;) alert tcp $HOME_NET any -> [119.91.217.168] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198141; rev:1;) alert tcp $HOME_NET any -> [34.209.178.22] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198140; rev:1;) alert tcp $HOME_NET any -> [54.228.160.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198139; rev:1;) alert tcp $HOME_NET any -> [139.198.187.234] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198138; rev:1;) alert tcp $HOME_NET any -> [43.198.242.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198137; rev:1;) alert tcp $HOME_NET any -> [120.27.247.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198136; rev:1;) alert tcp $HOME_NET any -> [52.195.215.30] 10002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198135; rev:1;) alert tcp $HOME_NET any -> [119.96.222.21] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198134; 
rev:1;) alert tcp $HOME_NET any -> [16.162.88.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198133; rev:1;) alert tcp $HOME_NET any -> [1.116.241.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198131; rev:1;) alert tcp $HOME_NET any -> [47.74.33.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198132; rev:1;) alert tcp $HOME_NET any -> [31.192.238.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198130; rev:1;) alert tcp $HOME_NET any -> [47.115.215.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198128; rev:1;) alert tcp $HOME_NET any -> [111.67.195.24] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1198129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198129; rev:1;) alert tcp $HOME_NET any -> [43.142.89.138] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198127; rev:1;) alert tcp $HOME_NET any -> [46.21.153.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198126; rev:1;) alert tcp $HOME_NET any -> [172.190.93.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198125; rev:1;) alert tcp $HOME_NET any -> [172.190.93.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-16-170-143-138.eu-north-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198122; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s.svmp.eu.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198123; rev:1;) alert tcp $HOME_NET any -> [156.224.27.43] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198120; rev:1;) alert tcp $HOME_NET any -> [106.52.95.146] 8880 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198121; rev:1;) alert tcp $HOME_NET any -> [156.224.27.217] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198119; rev:1;) alert tcp $HOME_NET any -> [156.224.27.163] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198117; rev:1;) alert tcp $HOME_NET any -> [156.224.27.129] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1198118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198118; rev:1;) alert tcp $HOME_NET any -> [156.224.27.131] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198116; rev:1;) alert tcp $HOME_NET any -> [156.224.27.144] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198115; rev:1;) alert tcp $HOME_NET any -> [156.224.27.118] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198113; rev:1;) alert tcp $HOME_NET any -> [156.224.27.254] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198114; rev:1;) alert tcp $HOME_NET any -> [156.224.27.74] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198112; rev:1;) alert tcp $HOME_NET any -> [156.224.27.209] 4449 (msg:"ThreatFox Venom 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198110/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198110; rev:1;) alert tcp $HOME_NET any -> [156.224.27.115] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198111; rev:1;) alert tcp $HOME_NET any -> [156.224.27.252] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198109; rev:1;) alert tcp $HOME_NET any -> [156.224.27.238] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198107; rev:1;) alert tcp $HOME_NET any -> [156.224.27.106] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198108; rev:1;) alert tcp $HOME_NET any -> [156.224.27.71] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198106/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_11_02; classtype:trojan-activity; sid:91198106; rev:1;) alert tcp $HOME_NET any -> [156.224.27.243] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198105; rev:1;) alert tcp $HOME_NET any -> [156.224.27.57] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198103; rev:1;) alert tcp $HOME_NET any -> [156.224.27.92] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198104; rev:1;) alert tcp $HOME_NET any -> [156.224.27.236] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198102; rev:1;) alert tcp $HOME_NET any -> [115.74.32.60] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198101; rev:1;) alert tcp $HOME_NET any -> [148.135.95.95] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198100; rev:1;) alert tcp $HOME_NET any -> [35.87.234.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198099; rev:1;) alert tcp $HOME_NET any -> [92.118.235.251] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198096/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198096; rev:1;) alert tcp $HOME_NET any -> [94.156.64.213] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198079; rev:1;) alert tcp $HOME_NET any -> [38.87.198.238] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198078/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"enouselr.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198077/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_02; classtype:trojan-activity; sid:91198077; rev:1;) alert tcp $HOME_NET any -> [91.92.254.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198076/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198076; rev:1;) alert tcp $HOME_NET any -> [20.96.151.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198075/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198075; rev:1;) alert tcp $HOME_NET any -> [24.152.38.230] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198074/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aumr/unnec"; depth:11; nocase; http.host; content:"216.128.185.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198071; rev:1;) alert tcp $HOME_NET any -> [39.107.107.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198070/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wvieuje/overi"; depth:14; nocase; http.host; content:"45.77.72.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdh/gunne"; depth:10; nocase; http.host; content:"216.128.185.35"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"up.union-pay.vip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"card.union-pay.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"life.union-pay.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198064/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198064; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"info.union-pay.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.71.212.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"150.158.161.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"1.13.158.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"146.19.170.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"179.60.150.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_ogb"; depth:17; nocase; http.host; content:"8.219.207.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198055/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_02; classtype:trojan-activity; sid:91198055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"150.158.50.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"150.158.181.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.100.180.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.40.250.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"5.8.18.237"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"d22h19icfueroa.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"54.217.61.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"110.42.222.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"43.136.38.59"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link.html"; depth:10; nocase; http.host; content:"35.171.155.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.108.164.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198043; rev:1;) alert tcp $HOME_NET any -> [194.49.94.41] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198042; rev:1;) alert tcp $HOME_NET any -> [47.253.53.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.253.53.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"154.12.26.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198038; rev:1;) alert tcp $HOME_NET any -> [154.12.26.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.137.10.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198037; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"16.170.143.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198036; rev:1;) alert tcp $HOME_NET any -> [188.26.127.4] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198035; rev:1;) alert tcp $HOME_NET any -> [194.59.40.141] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198034/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.221.174.192"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.138.187.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198032/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; 
classtype:trojan-activity; sid:91198032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ug"; depth:3; nocase; http.host; content:"webmail.gpuxdrv.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198030/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.gpuxdrv.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1198031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"43.138.138.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"68.183.77.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198028; rev:1;) alert tcp $HOME_NET any -> [194.169.175.136] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1198027/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198027; rev:1;) alert tcp $HOME_NET any -> [154.9.27.108] 9006 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198026/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198026; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19097 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198025/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198025; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19097 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198024; rev:1;) alert tcp $HOME_NET any -> [39.100.84.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198022/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198022; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19097 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.zip"; depth:11; nocase; http.host; content:"94.142.138.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.142.138.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1198020/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198020; rev:1;) alert tcp $HOME_NET any -> [94.156.64.212] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198019/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198019; rev:1;) alert tcp $HOME_NET any -> [5.182.211.177] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198018/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198018; rev:1;) alert tcp $HOME_NET any -> [15.235.44.231] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198017/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198017; rev:1;) alert tcp $HOME_NET any -> [176.92.103.90] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198016/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198016; rev:1;) alert tcp $HOME_NET any -> [76.138.97.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198015/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198015; rev:1;) alert tcp $HOME_NET any -> [75.134.206.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198014/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198014; rev:1;) alert tcp $HOME_NET any -> [39.40.185.182] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198013/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198013; rev:1;) alert tcp $HOME_NET any -> [20.94.83.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198012/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198012; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 3771 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198011/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198011; rev:1;) alert 
tcp $HOME_NET any -> [95.179.157.228] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198010/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198010; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198009/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198009; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198008/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198008; rev:1;) alert tcp $HOME_NET any -> [47.103.205.56] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198007/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_02; classtype:trojan-activity; sid:91198007; rev:1;) alert tcp $HOME_NET any -> [194.87.217.31] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198006/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198006; rev:1;) alert tcp $HOME_NET any -> [47.109.19.188] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198005/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198005; rev:1;) alert tcp $HOME_NET any -> [54.144.111.154] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198004/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91198004; rev:1;) alert tcp $HOME_NET any -> [154.204.56.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198003; rev:1;) alert tcp $HOME_NET any -> [211.159.173.202] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198001/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198001; rev:1;) alert tcp $HOME_NET any -> [211.159.173.202] 49999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198002/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198002; rev:1;) alert tcp $HOME_NET any -> [16.170.143.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197999/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197999; rev:1;) alert tcp $HOME_NET any -> [3.254.254.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1198000/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91198000; rev:1;) alert tcp $HOME_NET any -> [185.172.128.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197998/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197998; rev:1;) alert tcp $HOME_NET any -> [43.132.210.141] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197997/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-198-16-37.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197995/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.trafficmannager.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197996/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-43-198-242-245.ap-east-1.compute.amazonaws.com"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197993/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hongtong502.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197994/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.dns-response.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197992/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-254-254-189.eu-west-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197991/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197991; rev:1;) alert tcp $HOME_NET any -> [195.123.233.206] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197990/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197990; rev:1;) alert tcp $HOME_NET any -> [156.224.27.195] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197989/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_02; classtype:trojan-activity; sid:91197989; rev:1;) alert tcp $HOME_NET any -> [156.224.27.140] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197988/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197988; rev:1;) alert tcp $HOME_NET any -> [156.224.27.157] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197986/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197986; rev:1;) alert tcp $HOME_NET any -> [156.224.27.123] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197987/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197987; rev:1;) alert tcp $HOME_NET any -> [156.224.27.89] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197985/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197985; rev:1;) alert tcp $HOME_NET any -> [156.224.27.218] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197984/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197984; rev:1;) alert tcp $HOME_NET any -> [156.224.27.246] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197982/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197982; rev:1;) alert tcp $HOME_NET any -> [156.224.27.55] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197983/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197983; rev:1;) alert tcp $HOME_NET any -> [156.224.27.184] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197981/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197981; rev:1;) alert tcp $HOME_NET any -> [156.224.27.132] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197979; rev:1;) alert tcp $HOME_NET any -> [156.224.27.117] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197980/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197980; rev:1;) alert tcp $HOME_NET any -> [156.224.27.186] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197977; rev:1;) alert tcp $HOME_NET any 
-> [156.224.27.148] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197978; rev:1;) alert tcp $HOME_NET any -> [156.224.27.216] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197976; rev:1;) alert tcp $HOME_NET any -> [156.224.27.182] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197974; rev:1;) alert tcp $HOME_NET any -> [156.224.27.111] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197975; rev:1;) alert tcp $HOME_NET any -> [156.224.27.207] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197973; rev:1;) alert tcp $HOME_NET any -> [156.224.27.93] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197971/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197971; rev:1;) alert tcp $HOME_NET any -> [156.224.27.210] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197972; rev:1;) alert tcp $HOME_NET any -> [156.224.27.56] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197970; rev:1;) alert tcp $HOME_NET any -> [156.224.27.36] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197968; rev:1;) alert tcp $HOME_NET any -> [156.224.27.174] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197969/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197969; rev:1;) alert tcp $HOME_NET any -> [156.224.27.68] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197967; rev:1;) alert tcp $HOME_NET any -> [156.224.27.241] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197965; rev:1;) alert tcp $HOME_NET any -> [156.224.27.242] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197966; rev:1;) alert tcp $HOME_NET any -> [156.224.27.103] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197964; rev:1;) alert tcp $HOME_NET any -> [156.224.27.90] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197962; rev:1;) alert tcp $HOME_NET any -> [156.224.27.151] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197963; rev:1;) alert tcp $HOME_NET any -> [156.224.27.248] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197961/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; 
classtype:trojan-activity; sid:91197961; rev:1;) alert tcp $HOME_NET any -> [156.224.27.197] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197959; rev:1;) alert tcp $HOME_NET any -> [156.224.27.136] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197960; rev:1;) alert tcp $HOME_NET any -> [156.224.27.231] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197958; rev:1;) alert tcp $HOME_NET any -> [156.224.27.67] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197956; rev:1;) alert tcp $HOME_NET any -> [156.224.27.232] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197957; rev:1;) alert tcp $HOME_NET any -> [156.224.27.208] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1197955/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197955; rev:1;) alert tcp $HOME_NET any -> [156.224.27.82] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197953/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197953; rev:1;) alert tcp $HOME_NET any -> [156.224.27.145] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197954/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197954; rev:1;) alert tcp $HOME_NET any -> [156.224.27.138] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197951/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197951; rev:1;) alert tcp $HOME_NET any -> [156.224.27.54] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197952/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197952; rev:1;) alert tcp $HOME_NET any -> [156.224.27.126] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197950; rev:1;) alert tcp $HOME_NET any -> [156.224.27.95] 
4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197948; rev:1;) alert tcp $HOME_NET any -> [156.224.27.225] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197949; rev:1;) alert tcp $HOME_NET any -> [156.224.27.116] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197947; rev:1;) alert tcp $HOME_NET any -> [156.224.27.50] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197945/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197945; rev:1;) alert tcp $HOME_NET any -> [156.224.27.193] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197946; rev:1;) alert tcp $HOME_NET any -> [156.224.27.65] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197944/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197944; rev:1;) alert tcp $HOME_NET any -> [156.224.27.161] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197942/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197942; rev:1;) alert tcp $HOME_NET any -> [156.224.27.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197943/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197943; rev:1;) alert tcp $HOME_NET any -> [156.224.27.100] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197941/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197941; rev:1;) alert tcp $HOME_NET any -> [156.224.27.185] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197939/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197939; rev:1;) alert tcp $HOME_NET any -> [156.224.27.130] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197940/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197940; rev:1;) alert tcp $HOME_NET any -> [128.90.108.62] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197938/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197938; rev:1;) alert tcp $HOME_NET any -> [156.224.27.119] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197937/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197937; rev:1;) alert tcp $HOME_NET any -> [156.224.27.204] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197935/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197935; rev:1;) alert tcp $HOME_NET any -> [156.224.27.75] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197936/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197936; rev:1;) alert tcp $HOME_NET any -> [156.224.27.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197933/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197933; rev:1;) alert tcp $HOME_NET any -> [156.224.27.24] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197934/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197934; rev:1;) 
alert tcp $HOME_NET any -> [156.224.27.20] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197932/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197932; rev:1;) alert tcp $HOME_NET any -> [156.224.26.138] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197931; rev:1;) alert tcp $HOME_NET any -> [43.128.85.89] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197930; rev:1;) alert tcp $HOME_NET any -> [154.244.248.129] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197929; rev:1;) alert tcp $HOME_NET any -> [51.161.107.9] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197927/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197927; rev:1;) alert tcp $HOME_NET any -> [223.155.16.135] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197928; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 69 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197926; rev:1;) alert tcp $HOME_NET any -> [162.55.36.154] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197924; rev:1;) alert tcp $HOME_NET any -> [207.246.74.117] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197925; rev:1;) alert tcp $HOME_NET any -> [177.143.216.81] 3389 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197923; rev:1;) alert tcp $HOME_NET any -> [91.109.182.7] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197922; rev:1;) alert tcp $HOME_NET any -> [136.243.185.107] 8443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apix.mircofots.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197921; rev:1;) alert tcp $HOME_NET any -> [64.227.179.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197919/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197919; rev:1;) alert tcp $HOME_NET any -> [20.220.86.194] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197917; rev:1;) alert tcp $HOME_NET any -> [91.92.255.32] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_02; classtype:trojan-activity; sid:91197918; rev:1;) alert tcp $HOME_NET any -> [3.94.88.252] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197916/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; 
classtype:trojan-activity; sid:91197916; rev:1;) alert tcp $HOME_NET any -> [194.49.94.41] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197915/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_02; classtype:trojan-activity; sid:91197915; rev:1;) alert tcp $HOME_NET any -> [110.43.39.132] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197914/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197914; rev:1;) alert tcp $HOME_NET any -> [49.235.118.250] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197913/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197913; rev:1;) alert tcp $HOME_NET any -> [167.235.20.126] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197912/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getfiles.zip"; depth:13; nocase; http.host; content:"5.75.208.206"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197910; rev:1;) alert tcp $HOME_NET any -> [5.75.208.206] 80 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.206"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197909; rev:1;) alert tcp $HOME_NET any -> [185.23.81.219] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197905/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197905; rev:1;) alert tcp $HOME_NET any -> [168.100.11.109] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197904/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197904; rev:1;) alert tcp $HOME_NET any -> [83.243.122.82] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197903/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197903; rev:1;) alert tcp $HOME_NET any -> [45.61.137.97] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197902/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197902; rev:1;) alert tcp $HOME_NET any -> [142.93.140.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197900/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197900; rev:1;) alert tcp $HOME_NET any -> [101.35.40.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197899; rev:1;) alert tcp $HOME_NET any -> [172.245.213.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197898; rev:1;) alert tcp $HOME_NET any -> [138.99.216.141] 33616 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197897; rev:1;) alert tcp $HOME_NET any -> [180.76.121.68] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197896; rev:1;) alert tcp $HOME_NET any -> [8.137.10.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197895/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197895; rev:1;) alert tcp $HOME_NET any -> [5.34.176.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197894/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makaa.work.gd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197893; rev:1;) alert tcp $HOME_NET any -> [185.249.197.248] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197891/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197891; rev:1;) alert tcp $HOME_NET any -> [185.249.197.248] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"config-update-ms.francecentral.cloudapp.azure.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197889/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"189.89.93.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197890/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197890; rev:1;) alert tcp $HOME_NET any -> [138.128.215.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197888/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197888; rev:1;) alert tcp $HOME_NET any -> [47.94.43.210] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197887/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197887; rev:1;) alert tcp $HOME_NET any -> [104.237.145.83] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197886/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197886; rev:1;) alert tcp $HOME_NET any -> [88.253.72.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197885/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"turanmetal.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197873/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hatchdesignsnh.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197874/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"angelbusinessteam.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197875/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"danagroupegypt.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197876/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bitscoinc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197877/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197877; rev:1;) alert tcp $HOME_NET any -> [197.0.121.2] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197878/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boezgrt.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197879/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jongchul.democrat"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197880/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bureaudecreationalienor.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197881/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pacatman.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197883/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hom4u.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197884/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; 
sid:91197884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lucasdoors.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197870/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"displaymercials.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197871/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"formulaautoparts.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197872/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197872; rev:1;) alert tcp $HOME_NET any -> [102.157.0.201] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197869/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197869; rev:1;) alert tcp $HOME_NET any -> [187.211.112.109] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197868/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197868; rev:1;) alert tcp $HOME_NET any -> [85.209.11.185] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197867/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197867; rev:1;) alert tcp $HOME_NET any -> [149.28.187.247] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197866/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197866; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197865/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197865; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 6463 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197864/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197864; rev:1;) alert tcp $HOME_NET any -> [66.29.155.44] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197863/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197863; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197862/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197862; rev:1;) alert tcp $HOME_NET any -> [104.36.229.15] 443 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197861/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197861; rev:1;) alert tcp $HOME_NET any -> [195.2.71.181] 4256 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197860/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197860; rev:1;) alert tcp $HOME_NET any -> [51.15.165.186] 4433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197859/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197859; rev:1;) alert tcp $HOME_NET any -> [118.89.125.171] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197858/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197858; rev:1;) alert tcp $HOME_NET any -> [47.116.73.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197857/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197857; rev:1;) alert tcp $HOME_NET any -> [175.24.163.235] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197856/; target:src_ip; metadata: confidence_level 
80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197856; rev:1;) alert tcp $HOME_NET any -> [101.43.149.73] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197855/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197855; rev:1;) alert tcp $HOME_NET any -> [82.157.143.63] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197854/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197854; rev:1;) alert tcp $HOME_NET any -> [91.92.250.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197853/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197853; rev:1;) alert tcp $HOME_NET any -> [35.242.142.247] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197852/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197852; rev:1;) alert tcp $HOME_NET any -> [60.204.187.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197851/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"60.204.187.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197850/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197850; rev:1;) alert tcp $HOME_NET any -> [172.233.154.98] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197845; rev:1;) alert tcp $HOME_NET any -> [15.235.47.206] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197846/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197846; rev:1;) alert tcp $HOME_NET any -> [15.235.202.109] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197847/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197847; rev:1;) alert tcp $HOME_NET any -> [45.33.85.73] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197848; rev:1;) alert tcp $HOME_NET any -> [172.233.185.220] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197849/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197849; rev:1;) alert tcp $HOME_NET any -> [87.248.157.179] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197844/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197844; rev:1;) alert tcp $HOME_NET any -> [91.92.247.146] 3348 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197843/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197843; rev:1;) alert tcp $HOME_NET any -> [194.49.94.40] 21348 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197842/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"comperssw.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197841/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197841; rev:1;) alert tcp $HOME_NET any -> [91.92.242.226] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197840/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197840; rev:1;) alert tcp $HOME_NET any -> [107.189.3.19] 
4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197839/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197839; rev:1;) alert tcp $HOME_NET any -> [1.12.69.169] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197838; rev:1;) alert tcp $HOME_NET any -> [154.55.138.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197837/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197837; rev:1;) alert tcp $HOME_NET any -> [8.219.207.66] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197836; rev:1;) alert tcp $HOME_NET any -> [8.130.27.224] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197835; rev:1;) alert tcp $HOME_NET any -> [45.32.119.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197833/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197833; rev:1;) alert tcp $HOME_NET any -> [45.207.27.28] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197834; rev:1;) alert tcp $HOME_NET any -> [43.142.89.138] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197832/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197832; rev:1;) alert tcp $HOME_NET any -> [146.190.141.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197831; rev:1;) alert tcp $HOME_NET any -> [107.174.115.126] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197830; rev:1;) alert tcp $HOME_NET any -> [47.104.159.7] 9100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197829/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197829; rev:1;) alert tcp $HOME_NET any -> [176.222.54.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197828/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unruffled-heyrovsky.68-183-220-248.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197827/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197827; rev:1;) alert tcp $HOME_NET any -> [146.70.157.115] 8081 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197826/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_01; classtype:trojan-activity; sid:91197826; rev:1;) alert tcp $HOME_NET any -> [185.243.181.62] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197825/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197825; rev:1;) alert tcp $HOME_NET any -> [152.104.161.36] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197824/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_01; classtype:trojan-activity; sid:91197824; rev:1;) alert tcp $HOME_NET any -> [203.148.17.67] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197823/; target:src_ip; metadata: confidence_level 90, 
first_seen 2023_11_01; classtype:trojan-activity; sid:91197823; rev:1;) alert tcp $HOME_NET any -> [84.177.201.52] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197822/; target:src_ip; metadata: confidence_level 75, first_seen 2023_11_01; classtype:trojan-activity; sid:91197822; rev:1;) alert tcp $HOME_NET any -> [108.165.101.16] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197820/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197820; rev:1;) alert tcp $HOME_NET any -> [128.90.108.113] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197821/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197821; rev:1;) alert tcp $HOME_NET any -> [212.129.223.209] 4567 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197819/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197819; rev:1;) alert tcp $HOME_NET any -> [38.54.40.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197818/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197818; rev:1;) alert tcp $HOME_NET any -> [188.166.160.193] 22535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197817/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197817; rev:1;) alert tcp $HOME_NET any -> [95.164.69.62] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197816; rev:1;) alert tcp $HOME_NET any -> [94.131.111.119] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197815/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197815; rev:1;) alert tcp $HOME_NET any -> [213.195.120.176] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197814/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197814; rev:1;) alert tcp $HOME_NET any -> [145.239.200.145] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197813/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197813; rev:1;) alert tcp $HOME_NET any -> [145.239.200.145] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197812/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197812; rev:1;) 
alert tcp $HOME_NET any -> [45.141.215.3] 3306 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197810; rev:1;) alert tcp $HOME_NET any -> [145.239.200.145] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197811/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197811; rev:1;) alert tcp $HOME_NET any -> [185.150.25.181] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197809; rev:1;) alert tcp $HOME_NET any -> [187.24.13.129] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heylele.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.abaadoffice.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1197807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msftonline.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197805; rev:1;) alert tcp $HOME_NET any -> [23.106.125.206] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197804/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197804; rev:1;) alert tcp $HOME_NET any -> [54.217.61.189] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197803/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jjku/bruct"; depth:11; nocase; http.host; content:"64.176.212.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jjku/pagan"; depth:11; nocase; http.host; content:"64.176.212.255"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1197802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i1dqr/subwe"; depth:12; nocase; http.host; content:"64.176.193.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i1dqr/mulad"; depth:12; nocase; http.host; content:"64.176.193.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197800/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1wsnrcv/lyotr"; depth:14; nocase; http.host; content:"49.13.94.147"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197797/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i1dqr/serge"; depth:12; nocase; http.host; content:"64.176.193.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197798/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197798; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amywa/nonas"; depth:12; nocase; http.host; content:"45.77.79.67"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197796/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197796; rev:1;) alert tcp $HOME_NET any -> [54.163.42.140] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197795/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197795; rev:1;) alert tcp $HOME_NET any -> [91.92.242.59] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197794/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197794; rev:1;) alert tcp $HOME_NET any -> [46.8.158.224] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197793/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197793; rev:1;) alert tcp $HOME_NET any -> [43.136.113.152] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197792/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ns2.we-bank.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197791/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.we-bank.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197790/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3886d2276f6914c4.php"; depth:21; nocase; http.host; content:"jameskelly.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197789/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"82.156.29.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197788/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.233.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197787/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197787; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"20.64.84.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197786/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.45.98"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197785/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197785; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 8009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197784/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"106.13.15.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197783/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"79.124.78.173"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197782/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"duhodown.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197781/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.204.80.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.39.78.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.98.250.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197778; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"115.159.221.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197777/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"95.181.173.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197776; rev:1;) alert tcp $HOME_NET any -> [116.204.133.232] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197775/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197775; rev:1;) alert tcp $HOME_NET any -> [175.24.184.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197774/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.94.26.40"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197773/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modcenturiongoldlabel.dyndns-at-home.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197758/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"hgfdytrywq.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1197762/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.249.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197772/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.39.78.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197771/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197771; rev:1;) alert tcp $HOME_NET any -> [34.199.123.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197770/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2m9vnw3tqtaju.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197769/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profile.html"; depth:13; nocase; http.host; content:"d2m9vnw3tqtaju.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197768/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197768; rev:1;) alert tcp $HOME_NET any -> [188.116.22.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197767/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdnjsdelivr.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197766/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; 
content:"cdnjsdelivr.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197765/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197765; rev:1;) alert tcp $HOME_NET any -> [35.171.155.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197764/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mg.html"; depth:8; nocase; http.host; content:"35.171.155.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197763/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mg.html"; depth:8; nocase; http.host; content:"35.171.155.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197761/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d22h19icfueroa.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197760/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"d22h19icfueroa.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197759/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"openxmegaeur97.serveblog.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197728/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold1.ddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197729/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold10.myftp.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197730/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold11.myftp.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"orionprimexgold12.myvnc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197732/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold13.onthewifi.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197733/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold15.servebeer.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197734/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold16.serveblog.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197735/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold18.serveftp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197736/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"orionprimexgold19.servegame.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197737/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold2.ddnsking.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197738/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold23.serveminecraft.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197739/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold25.servepics.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197740/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold26.servequake.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197741/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold28.viewdns.net"; 
depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197742/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold29.webhop.me"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197743/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold3.3utilities.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197744/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold31.serveblog.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197745/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold4.bounceme.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197746/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold5.freedynamicdns.net"; depth:35; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1197747/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold8.hopto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197750/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold6.freedynamicdns.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197748/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold7.gotdns.ch"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197749/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orionprimexgold9.myddns.me"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197751/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orogold22cstrike.myddns.me"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197752/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkdelasexgold24.servepics.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197753/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plataplatamygold9x9.bounceme.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197754/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"privgold20x10.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197755/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vemmoneyxgold27.viewdns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197756/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"144.172.123.14"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197757/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axeroldcapitalx9x.onthewifi.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197725/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diamond9x.getmyip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197726/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hx9bemmexgold21.serveblog.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197727/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcadaaliancamex.dyndns-wiki.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197724/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"babyeona.icu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197719/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; 
classtype:trojan-activity; sid:91197719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"babyeonb.icu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197720/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"koludsa.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197721/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"booudbras.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197723/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197723; rev:1;) alert tcp $HOME_NET any -> [147.124.205.228] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197722/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197722; rev:1;) alert tcp $HOME_NET any -> [1.14.127.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197718/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; 
classtype:trojan-activity; sid:91197718; rev:1;) alert tcp $HOME_NET any -> [45.152.67.31] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197717/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197717; rev:1;) alert tcp $HOME_NET any -> [42.51.33.45] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197716/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197716; rev:1;) alert tcp $HOME_NET any -> [101.43.103.253] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197715/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197715; rev:1;) alert tcp $HOME_NET any -> [121.36.55.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197714/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197714; rev:1;) alert tcp $HOME_NET any -> [43.143.246.164] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197713/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197713; rev:1;) alert tcp $HOME_NET any -> [43.142.241.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197712/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197712; rev:1;) alert tcp $HOME_NET any -> [101.43.142.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197711/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197711; rev:1;) alert tcp $HOME_NET any -> [139.198.181.40] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197710/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197710; rev:1;) alert tcp $HOME_NET any -> [111.231.31.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197709/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197709; rev:1;) alert tcp $HOME_NET any -> [47.110.149.136] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197708/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197708; rev:1;) alert tcp $HOME_NET any -> [124.71.230.106] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197707/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197707; rev:1;) alert tcp 
$HOME_NET any -> [39.105.231.22] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197706/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197706; rev:1;) alert tcp $HOME_NET any -> [162.14.209.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197705/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197705; rev:1;) alert tcp $HOME_NET any -> [118.126.95.13] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197704/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197704; rev:1;) alert tcp $HOME_NET any -> [110.42.192.76] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197703/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197703; rev:1;) alert tcp $HOME_NET any -> [114.132.243.226] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197702/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197702; rev:1;) alert tcp $HOME_NET any -> [47.94.221.227] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197701/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197701; rev:1;) alert tcp $HOME_NET any -> [47.103.106.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197700/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197700; rev:1;) alert tcp $HOME_NET any -> [103.39.78.153] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197699/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197699; rev:1;) alert tcp $HOME_NET any -> [91.92.241.117] 8787 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197698/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197698; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 13144 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197697/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 13144 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197696/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197696; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 13144 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197695/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197695; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 13144 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197694/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197694; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 13144 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197693/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197693; rev:1;) alert tcp $HOME_NET any -> [95.219.222.31] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197692/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197692; rev:1;) alert tcp $HOME_NET any -> [105.186.229.243] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197691/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197691; rev:1;) alert tcp $HOME_NET any -> [94.192.238.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197690/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; 
sid:91197690; rev:1;) alert tcp $HOME_NET any -> [102.113.114.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197689/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197689; rev:1;) alert tcp $HOME_NET any -> [31.190.115.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197688/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197688; rev:1;) alert tcp $HOME_NET any -> [105.224.21.193] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197687/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197687; rev:1;) alert tcp $HOME_NET any -> [74.12.145.223] 2083 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197686/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197686; rev:1;) alert tcp $HOME_NET any -> [222.65.177.80] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197685/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197685; rev:1;) alert tcp $HOME_NET any -> [60.54.212.189] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197684/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197684; rev:1;) alert tcp $HOME_NET any -> [145.82.152.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197683/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197683; rev:1;) alert tcp $HOME_NET any -> [106.14.147.179] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197682/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197682; rev:1;) alert tcp $HOME_NET any -> [194.195.113.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197681/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197681; rev:1;) alert tcp $HOME_NET any -> [35.167.204.55] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197680/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197680; rev:1;) alert tcp $HOME_NET any -> [104.238.61.150] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197679/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197679; rev:1;) alert tcp $HOME_NET any -> [216.238.78.86] 6666 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197678/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197678; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197677/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197677; rev:1;) alert tcp $HOME_NET any -> [20.216.129.54] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197676/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197676; rev:1;) alert tcp $HOME_NET any -> [91.92.247.146] 14977 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3012.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3013.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197544/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; 
sid:91197544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3010.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3011.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3009.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"17.cmananan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197537/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3005.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"10.cmananan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197535/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"15.cmananan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197536/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30.cmananan.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197538/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aivoicechanger.cc"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"10-10.telecgram.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4.cmananan.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1197547/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3015.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197545/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3016.qmananan.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197546/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"482e6192z0.goho.co"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197548/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6.cmananan.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197549/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6x514937w5.goho.co"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197550/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; 
classtype:trojan-activity; sid:91197550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6xj.telegramh.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197551/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7001.aadaa1.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7002.aadaa1.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7003.aadaa1.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197554/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"792c682w73.goho.co"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"a2.aadaa1.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197556/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chao1323301.e1.luyouxia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197557/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hei.xjbtv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197558/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk.yunpingbao.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekn.asselst.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197560/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knight114.e1.luyouxia.net"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197561/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyy1010.e1.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197562/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfh520.e1.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197563/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfh521.e1.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197564/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyh111.e3.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197565/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmslcnmsb1.e2.luyouxia.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197566/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzh995188.e2.luyouxia.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197567/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"op114514.e1.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197568/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"player1.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197569/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.honker.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197570/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rere.e3.luyouxia.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197571/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; 
sid:91197571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sccwangluo.asselst.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197572/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shaoshuai3.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197573/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shengfutong-pay.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197574/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t1492261251.e1.luyouxia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197575/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vb147258.e1.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197576/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"wangchenchao.e1.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197577/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lqwljs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197579/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xy1.youjucan.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197580/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhj08.e2.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhodaji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197582/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6.tcp.us-cal-1.ngrok.io"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197668; rev:1;) alert tcp $HOME_NET any -> [54.176.73.138] 12288 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197667; rev:1;) alert tcp $HOME_NET any -> [101.36.106.114] 8443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197672/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"telemetry.africa"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197494; rev:1;) alert tcp $HOME_NET any -> [162.55.189.218] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197495/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197495; rev:1;) alert tcp $HOME_NET any -> [94.156.67.155] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197673/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197673; rev:1;) alert tcp 
$HOME_NET any -> [5.182.87.27] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197671/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197671; rev:1;) alert tcp $HOME_NET any -> [96.126.124.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197670/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197670; rev:1;) alert tcp $HOME_NET any -> [3.79.242.82] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197669/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197669; rev:1;) alert tcp $HOME_NET any -> [68.183.77.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197666/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197666; rev:1;) alert tcp $HOME_NET any -> [18.210.31.174] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197665/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197665; rev:1;) alert tcp $HOME_NET any -> [144.126.218.242] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197664/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197664; rev:1;) alert tcp $HOME_NET any -> [47.120.32.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197663; rev:1;) alert tcp $HOME_NET any -> [101.43.127.45] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197662; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197661; rev:1;) alert tcp $HOME_NET any -> [38.207.178.57] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197660; rev:1;) alert tcp $HOME_NET any -> [47.115.208.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197659; rev:1;) alert tcp $HOME_NET any -> [45.207.27.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197658; rev:1;) alert tcp $HOME_NET any -> [165.232.124.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197656; rev:1;) alert tcp $HOME_NET any -> [172.178.72.1] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197657; rev:1;) alert tcp $HOME_NET any -> [43.138.204.171] 8078 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197655/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197655; rev:1;) alert tcp $HOME_NET any -> [8.137.10.97] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197654/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bisongdamall.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197653/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_11_01; classtype:trojan-activity; sid:91197653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jangholi.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.doubleclickad.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197652; rev:1;) alert tcp $HOME_NET any -> [195.123.233.201] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197650; rev:1;) alert tcp $HOME_NET any -> [165.154.227.192] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197649/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_01; classtype:trojan-activity; sid:91197649; rev:1;) alert tcp $HOME_NET any -> [128.14.105.245] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197648/; target:src_ip; metadata: confidence_level 90, first_seen 2023_11_01; classtype:trojan-activity; sid:91197648; rev:1;) alert tcp $HOME_NET any -> [156.224.27.244] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197647/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197647; rev:1;) alert tcp $HOME_NET any -> [123.57.182.3] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197646/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197646; rev:1;) alert tcp $HOME_NET any -> [38.181.25.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197645; rev:1;) alert tcp $HOME_NET any -> [47.120.35.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197644; rev:1;) alert tcp $HOME_NET any -> [154.12.254.216] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197643; rev:1;) alert tcp $HOME_NET any -> [86.130.196.77] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; 
classtype:trojan-activity; sid:91197642; rev:1;) alert tcp $HOME_NET any -> [91.109.176.10] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197640; rev:1;) alert tcp $HOME_NET any -> [91.109.176.10] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197641; rev:1;) alert tcp $HOME_NET any -> [51.161.107.8] 1177 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197639; rev:1;) alert tcp $HOME_NET any -> [172.86.100.151] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"88-99-71-225.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.testsite.uno"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197636; rev:1;) alert tcp $HOME_NET any -> [13.48.77.144] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_11_01; classtype:trojan-activity; sid:91197635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.35.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197634/; target:src_ip; metadata: confidence_level 50, first_seen 2023_11_01; classtype:trojan-activity; sid:91197634; rev:1;) alert tcp $HOME_NET any -> [91.92.244.211] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197633/; target:src_ip; metadata: confidence_level 80, first_seen 2023_11_01; classtype:trojan-activity; sid:91197633; rev:1;) alert tcp $HOME_NET any -> [93.242.233.250] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197632/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197632; rev:1;) alert tcp $HOME_NET any -> [122.225.124.110] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197631/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197631; rev:1;) alert tcp $HOME_NET any -> [59.110.239.147] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197630/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197630; rev:1;) alert tcp $HOME_NET any -> [45.91.134.6] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197629/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197629; rev:1;) alert tcp $HOME_NET any -> [188.137.57.12] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197628/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197628; rev:1;) alert tcp $HOME_NET any -> [92.34.35.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197627/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197627; rev:1;) alert tcp $HOME_NET any -> [178.9.55.222] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197626/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197626; rev:1;) alert tcp $HOME_NET any -> [54.38.116.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197625/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197625; rev:1;) alert tcp $HOME_NET any -> [139.99.117.0] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197624/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197624; rev:1;) alert tcp $HOME_NET any -> [74.77.124.104] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197623/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197623; rev:1;) alert tcp $HOME_NET any -> [103.114.104.79] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197622/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197622; rev:1;) alert tcp $HOME_NET any -> [58.27.212.38] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197621/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197621; rev:1;) alert tcp $HOME_NET any -> [110.43.39.104] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197620/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197620; rev:1;) alert 
tcp $HOME_NET any -> [59.108.232.7] 8087 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197619/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197619; rev:1;) alert tcp $HOME_NET any -> [190.101.206.107] 81 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197618/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197618; rev:1;) alert tcp $HOME_NET any -> [122.193.120.44] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197617/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197617; rev:1;) alert tcp $HOME_NET any -> [81.30.254.247] 443 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197616/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197616; rev:1;) alert tcp $HOME_NET any -> [90.152.137.179] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197615/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197615; rev:1;) alert tcp $HOME_NET any -> [90.152.152.28] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197614/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197614; rev:1;) alert tcp $HOME_NET any -> [90.152.159.168] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197613/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197613; rev:1;) alert tcp $HOME_NET any -> [129.148.40.221] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197612/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197612; rev:1;) alert tcp $HOME_NET any -> [95.13.113.250] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197611/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197611; rev:1;) alert tcp $HOME_NET any -> [38.41.53.164] 84 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197610/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197610; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 54138 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197609/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197609; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55553 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197608/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197608; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2062 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197607/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197607; rev:1;) alert tcp $HOME_NET any -> [188.187.63.5] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197606/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197606; rev:1;) alert tcp $HOME_NET any -> [185.254.37.40] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197605/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197605; rev:1;) alert tcp $HOME_NET any -> [163.123.142.252] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197604/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197604; rev:1;) alert tcp $HOME_NET any -> [185.124.166.20] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197603/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197603; 
rev:1;) alert tcp $HOME_NET any -> [39.98.192.182] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197602/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197602; rev:1;) alert tcp $HOME_NET any -> [95.104.60.98] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197601/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197601; rev:1;) alert tcp $HOME_NET any -> [69.41.3.163] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197600/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197600; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197599/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197599; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197598/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197598; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55442 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197597/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197597; rev:1;) alert tcp $HOME_NET any -> [173.64.116.145] 55554 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197596/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197596; rev:1;) alert tcp $HOME_NET any -> [57.129.0.118] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197595/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197595; rev:1;) alert tcp $HOME_NET any -> [3.0.147.54] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197594/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197594; rev:1;) alert tcp $HOME_NET any -> [124.223.54.248] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197593/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197593; rev:1;) alert tcp $HOME_NET any -> [121.40.119.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197592/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197592; rev:1;) alert tcp $HOME_NET any -> [119.23.229.180] 50050 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197591/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197591; rev:1;) alert tcp $HOME_NET any -> [120.53.220.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197590/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197590; rev:1;) alert tcp $HOME_NET any -> [62.234.53.167] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197589/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197589; rev:1;) alert tcp $HOME_NET any -> [123.56.24.63] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197588/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197588; rev:1;) alert tcp $HOME_NET any -> [101.43.49.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197587/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197587; rev:1;) alert tcp $HOME_NET any -> [47.94.137.101] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197586/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_10_31; classtype:trojan-activity; sid:91197586; rev:1;) alert tcp $HOME_NET any -> [185.216.70.231] 80 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197585/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197585; rev:1;) alert tcp $HOME_NET any -> [85.209.11.185] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197584/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197584; rev:1;) alert tcp $HOME_NET any -> [91.103.253.146] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197583/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197583; rev:1;) alert tcp $HOME_NET any -> [3.83.233.35] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197532/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197532; rev:1;) alert tcp $HOME_NET any -> [106.54.216.162] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197531/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197531; rev:1;) alert tcp $HOME_NET any -> [91.103.253.146] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.54.216.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"115.159.205.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197528; rev:1;) alert tcp $HOME_NET any -> [106.54.216.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197527/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ckylake.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197526; rev:1;) alert tcp $HOME_NET any -> [54.166.213.120] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197525/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197525; rev:1;) alert tcp $HOME_NET any -> [51.68.144.135] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197524/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197524; rev:1;) alert tcp $HOME_NET any -> [139.84.141.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197523/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"eofjdo3zwxvbi57.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zgbn19mx"; depth:9; nocase; http.host; content:"poibvyctm21e.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"eofjdo3zwxvbi57.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eofjdo3zwxvbi57.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197519/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197519; rev:1;) alert tcp $HOME_NET any -> [105.108.28.61] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197518/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197518; rev:1;) alert tcp $HOME_NET any -> [2.50.16.232] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197517/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197517; rev:1;) alert tcp $HOME_NET any -> [88.229.79.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197516/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197516; rev:1;) alert tcp $HOME_NET any -> [102.159.175.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197515/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197515; rev:1;) alert tcp $HOME_NET any -> [190.28.101.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197514/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197514; rev:1;) alert tcp $HOME_NET any -> [78.180.99.106] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197513/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197513; rev:1;) alert tcp $HOME_NET any -> [197.0.51.109] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197512/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197512; rev:1;) alert tcp $HOME_NET any -> [190.133.226.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197511/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197511; rev:1;) alert tcp $HOME_NET any -> [108.49.159.2] 990 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197510/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197510; rev:1;) alert tcp $HOME_NET any -> [105.224.22.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197509/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197509; rev:1;) alert tcp $HOME_NET any -> [147.182.251.155] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197508/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197508; rev:1;) alert tcp $HOME_NET any -> [208.115.220.176] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197507/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197507; rev:1;) alert tcp $HOME_NET any -> [157.245.48.209] 143 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197506/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197506; rev:1;) alert tcp $HOME_NET any -> [216.189.155.134] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197505/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197505; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197504/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197504; rev:1;) alert tcp $HOME_NET any -> 
[103.57.250.152] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197502/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197502; rev:1;) alert tcp $HOME_NET any -> [103.57.250.152] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197503/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197503; rev:1;) alert tcp $HOME_NET any -> [47.103.205.56] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197501/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197501; rev:1;) alert tcp $HOME_NET any -> [60.204.206.200] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197500/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197500; rev:1;) alert tcp $HOME_NET any -> [38.60.251.60] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197499; rev:1;) alert tcp $HOME_NET any -> [185.196.8.143] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197498/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"loobrain.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197497/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197497; rev:1;) alert tcp $HOME_NET any -> [95.214.56.243] 443 (msg:"ThreatFox BumbleBee botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197496/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_31; classtype:trojan-activity; sid:91197496; rev:1;) alert tcp $HOME_NET any -> [38.181.44.106] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197493/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voice.aktivewebsitedesign.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"us.voiceaipro.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; 
sid:91197491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aivoicechanger.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197492; rev:1;) alert tcp $HOME_NET any -> [45.77.17.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197489/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197489; rev:1;) alert tcp $HOME_NET any -> [13.229.3.203] 18984 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baakbfe6kaj8.s.u00.ca"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197486; rev:1;) alert tcp $HOME_NET any -> [24.144.100.26] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197487; rev:1;) alert tcp $HOME_NET any -> [136.243.104.235] 443 (msg:"ThreatFox FlawedAmmyy botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197414; rev:1;) alert tcp $HOME_NET any -> [193.117.208.147] 7700 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s.u00.ca"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baakbmyvkaba.s.u00.ca"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197485; rev:1;) alert tcp $HOME_NET any -> [106.14.75.240] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197483; rev:1;) alert tcp $HOME_NET any -> [52.233.69.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; 
sid:91197484; rev:1;) alert tcp $HOME_NET any -> [106.14.75.240] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197482; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 7892 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197480; rev:1;) alert tcp $HOME_NET any -> [192.3.128.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197481; rev:1;) alert tcp $HOME_NET any -> [122.5.204.189] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197479; rev:1;) alert tcp $HOME_NET any -> [192.227.249.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197478; rev:1;) alert tcp $HOME_NET any -> [43.138.199.178] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1197476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197476; rev:1;) alert tcp $HOME_NET any -> [185.254.37.184] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197477; rev:1;) alert tcp $HOME_NET any -> [120.79.225.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197475; rev:1;) alert tcp $HOME_NET any -> [45.204.80.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197474; rev:1;) alert tcp $HOME_NET any -> [38.207.178.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197472; rev:1;) alert tcp $HOME_NET any -> [38.207.178.57] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197473/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197473; rev:1;) alert tcp $HOME_NET any -> 
[18.212.92.122] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197471; rev:1;) alert tcp $HOME_NET any -> [202.165.122.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197469; rev:1;) alert tcp $HOME_NET any -> [207.246.77.95] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197470; rev:1;) alert tcp $HOME_NET any -> [47.113.204.127] 5792 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197468; rev:1;) alert tcp $HOME_NET any -> [43.138.187.61] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197467; rev:1;) alert tcp $HOME_NET any -> [77.73.131.134] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197466; rev:1;) alert tcp $HOME_NET any -> [115.159.205.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197465; rev:1;) alert tcp $HOME_NET any -> [47.92.146.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197464; rev:1;) alert tcp $HOME_NET any -> [45.204.80.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197462; rev:1;) alert tcp $HOME_NET any -> [13.209.8.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197463; rev:1;) alert tcp $HOME_NET any -> [45.121.48.114] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197461/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197461; rev:1;) alert tcp $HOME_NET any -> [18.207.168.29] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197460/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197460; rev:1;) alert tcp $HOME_NET any -> [123.57.172.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197458/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197458; rev:1;) alert tcp $HOME_NET any -> [101.43.170.225] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197459/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197459; rev:1;) alert tcp $HOME_NET any -> [20.64.84.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197457; rev:1;) alert tcp $HOME_NET any -> [202.165.122.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apps.hongsheng6898.vip"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197456/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.adobe-research.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.msexplorer.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients.loadbalance-akadns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197453; rev:1;) alert tcp $HOME_NET any -> [178.128.144.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197451/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_31; classtype:trojan-activity; sid:91197451; rev:1;) alert tcp $HOME_NET any -> [14.1.57.196] 20034 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197450; rev:1;) alert tcp 
$HOME_NET any -> [111.203.154.198] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197449/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_31; classtype:trojan-activity; sid:91197449; rev:1;) alert tcp $HOME_NET any -> [165.154.227.192] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197447/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_31; classtype:trojan-activity; sid:91197447; rev:1;) alert tcp $HOME_NET any -> [88.119.169.116] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197448/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_31; classtype:trojan-activity; sid:91197448; rev:1;) alert tcp $HOME_NET any -> [5.252.178.38] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197446/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_31; classtype:trojan-activity; sid:91197446; rev:1;) alert tcp $HOME_NET any -> [5.252.178.38] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197445/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_31; classtype:trojan-activity; sid:91197445; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2116 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197444/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197444; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197443; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197441; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2145 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197442; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197440/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197440; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 1756 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197438/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197438; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197439/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197439; rev:1;) alert tcp $HOME_NET any -> [45.251.240.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197437/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197437; rev:1;) alert tcp $HOME_NET any -> [164.92.83.74] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197436/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197436; rev:1;) alert tcp $HOME_NET any -> [138.91.111.23] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197435/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197435; rev:1;) alert tcp $HOME_NET any -> [212.192.12.222] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197434; rev:1;) alert tcp $HOME_NET any -> [1.54.107.38] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; 
classtype:trojan-activity; sid:91197433; rev:1;) alert tcp $HOME_NET any -> [149.56.244.237] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197432; rev:1;) alert tcp $HOME_NET any -> [192.3.86.10] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197431; rev:1;) alert tcp $HOME_NET any -> [191.82.252.100] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197430/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197430; rev:1;) alert tcp $HOME_NET any -> [145.239.200.145] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197429; rev:1;) alert tcp $HOME_NET any -> [216.244.84.180] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197428; rev:1;) alert tcp $HOME_NET any -> [91.109.188.2] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1197427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197427; rev:1;) alert tcp $HOME_NET any -> [91.109.188.2] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197426; rev:1;) alert tcp $HOME_NET any -> [186.102.174.131] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idpm.stellantis-service.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197424; rev:1;) alert tcp $HOME_NET any -> [192.3.255.42] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197422/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns2.4399tv.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197421/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197421; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.4399tv.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197419/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns1.4399tv.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197420; rev:1;) alert tcp $HOME_NET any -> [18.226.79.33] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"activity.quicksmartmoney.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197417; rev:1;) alert tcp $HOME_NET any -> [45.178.180.24] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197416/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197416; rev:1;) alert tcp $HOME_NET any -> [198.13.41.138] 25002 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197413; rev:1;) alert tcp $HOME_NET any -> [207.191.226.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197412/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197412; rev:1;) alert tcp $HOME_NET any -> [20.57.137.253] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197411/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"metallife.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197401/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frightysever.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197402/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bigbricks.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197403/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; 
classtype:trojan-activity; sid:91197403; rev:1;) alert tcp $HOME_NET any -> [95.214.26.19] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197404/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197404; rev:1;) alert tcp $HOME_NET any -> [95.214.26.24] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197405/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"36.110.138.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"165.227.68.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.127.45"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1197408/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"18.163.193.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197407/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"202.165.122.10"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197406/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197406; rev:1;) alert tcp $HOME_NET any -> [5.161.69.1] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197400/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197400; rev:1;) alert tcp $HOME_NET any -> [50.116.54.138] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197395/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197395; rev:1;) alert tcp $HOME_NET any -> [15.235.47.80] 23399 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197396/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197396; rev:1;) alert tcp $HOME_NET any -> [51.195.232.97] 13782 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197397/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197397; rev:1;) alert tcp $HOME_NET any -> [15.235.45.155] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197398/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197398; rev:1;) alert tcp $HOME_NET any -> [51.79.143.215] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197399/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pvuln/foede"; depth:12; nocase; http.host; content:"49.13.119.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197394/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dboztxs/coman"; depth:14; nocase; http.host; content:"49.13.94.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197393/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197392/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.207.5.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197391/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.207.29.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197390/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"39.107.113.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197389/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.37.198.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197388/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197387/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"89.23.103.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197386/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"165.227.141.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197385/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"d3a95mnixoebky.cloudfront.net"; 
depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197384/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"81.161.229.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197383/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197382/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"16.162.90.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197381/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ona65mv/flust"; depth:14; nocase; http.host; content:"208.167.242.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197380/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; 
classtype:trojan-activity; sid:91197380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/la6p/rapie"; depth:11; nocase; http.host; content:"149.28.72.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197379/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76dkn6/plast"; depth:13; nocase; http.host; content:"188.34.192.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197377/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zaiv/guern"; depth:11; nocase; http.host; content:"45.76.171.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197378/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197378; rev:1;) alert tcp $HOME_NET any -> [139.144.97.180] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197375; rev:1;) alert tcp $HOME_NET any -> [140.82.56.164] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197376/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"18.163.193.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197374; rev:1;) alert tcp $HOME_NET any -> [146.190.145.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"146.190.145.40"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/contact/v9.23/aodfy6x8uv"; depth:25; nocase; http.host; content:"142.93.2.25"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/design/query/9x5m3soe0f"; depth:24; nocase; http.host; content:"84.32.131.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.192.229.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"110.41.142.241"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css3/index2.shtml"; depth:18; nocase; http.host; content:"162.244.80.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197367; rev:1;) alert tcp $HOME_NET any -> [54.94.98.53] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197366/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197366; rev:1;) alert tcp $HOME_NET any -> [23.105.207.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197365/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197365; rev:1;) alert tcp $HOME_NET any -> [106.13.15.6] 8009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197364/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197364; rev:1;) alert tcp $HOME_NET any -> [64.190.113.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197363/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197363; rev:1;) alert tcp $HOME_NET any -> [103.102.5.180] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/43350307.php"; depth:13; nocase; http.host; content:"ct70489.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197361; rev:1;) alert tcp $HOME_NET any -> 
[146.70.149.61] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197360; rev:1;) alert tcp $HOME_NET any -> [136.244.104.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197357/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197357; rev:1;) alert tcp $HOME_NET any -> [193.142.59.240] 5151 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197356/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_31; classtype:trojan-activity; sid:91197356; rev:1;) alert tcp $HOME_NET any -> [54.164.160.66] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197355/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197355; rev:1;) alert tcp $HOME_NET any -> [195.201.175.22] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197354/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197354; rev:1;) alert tcp $HOME_NET any -> [51.68.147.114] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197353/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197353; rev:1;) alert tcp $HOME_NET any -> [154.3.1.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197352/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197352; rev:1;) alert tcp $HOME_NET any -> [104.233.140.138] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197351/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197351; rev:1;) alert tcp $HOME_NET any -> [187.224.31.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197350/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197350; rev:1;) alert tcp $HOME_NET any -> [79.130.56.110] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197349/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197349; rev:1;) alert tcp $HOME_NET any -> [102.159.105.82] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197348/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197348; rev:1;) alert tcp $HOME_NET any -> [217.165.235.169] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197347/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197347; rev:1;) alert tcp $HOME_NET any -> [76.68.170.117] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197346/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197346; rev:1;) alert tcp $HOME_NET any -> [80.78.22.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197345/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197345; rev:1;) alert tcp $HOME_NET any -> [35.221.29.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197344/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197344; rev:1;) alert tcp $HOME_NET any -> [104.238.61.150] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197343/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197343; rev:1;) alert tcp $HOME_NET any -> [104.238.61.150] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197342/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_31; classtype:trojan-activity; sid:91197342; rev:1;) alert tcp $HOME_NET any -> [185.163.47.137] 443 
(msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/111.php"; depth:8; nocase; http.host; content:"pdfinfinity.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"cinaprofilm.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/minlen.php"; depth:18; nocase; http.host; content:"cinaprofilm.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.249.33"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1197282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"susohudan.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"climedballon.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197277; rev:1;) alert tcp $HOME_NET any -> [49.232.233.128] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197341/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197341; rev:1;) alert tcp $HOME_NET any -> [103.239.247.51] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197340/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"045885cm.nyashcrack.top"; depth:23; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnajunfmvxskf"; depth:14; nocase; http.host; content:"146.190.157.174"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197338; rev:1;) alert tcp $HOME_NET any -> [181.217.95.27] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197337; rev:1;) alert tcp $HOME_NET any -> [54.234.203.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197336/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197336; rev:1;) alert tcp $HOME_NET any -> [84.32.131.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197335/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197335; rev:1;) alert tcp $HOME_NET any -> [114.55.177.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197334/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_10_31; classtype:trojan-activity; sid:91197334; rev:1;) alert tcp $HOME_NET any -> [194.180.49.42] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197333/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197333; rev:1;) alert tcp $HOME_NET any -> [104.243.242.103] 44662 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_31; classtype:trojan-activity; sid:91197332; rev:1;) alert tcp $HOME_NET any -> [144.34.175.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197331/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197331; rev:1;) alert tcp $HOME_NET any -> [95.217.214.127] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197330/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197330; rev:1;) alert tcp $HOME_NET any -> [65.109.177.145] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197325/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197325; rev:1;) alert tcp $HOME_NET any -> [36.110.138.149] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197324/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_31; classtype:trojan-activity; sid:91197324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/axca"; depth:5; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197323/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197323; rev:1;) alert tcp $HOME_NET any -> [118.89.125.171] 6536 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.90.152.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197316; rev:1;) alert tcp $HOME_NET any -> [195.201.34.151] 2083 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197317; rev:1;) alert tcp $HOME_NET any -> [142.132.204.231] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1197318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197318; rev:1;) alert tcp $HOME_NET any -> [116.202.182.32] 2083 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197319; rev:1;) alert tcp $HOME_NET any -> [89.38.135.11] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197320; rev:1;) alert tcp $HOME_NET any -> [157.90.152.131] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.182.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"89.38.135.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197315/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.204.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.34.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197312/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/octobrains"; depth:11; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197309; rev:1;) alert tcp $HOME_NET any -> [195.201.249.33] 2083 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197310; rev:1;) alert tcp $HOME_NET any -> [5.75.209.4] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1197311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199566884947"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getfiles.zip"; depth:13; nocase; http.host; content:"5.75.209.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getfiles.zip"; depth:13; nocase; http.host; content:"195.201.249.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197304; 
rev:1;) alert tcp $HOME_NET any -> [47.108.227.145] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197305; rev:1;) alert tcp $HOME_NET any -> [103.146.179.69] 8834 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197303; rev:1;) alert tcp $HOME_NET any -> [202.165.122.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197302; rev:1;) alert tcp $HOME_NET any -> [172.245.126.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197301; rev:1;) alert tcp $HOME_NET any -> [18.167.72.152] 17465 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197300; rev:1;) alert tcp $HOME_NET any -> [18.163.193.10] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1197299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197299; rev:1;) alert tcp $HOME_NET any -> [18.163.193.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.gpt-use.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197297; rev:1;) alert tcp $HOME_NET any -> [52.195.211.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197296/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_30; classtype:trojan-activity; sid:91197296; rev:1;) alert tcp $HOME_NET any -> [100.25.110.137] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197295; rev:1;) alert tcp $HOME_NET any -> [92.87.6.121] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197294; rev:1;) alert tcp $HOME_NET any -> [45.12.253.222] 115 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197293; rev:1;) alert tcp $HOME_NET any -> [138.197.62.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viapaths.co.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resources/main.js"; depth:18; nocase; http.host; content:"viapaths.co.uk"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197290; rev:1;) alert tcp $HOME_NET any -> [104.194.233.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cs.10011.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"cs.10011.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197287; rev:1;) alert tcp $HOME_NET any -> [3.123.1.189] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197286/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197286; rev:1;) alert tcp $HOME_NET any -> [42.51.45.98] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197285/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197285; rev:1;) alert tcp $HOME_NET any -> [8.210.114.200] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197283/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197283; rev:1;) alert tcp $HOME_NET any -> [87.251.67.169] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197281/; target:src_ip; 
metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197281; rev:1;) alert tcp $HOME_NET any -> [193.109.120.249] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197280/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197280; rev:1;) alert tcp $HOME_NET any -> [193.168.141.50] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197279/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197279; rev:1;) alert tcp $HOME_NET any -> [193.168.141.39] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197278/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197278; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 15928 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197276; rev:1;) alert tcp $HOME_NET any -> [45.137.22.173] 7802 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197275; rev:1;) alert tcp $HOME_NET any -> [34.143.178.184] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197274/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197274; rev:1;) alert tcp $HOME_NET any -> [91.109.188.2] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197273; rev:1;) alert tcp $HOME_NET any -> [3.145.111.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197272/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197272; rev:1;) alert tcp $HOME_NET any -> [18.139.9.214] 17648 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197271; rev:1;) alert tcp $HOME_NET any -> [18.136.148.247] 17648 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197269; rev:1;) alert tcp $HOME_NET any -> [13.229.3.203] 17648 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197270; rev:1;) alert tcp $HOME_NET any -> [52.220.121.212] 
17648 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197268; rev:1;) alert tcp $HOME_NET any -> [23.251.128.205] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197267/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197267; rev:1;) alert tcp $HOME_NET any -> [64.176.44.81] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197266/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197266; rev:1;) alert tcp $HOME_NET any -> [202.182.121.203] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197265/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197265; rev:1;) alert tcp $HOME_NET any -> [104.200.28.75] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197264/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197264; rev:1;) alert tcp $HOME_NET any -> [158.247.210.203] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197263/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_10_30; classtype:trojan-activity; sid:91197263; rev:1;) alert tcp $HOME_NET any -> [77.49.51.13] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197262/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197262; rev:1;) alert tcp $HOME_NET any -> [39.40.191.36] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197261/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197261; rev:1;) alert tcp $HOME_NET any -> [188.49.64.23] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197260/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197260; rev:1;) alert tcp $HOME_NET any -> [5.193.89.53] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197259/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197259; rev:1;) alert tcp $HOME_NET any -> [37.210.162.30] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197258/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197258; rev:1;) alert tcp $HOME_NET any -> [217.165.15.244] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1197257/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197257; rev:1;) alert tcp $HOME_NET any -> [45.62.74.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197256/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197256; rev:1;) alert tcp $HOME_NET any -> [52.12.216.60] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197255/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197255; rev:1;) alert tcp $HOME_NET any -> [134.195.198.40] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197254/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197254; rev:1;) alert tcp $HOME_NET any -> [104.238.61.150] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197253/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197253; rev:1;) alert tcp $HOME_NET any -> [180.165.189.185] 17272 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197252/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197252; rev:1;) alert tcp $HOME_NET any -> [185.173.38.57] 80 (msg:"ThreatFox RedLine Stealer botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197251/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foxgazafreego.mypsx.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197250/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197250; rev:1;) alert tcp $HOME_NET any -> [149.100.158.96] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197249/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197249; rev:1;) alert tcp $HOME_NET any -> [45.204.80.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197248/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197248; rev:1;) alert tcp $HOME_NET any -> [194.169.175.220] 30615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197247/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"kowersize.fun"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197246/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197246; rev:1;) alert tcp $HOME_NET any -> [95.142.40.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197245/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"345727892cm.whiteproducts.ru"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197244/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197244; rev:1;) alert tcp $HOME_NET any -> [37.156.26.161] 10000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197243/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197243; rev:1;) alert tcp $HOME_NET any -> [3.71.53.238] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197242/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197242; rev:1;) alert tcp $HOME_NET any -> [162.244.80.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197241/; target:src_ip; metadata: confidence_level 80, 
first_seen 2023_10_30; classtype:trojan-activity; sid:91197241; rev:1;) alert tcp $HOME_NET any -> [185.130.226.220] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197233/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/work/83461806.img"; depth:18; nocase; http.host; content:"atelierzolotas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197234/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webdataspace.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197239/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197239; rev:1;) alert tcp $HOME_NET any -> [8.219.231.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197238/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197238; rev:1;) alert tcp $HOME_NET any -> [206.237.2.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197237/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197237; rev:1;) alert tcp 
$HOME_NET any -> [202.165.122.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197236/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197236; rev:1;) alert tcp $HOME_NET any -> [38.147.172.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197235/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197235; rev:1;) alert tcp $HOME_NET any -> [192.121.87.187] 8081 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197232/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197232; rev:1;) alert tcp $HOME_NET any -> [154.12.83.47] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197231/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poibvyctm21e.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197229/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; 
nocase; http.host; content:"volkstera.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197230/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvmd54/"; depth:8; nocase; http.host; content:"poibvyctm21e.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197228/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197228; rev:1;) alert tcp $HOME_NET any -> [8.134.71.235] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197227/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197227; rev:1;) alert tcp $HOME_NET any -> [8.134.71.235] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197226/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197226; rev:1;) alert tcp $HOME_NET any -> [45.204.80.50] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197225/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197225; rev:1;) alert tcp $HOME_NET any -> [193.42.61.102] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197224/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197224; rev:1;) alert tcp $HOME_NET any -> [101.43.70.206] 19999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197223/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197223; rev:1;) alert tcp $HOME_NET any -> [138.197.62.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197222/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197222; rev:1;) alert tcp $HOME_NET any -> [8.134.154.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197221/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197221; rev:1;) alert tcp $HOME_NET any -> [178.128.123.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197219/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197219; rev:1;) alert tcp $HOME_NET any -> [80.76.51.99] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197220/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197220; rev:1;) alert tcp $HOME_NET any -> [23.94.179.33] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197218/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197218; rev:1;) alert tcp $HOME_NET any -> [165.154.130.222] 3344 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197217/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197217; rev:1;) alert tcp $HOME_NET any -> [94.156.6.67] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197216/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197216; rev:1;) alert tcp $HOME_NET any -> [175.178.229.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197215/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197215; rev:1;) alert tcp $HOME_NET any -> [111.92.243.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197214/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197214; rev:1;) alert tcp $HOME_NET any -> [111.92.243.88] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197213/; target:src_ip; metadata: 
confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197213; rev:1;) alert tcp $HOME_NET any -> [77.73.131.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197211/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197211; rev:1;) alert tcp $HOME_NET any -> [77.73.131.134] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197212/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197212; rev:1;) alert tcp $HOME_NET any -> [106.54.227.251] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197210/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197210; rev:1;) alert tcp $HOME_NET any -> [45.204.80.66] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197208; rev:1;) alert tcp $HOME_NET any -> [45.204.80.59] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197209; rev:1;) alert tcp $HOME_NET any -> [47.108.227.145] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197207/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197207; rev:1;) alert tcp $HOME_NET any -> [118.178.253.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197206; rev:1;) alert tcp $HOME_NET any -> [115.159.221.202] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197205/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197205; rev:1;) alert tcp $HOME_NET any -> [115.159.221.202] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197204/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197204; rev:1;) alert tcp $HOME_NET any -> [79.124.78.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197203; rev:1;) alert tcp $HOME_NET any -> [123.249.40.118] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; 
classtype:trojan-activity; sid:91197202; rev:1;) alert tcp $HOME_NET any -> [43.139.26.210] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197201; rev:1;) alert tcp $HOME_NET any -> [79.133.180.226] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197200; rev:1;) alert tcp $HOME_NET any -> [101.43.112.74] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197199; rev:1;) alert tcp $HOME_NET any -> [206.119.171.239] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197198; rev:1;) alert tcp $HOME_NET any -> [43.139.146.14] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197197; rev:1;) alert tcp $HOME_NET any -> [144.168.61.116] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197196; rev:1;) alert tcp $HOME_NET any -> [47.98.250.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197195; rev:1;) alert tcp $HOME_NET any -> [43.143.141.97] 3100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"festive-jones.68-183-220-248.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpha.kehulaile.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysqlrunner-ha-4dbbd03e.mysql.database.azure.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197190/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-merkle.68-183-220-248.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vicoin.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clubpro.space"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distracted-perlman.57-128-165-239.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasbulla.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91197186; rev:1;) alert tcp $HOME_NET any -> [146.185.219.33] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197185/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_30; classtype:trojan-activity; sid:91197185; rev:1;) alert tcp $HOME_NET any -> [46.17.103.152] 8081 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197184/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_30; classtype:trojan-activity; sid:91197184; rev:1;) alert tcp $HOME_NET any -> [187.135.139.197] 2176 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197183; rev:1;) alert tcp $HOME_NET any -> [187.135.139.197] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197181; rev:1;) alert tcp $HOME_NET any -> [187.135.139.197] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197182/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197182; rev:1;) alert tcp $HOME_NET any -> [187.135.139.197] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197179/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197179; rev:1;) alert tcp $HOME_NET any -> [187.135.139.197] 1722 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197180/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197180; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197178/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197178; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197176; rev:1;) alert tcp $HOME_NET any -> [189.250.28.178] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197177; rev:1;) alert tcp $HOME_NET any -> [79.192.178.52] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197175/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197175; rev:1;) alert tcp $HOME_NET any -> [84.177.193.163] 5000 (msg:"ThreatFox Pikabot 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197174/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197174; rev:1;) alert tcp $HOME_NET any -> [23.26.76.142] 2004 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197173/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197173; rev:1;) alert tcp $HOME_NET any -> [116.102.233.195] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197172/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.yihuan.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197171/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197171; rev:1;) alert tcp $HOME_NET any -> [35.225.49.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197170/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197170; rev:1;) alert tcp $HOME_NET any -> [85.215.194.162] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197169/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197169; rev:1;) alert tcp $HOME_NET any -> [45.77.3.60] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197167/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197167; rev:1;) alert tcp $HOME_NET any -> [107.148.238.82] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197168/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contacto25.stafsolutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197166/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197166; rev:1;) alert tcp $HOME_NET any -> [211.62.168.220] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197165/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197165; rev:1;) alert tcp $HOME_NET any -> [191.82.223.103] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197164/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197164; rev:1;) alert tcp $HOME_NET any -> [144.126.159.54] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197163/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197163; rev:1;) alert tcp $HOME_NET any -> [213.195.120.176] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197162/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197162; rev:1;) alert tcp $HOME_NET any -> [88.251.135.18] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197160/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197160; rev:1;) alert tcp $HOME_NET any -> [213.195.120.176] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197161/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197161; rev:1;) alert tcp $HOME_NET any -> [88.251.135.18] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197159/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197159; rev:1;) alert tcp $HOME_NET any -> [216.244.84.180] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197157/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91197157; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197158/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197158; rev:1;) alert tcp $HOME_NET any -> [197.246.187.103] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197156/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197156; rev:1;) alert tcp $HOME_NET any -> [91.109.188.8] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197154; rev:1;) alert tcp $HOME_NET any -> [186.102.174.131] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197155; rev:1;) alert tcp $HOME_NET any -> [197.246.199.162] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197153; rev:1;) alert tcp $HOME_NET any -> [91.109.180.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197152; rev:1;) alert tcp $HOME_NET any -> [187.24.71.243] 5155 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197150; rev:1;) alert tcp $HOME_NET any -> [187.24.71.243] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197151/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197151; rev:1;) alert tcp $HOME_NET any -> [185.241.208.136] 1177 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-202-151-94.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197148/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmd119001.contaboserver.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197147; rev:1;) 
alert tcp $HOME_NET any -> [185.222.58.83] 1780 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197146/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"110.40.184.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197145/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.220.215.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.165.220"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.207.20.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197141; rev:1;) alert tcp $HOME_NET any -> [202.165.122.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197140/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197140; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 13490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197138; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 13490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197139; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 13490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197137/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_10_30; classtype:trojan-activity; sid:91197137; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 13490 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"106.54.227.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.45.85.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.43.170.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197133; rev:1;) alert tcp $HOME_NET any -> [91.103.253.21] 1080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1197132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ku.js"; depth:6; nocase; http.host; content:"databasewebdevelopment.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"databasewebdevelopment.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"194.26.135.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"175.178.3.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197128; rev:1;) alert tcp $HOME_NET any -> [51.222.194.216] 443 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"setrester.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stop/v6.62/b6b0lqmj"; depth:20; nocase; http.host; content:"setrester.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197125; rev:1;) alert tcp $HOME_NET any -> [106.54.227.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197124; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 2531 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197123; rev:1;) alert tcp $HOME_NET any -> [45.137.22.182] 1781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1197122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erikskite.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasaprodu.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gcdnbabl3png.erikskite.fun"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197121; rev:1;) alert tcp $HOME_NET any -> [137.220.202.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197118/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197118; rev:1;) alert tcp $HOME_NET any -> [18.234.109.250] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197117/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91197117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"guhomush.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197116; rev:1;) alert tcp $HOME_NET any -> [18.195.40.238] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197115/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197115; rev:1;) alert tcp $HOME_NET any -> [167.235.247.158] 8056 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197114/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197114; rev:1;) alert tcp $HOME_NET any -> [116.198.203.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197113/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197113; rev:1;) alert tcp $HOME_NET any -> [142.234.157.35] 8056 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197112/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197112; rev:1;) alert tcp $HOME_NET any -> [172.234.16.175] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197111/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197111; rev:1;) alert tcp $HOME_NET any -> [65.20.82.17] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197110/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197110; rev:1;) alert tcp $HOME_NET any -> [164.155.201.130] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197109/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197109; rev:1;) alert tcp $HOME_NET any -> [124.70.13.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197108/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197108; rev:1;) alert tcp $HOME_NET any -> [101.43.127.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197107/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197107; rev:1;) alert tcp $HOME_NET any -> [159.65.235.56] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197106/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91197106; rev:1;) alert tcp $HOME_NET any -> [197.0.244.88] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197105/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197105; rev:1;) alert tcp $HOME_NET any -> [105.108.190.169] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197104/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197104; rev:1;) alert tcp $HOME_NET any -> [105.108.190.169] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197103/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197103; rev:1;) alert tcp $HOME_NET any -> [2.50.137.63] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197102/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197102; rev:1;) alert tcp $HOME_NET any -> [142.154.18.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197101/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197101; rev:1;) alert tcp $HOME_NET any -> [112.29.177.34] 10036 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197100/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197100; rev:1;) alert tcp $HOME_NET any -> [45.61.130.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197099/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197099; rev:1;) alert tcp $HOME_NET any -> [103.159.133.163] 20321 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197098/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5wbqfdsw44c35w"; depth:16; nocase; http.host; content:"146.190.157.174"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197097/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197097; rev:1;) alert tcp $HOME_NET any -> [139.99.153.82] 8181 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196920/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196920; rev:1;) alert tcp $HOME_NET any -> [138.201.189.141] 4444 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196921/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196921; rev:1;) alert 
tcp $HOME_NET any -> [147.185.221.16] 45753 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196922/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196922; rev:1;) alert tcp $HOME_NET any -> [41.216.188.29] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196924/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196924; rev:1;) alert tcp $HOME_NET any -> [163.5.215.212] 1337 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196923/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196923; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 57076 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196925/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196925; rev:1;) alert tcp $HOME_NET any -> [163.5.215.212] 8072 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196926/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196926; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 56343 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196927/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196927; rev:1;) alert tcp $HOME_NET any -> [95.164.18.46] 2608 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196929/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196929; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 61360 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196928/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196928; rev:1;) alert tcp $HOME_NET any -> [157.254.223.19] 8000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196930/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196930; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 57012 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196931/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/testo5/"; depth:8; nocase; http.host; content:"89.119.67.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196947/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196947; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kukutrustnet777888.info"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196948/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"klkjwre77638dfqwieuoi888.info"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196949/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.klkjwre9fqwieluoi.info"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196950/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_az/"; depth:5; nocase; http.host; content:"pois.in"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196956/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; 
depth:10; nocase; http.host; content:"serviceadminwebmailboxupgrace.biz.wf"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196957/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chi/index.php"; depth:14; nocase; http.host; content:"37.72.175.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196958/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"josebrazuca-44072.portmap.host"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196959/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"74.201.28.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196960/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/break/"; depth:7; nocase; http.host; content:"149.56.173.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196961/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cass/index.php"; depth:15; nocase; http.host; content:"209.61.195.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196962/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/87778/index.php"; depth:16; nocase; http.host; content:"up908.viewdns.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196965/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naz/index.php"; depth:14; nocase; http.host; content:"209.61.195.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196963/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_az/"; depth:5; nocase; http.host; content:"work.wrklantc.in"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196964/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196964; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calm/index.php"; depth:15; nocase; http.host; content:"104.152.185.198"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196966/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/007/index.php"; depth:14; nocase; http.host; content:"178.216.50.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196967/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cool/index.php"; depth:15; nocase; http.host; content:"104.171.121.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196968/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196968; rev:1;) alert tcp $HOME_NET any -> [37.217.2.176] 7777 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196970/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196970; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 60921 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196971/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_10_30; classtype:trojan-activity; sid:91196971; rev:1;) alert tcp $HOME_NET any -> [95.214.27.6] 3366 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196972/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196972; rev:1;) alert tcp $HOME_NET any -> [2.59.254.111] 3346 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196973/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196973; rev:1;) alert tcp $HOME_NET any -> [179.61.237.12] 443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196974/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196974; rev:1;) alert tcp $HOME_NET any -> [95.214.27.83] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196975/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196975; rev:1;) alert tcp $HOME_NET any -> [193.142.59.106] 5832 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196976/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196976; rev:1;) alert tcp $HOME_NET any -> [185.255.114.50] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1196977/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196977; rev:1;) alert tcp $HOME_NET any -> [185.225.73.200] 2580 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196978/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196978; rev:1;) alert tcp $HOME_NET any -> [80.66.75.51] 37481 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196979/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gfkodssnvosdjvlksnvldkj.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196980/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"donpapii.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196981/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spm23.casacam.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196982/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91196982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rdpown.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196983/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"apples.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196984/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lestfuckinggoon.broke-it.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196985/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sdvjhdibvcksdnvisdhvsds.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196986/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"war.bumbleshrimp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196987/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 50%)"; dns_query; content:"danielitopt.con-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196988/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sxvcddhcbdjcbixg.con-ip.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196989/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dsojvhocnvlkvokcvond.con-ip.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196990/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"haroldmoscotelora09.con-ip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196992/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"whitecat.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196991/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"asegurar100.4cloud.click"; 
depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196993/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"grantadistciaret.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196994/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"filwelreg.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196995/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blackrockxp.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196996/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"somto.ydns.eu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196997/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"drivebackupupdate.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196999/; target:src_ip; metadata: 
confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"miradores.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196998/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91196998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kashrteletts.giize.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197000/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"secure.cloudproxyserv.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197001/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sheddy1122.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197002/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197002; rev:1;) alert tcp $HOME_NET any -> [103.114.106.183] 47074 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196914/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196914; rev:1;) alert tcp $HOME_NET any -> 
[51.81.216.78] 1111 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196916/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196916; rev:1;) alert tcp $HOME_NET any -> [20.197.231.178] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196918/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196918; rev:1;) alert tcp $HOME_NET any -> [66.94.97.98] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196917/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196917; rev:1;) alert tcp $HOME_NET any -> [20.229.184.215] 65350 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196913/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196913; rev:1;) alert tcp $HOME_NET any -> [101.99.92.161] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196915/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196915; rev:1;) alert tcp $HOME_NET any -> [216.230.73.215] 6789 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196919/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196919; rev:1;) alert tcp $HOME_NET any -> [51.89.158.83] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196912/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frostycheats-30646.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196910/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lee44.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196911/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adult-purchased.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196909/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rules-views.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196907/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jameshde18.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196905/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testarosa.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196903/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mike09-55168.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196902/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mode-apollo.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196900/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"face-kissing.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196897/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"serverwindor.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196898/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmsh.publicvm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196899/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"androidmedallo.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196896/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brightle.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196893/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsmanagerhost.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196892/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friend-deer.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1196888/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196888; rev:1;) alert tcp $HOME_NET any -> [103.192.226.100] 8000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196873/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196873; rev:1;) alert tcp $HOME_NET any -> [103.192.226.100] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196874/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196874; rev:1;) alert tcp $HOME_NET any -> [103.56.53.106] 110 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196875/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196875; rev:1;) alert tcp $HOME_NET any -> [103.56.53.106] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196876/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196876; rev:1;) alert tcp $HOME_NET any -> [103.56.53.106] 5938 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196877/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196877; rev:1;) alert tcp $HOME_NET any -> [103.56.53.106] 80 (msg:"ThreatFox PlugX botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196878/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196878; rev:1;) alert tcp $HOME_NET any -> [45.134.83.41] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196879/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196879; rev:1;) alert tcp $HOME_NET any -> [45.134.83.41] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196880/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196880; rev:1;) alert tcp $HOME_NET any -> [45.134.83.41] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196881/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196881; rev:1;) alert tcp $HOME_NET any -> [45.142.166.112] 110 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196882/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196882; rev:1;) alert tcp $HOME_NET any -> [45.142.166.112] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196883/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91196883; rev:1;) alert tcp $HOME_NET any -> [45.251.240.55] 443 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196884/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196884; rev:1;) alert tcp $HOME_NET any -> [45.251.240.55] 8000 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196885/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196885; rev:1;) alert tcp $HOME_NET any -> [45.251.240.55] 8080 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196886/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196886; rev:1;) alert tcp $HOME_NET any -> [103.192.226.100] 5938 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196871/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196871; rev:1;) alert tcp $HOME_NET any -> [103.192.226.100] 80 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196872/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.quochoice.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1196868/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.systeminfor.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196869/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rainydaysweb.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196865/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.manager2013.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196867/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196867; rev:1;) alert tcp $HOME_NET any -> [103.192.226.100] 110 (msg:"ThreatFox PlugX botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196870/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.apple-net.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196866/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; 
sid:91196866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"detail.misecure.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196863/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hdviet.tv-vn.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196864/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91196864; rev:1;) alert tcp $HOME_NET any -> [100.80.114.4] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197003/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197003; rev:1;) alert tcp $HOME_NET any -> [120.25.239.25] 59823 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197004/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197004; rev:1;) alert tcp $HOME_NET any -> [135.181.235.186] 2424 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197005/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197005; rev:1;) alert tcp $HOME_NET any -> [156.206.138.228] 5552 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197006/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197006; rev:1;) alert tcp $HOME_NET any -> [172.234.16.71] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197007/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197007; rev:1;) alert tcp $HOME_NET any -> [182.92.222.213] 7453 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197008/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197008; rev:1;) alert tcp $HOME_NET any -> [188.134.71.71] 5559 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197009/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197009; rev:1;) alert tcp $HOME_NET any -> [197.61.171.237] 5552 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197010/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197010; rev:1;) alert tcp $HOME_NET any -> [34.118.240.134] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197011/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197011; rev:1;) alert tcp $HOME_NET 
any -> [37.216.22.195] 888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197012/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197012; rev:1;) alert tcp $HOME_NET any -> [37.216.22.195] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197013/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197013; rev:1;) alert tcp $HOME_NET any -> [45.76.251.189] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197014/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197014; rev:1;) alert tcp $HOME_NET any -> [90.255.152.189] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197015/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197015; rev:1;) alert tcp $HOME_NET any -> [90.255.152.189] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197016/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cameraunitsdtock.sytes.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1197017/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cherrywoods-29890.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197018/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"go-bean.at.ply.gg"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197021/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msi.servet.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197023/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nancyagoatron.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197024/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neko10.tplinkdns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197025/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_10_30; classtype:trojan-activity; sid:91197025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"overheaven.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197026/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prnt.dedyn.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197028/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prtsc.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197029/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpurrybeatmecamtest.ddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197031/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"si.servet.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197033/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197033; rev:1;) alert tcp $HOME_NET any -> [179.43.142.55] 1995 
(msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197034/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitnow7005.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1197035/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.assassinsx.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197045/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.allinfo.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197042/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.anquyebt.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197043/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; 
classtype:trojan-activity; sid:91197043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.asdgain.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197044/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"goodlocka.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197036/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exoq"; depth:5; nocase; http.host; content:"134.195.211.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197041/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.biohazardgraphics.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197046/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.chosenncrowned.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197047/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.clinkccaddress.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197048/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.createinfo.pw"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197049/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.eceinfos.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197050/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.ecgbg.com"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1197051/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.efxety.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197052/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.fcektsy.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197053/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.fddnice.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197054/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.fidgetiesout.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197055/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.frivoloument.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197056/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.gaintt.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197057/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.gianninidesign.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197058/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.hbgents.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197059/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"www.hhgenice.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197060/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.influenceted.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197061/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.infoanalysiser.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.infokscents.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197063/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.irritabletion.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197064/; target:src_ip; metadata: confidence_level 
100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.iyiqian.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197065/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.jsxjbxx.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197066/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.kvubgc.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197067/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.mkpmc.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197069/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.likewisemeticulous.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197068/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.nextinfo.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197070/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.nicekkk.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197071/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.nvdmzf.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197072/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.rsnzhy.com"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1197073/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.sblinfo.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197074/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.sokoinfo.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197075/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.tendenctioned.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197076/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.tpyyf.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197077/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197077; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.uefhkice.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197078/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.wgqpw.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197079/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.wygexde.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197080/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.xxhufdc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"www.yarchworkshop.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info/"; depth:6; nocase; http.host; content:"www.zhxxjs.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.znsjis.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.zzhlike.pw"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ml341/index.php"; depth:16; nocase; http.host; content:"ruiw.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197096/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; 
classtype:trojan-activity; sid:91197096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sy55xqoxsn8juevekzyo"; depth:21; nocase; http.host; content:"146.190.157.174"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197095/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197095; rev:1;) alert tcp $HOME_NET any -> [57.128.165.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197094/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197094; rev:1;) alert tcp $HOME_NET any -> [62.234.46.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197093/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197093; rev:1;) alert tcp $HOME_NET any -> [185.212.47.90] 8843 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197092/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cv59914.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197091/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; 
classtype:trojan-activity; sid:91197091; rev:1;) alert tcp $HOME_NET any -> [79.110.62.42] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197090/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_30; classtype:trojan-activity; sid:91197090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mes/fre.php"; depth:12; nocase; http.host; content:"79.110.62.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197089/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; classtype:trojan-activity; sid:91197089; rev:1;) alert tcp $HOME_NET any -> [175.27.154.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197088/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_30; classtype:trojan-activity; sid:91197088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1njt"; depth:5; nocase; http.host; content:"120.46.63.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197087/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_30; classtype:trojan-activity; sid:91197087; rev:1;) alert tcp $HOME_NET any -> [65.109.160.253] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_30; 
classtype:trojan-activity; sid:91197086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.108.183.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197040/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91197040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"104.243.47.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197039/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91197039; rev:1;) alert tcp $HOME_NET any -> [54.201.226.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1197038/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91197038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"54.201.226.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1197037/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91197037; rev:1;) alert tcp $HOME_NET any -> [145.239.135.9] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196969/; 
target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196969; rev:1;) alert tcp $HOME_NET any -> [45.77.41.214] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196955/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196955; rev:1;) alert tcp $HOME_NET any -> [5.182.27.71] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196954/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_29; classtype:trojan-activity; sid:91196954; rev:1;) alert tcp $HOME_NET any -> [193.149.187.189] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196953/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_29; classtype:trojan-activity; sid:91196953; rev:1;) alert tcp $HOME_NET any -> [172.86.75.90] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196952/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_29; classtype:trojan-activity; sid:91196952; rev:1;) alert tcp $HOME_NET any -> [154.23.182.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196951/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b5c586aec2e1004c.php"; depth:21; nocase; http.host; content:"bidbur.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196946/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196946; rev:1;) alert tcp $HOME_NET any -> [220.137.149.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196945/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196945; rev:1;) alert tcp $HOME_NET any -> [4.224.84.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196944/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196944; rev:1;) alert tcp $HOME_NET any -> [86.98.20.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196943/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196943; rev:1;) alert tcp $HOME_NET any -> [79.119.10.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196942/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196942; rev:1;) alert tcp $HOME_NET any -> [190.134.140.205] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196941/; 
target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196941; rev:1;) alert tcp $HOME_NET any -> [90.4.65.117] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196940/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196940; rev:1;) alert tcp $HOME_NET any -> [176.224.131.213] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196939/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196939; rev:1;) alert tcp $HOME_NET any -> [76.110.157.166] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196938/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196938; rev:1;) alert tcp $HOME_NET any -> [136.243.185.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196937/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196937; rev:1;) alert tcp $HOME_NET any -> [176.31.163.140] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196936/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196936; rev:1;) alert tcp $HOME_NET any -> [94.131.3.160] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196935/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196935; rev:1;) alert tcp $HOME_NET any -> [45.86.163.224] 5483 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196934/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196934; rev:1;) alert tcp $HOME_NET any -> [45.61.130.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196933/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196933; rev:1;) alert tcp $HOME_NET any -> [62.109.24.105] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196932/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.zip"; depth:11; nocase; http.host; content:"23.88.45.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196862/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.45.254"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196861/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload.zip"; depth:11; nocase; http.host; content:"5.75.188.83"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196860/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196860; rev:1;) alert tcp $HOME_NET any -> [5.75.188.83] 3306 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196858/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196858; rev:1;) alert tcp $HOME_NET any -> [23.88.45.254] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196859/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196859; rev:1;) alert tcp $HOME_NET any -> [37.221.120.155] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196857/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196857; rev:1;) alert tcp $HOME_NET any -> [2.59.254.205] 9005 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196856/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196856; rev:1;) alert tcp $HOME_NET any -> [2.59.254.206] 9005 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196855/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196855; rev:1;) alert tcp $HOME_NET any -> [104.21.17.179] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196853/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196853; rev:1;) alert tcp $HOME_NET any -> [172.67.177.191] 443 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196852/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196852; rev:1;) alert tcp $HOME_NET any -> [172.67.177.191] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196851/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196851; rev:1;) alert tcp $HOME_NET any -> [83.41.141.79] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196850/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196850; rev:1;) alert tcp $HOME_NET any -> [194.182.70.200] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196849/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196849; rev:1;) alert tcp $HOME_NET any -> [45.137.22.168] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196848/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196848; rev:1;) alert tcp $HOME_NET any -> [110.41.142.241] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196847/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196847; rev:1;) alert tcp $HOME_NET any -> [52.22.145.117] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196846/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196846; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 14192 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196845/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196845; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 14192 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196844/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196844; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 14192 (msg:"ThreatFox NjRAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196843/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196843; rev:1;) alert tcp $HOME_NET any -> [93.123.85.27] 45 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196839/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_29; classtype:trojan-activity; sid:91196839; rev:1;) alert tcp $HOME_NET any -> [185.40.20.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196842/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196842; rev:1;) alert tcp $HOME_NET any -> [64.227.29.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196841/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196841; rev:1;) alert tcp $HOME_NET any -> [45.141.57.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196840/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196840; rev:1;) alert tcp $HOME_NET any -> [74.48.18.44] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196837/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196837; rev:1;) alert tcp $HOME_NET any -> [194.49.94.11] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196838/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"150.158.50.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196836/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.100.190.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196835/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-cia1auek-1314775489.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196834/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; 
content:"service-cia1auek-1314775489.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196833/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196833; rev:1;) alert tcp $HOME_NET any -> [194.87.31.142] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196832/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196832; rev:1;) alert tcp $HOME_NET any -> [188.121.110.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196831/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"188.121.110.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196830/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196830; rev:1;) alert tcp $HOME_NET any -> [83.112.71.239] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196829/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196829; rev:1;) alert tcp $HOME_NET any -> [46.243.180.196] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196828/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196828; rev:1;) alert tcp $HOME_NET any -> [164.92.246.33] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196827/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196827; rev:1;) alert tcp $HOME_NET any -> [13.52.36.101] 8081 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196826/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196826; rev:1;) alert tcp $HOME_NET any -> [93.115.20.114] 448 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196825/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196825; rev:1;) alert tcp $HOME_NET any -> [165.22.116.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196824/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"119.96.176.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196823/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"92.63.196.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196822/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196822; rev:1;) alert tcp $HOME_NET any -> [8.210.114.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196821/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196821; rev:1;) alert tcp $HOME_NET any -> [95.214.27.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196820/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196820; rev:1;) alert tcp $HOME_NET any -> [47.108.24.98] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196819/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196819; rev:1;) alert tcp $HOME_NET any -> [159.65.217.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196818/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196818; rev:1;) alert tcp $HOME_NET any -> [8.222.238.137] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196817/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.130.128.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196816/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196816; rev:1;) alert tcp $HOME_NET any -> [149.248.77.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196815/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196815; rev:1;) alert tcp $HOME_NET any -> [1.117.58.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196814/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196814; rev:1;) alert tcp $HOME_NET any -> [171.22.28.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196813/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196813; rev:1;) alert tcp $HOME_NET any -> [213.183.57.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196812/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196812; rev:1;) alert tcp $HOME_NET any -> [143.92.58.97] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196811/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.140.122.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196810/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"114.132.197.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196809/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.34.83.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196808/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"156.225.2.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196807/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"165.227.141.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196806/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.60.151.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196805/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"147.78.47.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196804/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196804; rev:1;) alert tcp $HOME_NET any -> [79.110.62.57] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196803/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196802/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.115.215.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196801/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196801; rev:1;) alert tcp $HOME_NET any -> [193.233.133.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196800/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196800; rev:1;) alert tcp $HOME_NET any -> [185.222.58.55] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196799/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196799; rev:1;) alert tcp $HOME_NET any -> [107.172.196.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196721/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firegate.php"; depth:17; nocase; http.host; content:"193.42.32.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196731/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.85.115.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196773/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196773; rev:1;) alert tcp $HOME_NET any -> [185.171.120.183] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196798/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196798; rev:1;) alert tcp $HOME_NET any -> [147.78.13.240] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196797/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196797; rev:1;) alert tcp $HOME_NET any -> [185.171.120.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196796/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196796; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16825 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196795/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196795; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16825 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196794/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196794; rev:1;) alert tcp $HOME_NET any -> [185.241.208.27] 2404 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196793/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196793; rev:1;) alert tcp $HOME_NET any -> [141.98.10.132] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196792/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196792; rev:1;) alert tcp $HOME_NET any -> [60.54.25.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196791/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196791; rev:1;) alert tcp $HOME_NET any -> [31.167.93.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196790/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196790; rev:1;) alert tcp $HOME_NET any -> [73.48.1.116] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196789/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196789; rev:1;) alert tcp $HOME_NET any -> [154.247.93.3] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196788/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196788; rev:1;) alert tcp $HOME_NET any -> [197.3.128.34] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196787/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196787; rev:1;) alert tcp $HOME_NET any -> [140.82.35.207] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196786/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196786; rev:1;) alert tcp $HOME_NET any -> [24.144.90.189] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196785/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196785; rev:1;) alert tcp $HOME_NET any -> [104.238.35.163] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196784/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196784; rev:1;) alert tcp $HOME_NET any -> [162.19.175.101] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196783/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196783; rev:1;) alert tcp $HOME_NET any -> [198.148.80.86] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196782/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196782; rev:1;) alert tcp $HOME_NET any -> [103.141.68.145] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196781/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jomanboy.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196780/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196780; rev:1;) alert tcp $HOME_NET any -> [130.51.42.169] 7702 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196779/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196779; rev:1;) alert tcp $HOME_NET any -> [45.142.214.190] 3669 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196778/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196778; rev:1;) alert tcp $HOME_NET any -> [116.204.110.99] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196777/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_29; classtype:trojan-activity; sid:91196777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"alosevera.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196776/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; classtype:trojan-activity; sid:91196776; rev:1;) alert tcp $HOME_NET any -> [3.93.77.101] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196775/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_29; classtype:trojan-activity; sid:91196775; rev:1;) alert tcp $HOME_NET any -> [47.111.82.157] 42090 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196774/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_29; 
classtype:trojan-activity; sid:91196774; rev:1;) alert tcp $HOME_NET any -> [172.67.219.160] 80 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196771/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196771; rev:1;) alert tcp $HOME_NET any -> [104.21.94.45] 443 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196770/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196770; rev:1;) alert tcp $HOME_NET any -> [79.137.202.91] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196765/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196765; rev:1;) alert tcp $HOME_NET any -> [208.64.33.102] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196764/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196764; rev:1;) alert tcp $HOME_NET any -> [45.11.91.14] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196763/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196763; rev:1;) alert tcp $HOME_NET any -> [95.214.25.236] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1196762/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196762; rev:1;) alert tcp $HOME_NET any -> [193.31.118.35] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196761/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196761; rev:1;) alert tcp $HOME_NET any -> [167.235.130.175] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196760/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196760; rev:1;) alert tcp $HOME_NET any -> [193.56.255.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196759/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196759; rev:1;) alert tcp $HOME_NET any -> [213.252.245.28] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196758/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196758; rev:1;) alert tcp $HOME_NET any -> [95.214.25.240] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196757/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196757; rev:1;) alert tcp $HOME_NET any -> [195.85.114.171] 8081 (msg:"ThreatFox RisePro botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196756/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196756; rev:1;) alert tcp $HOME_NET any -> [194.169.175.125] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196755/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196755; rev:1;) alert tcp $HOME_NET any -> [45.74.19.132] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196754/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196754; rev:1;) alert tcp $HOME_NET any -> [45.135.232.54] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196753/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196753; rev:1;) alert tcp $HOME_NET any -> [194.169.175.123] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196752/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196752; rev:1;) alert tcp $HOME_NET any -> [5.161.143.161] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196751/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; 
classtype:trojan-activity; sid:91196751; rev:1;) alert tcp $HOME_NET any -> [106.14.153.130] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196750/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196750; rev:1;) alert tcp $HOME_NET any -> [164.92.246.58] 9087 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196749/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196749; rev:1;) alert tcp $HOME_NET any -> [38.181.35.175] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196748/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196748; rev:1;) alert tcp $HOME_NET any -> [107.175.243.138] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196747/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196747; rev:1;) alert tcp $HOME_NET any -> [154.53.42.53] 8845 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196746/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196746; rev:1;) alert tcp $HOME_NET any -> [5.181.80.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196745/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196745; rev:1;) alert tcp $HOME_NET any -> [45.81.39.179] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196744/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196744; rev:1;) alert tcp $HOME_NET any -> [77.91.124.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196743/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196743; rev:1;) alert tcp $HOME_NET any -> [103.147.185.18] 1604 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196742/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196742; rev:1;) alert tcp $HOME_NET any -> [107.189.169.135] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196741/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196741; rev:1;) alert tcp $HOME_NET any -> [45.138.16.187] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196740/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196740; rev:1;) alert tcp $HOME_NET any -> [45.138.16.187] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196739/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196739; rev:1;) alert tcp $HOME_NET any -> [172.94.103.13] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196738/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196738; rev:1;) alert tcp $HOME_NET any -> [119.91.99.194] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196737/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196737; rev:1;) alert tcp $HOME_NET any -> [51.75.52.3] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196736/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196736; rev:1;) alert tcp $HOME_NET any -> [141.98.6.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196735/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196735; rev:1;) alert tcp $HOME_NET any -> [119.91.99.194] 8088 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196734/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196734; rev:1;) alert tcp 
$HOME_NET any -> [3.131.147.49] 12994 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196733/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196733; rev:1;) alert tcp $HOME_NET any -> [123.60.151.249] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196732/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196732; rev:1;) alert tcp $HOME_NET any -> [85.209.11.185] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196730/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196730; rev:1;) alert tcp $HOME_NET any -> [83.212.96.62] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196729/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196729; rev:1;) alert tcp $HOME_NET any -> [161.142.78.158] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196728/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196728; rev:1;) alert tcp $HOME_NET any -> [146.70.79.19] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196727/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196727; rev:1;) alert tcp $HOME_NET any -> [57.128.171.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196726/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196726; rev:1;) alert tcp $HOME_NET any -> [139.84.144.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196725/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196725; rev:1;) alert tcp $HOME_NET any -> [175.136.232.225] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196724/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196724; rev:1;) alert tcp $HOME_NET any -> [175.136.232.226] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196723/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"165.22.234.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196722/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196722; rev:1;) 
alert tcp $HOME_NET any -> [78.141.239.24] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196720/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196720; rev:1;) alert tcp $HOME_NET any -> [79.137.207.44] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196719/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196719; rev:1;) alert tcp $HOME_NET any -> [109.107.181.169] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196718/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196718; rev:1;) alert tcp $HOME_NET any -> [178.236.246.39] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196717/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196717; rev:1;) alert tcp $HOME_NET any -> [20.0.25.177] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196716/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196716; rev:1;) alert tcp $HOME_NET any -> [45.150.65.121] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196715/; target:src_ip; metadata: 
confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196715; rev:1;) alert tcp $HOME_NET any -> [8.217.23.144] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196714/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196714; rev:1;) alert tcp $HOME_NET any -> [212.118.52.90] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196713/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196713; rev:1;) alert tcp $HOME_NET any -> [185.26.239.246] 81 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196712/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196712; rev:1;) alert tcp $HOME_NET any -> [178.236.247.9] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196711/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196711; rev:1;) alert tcp $HOME_NET any -> [95.181.173.181] 80 (msg:"ThreatFox Medusa botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196710/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196710; rev:1;) alert tcp $HOME_NET any -> [199.127.62.181] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196709/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196709; rev:1;) alert tcp $HOME_NET any -> [104.243.47.102] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196707/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196707; rev:1;) alert tcp $HOME_NET any -> [38.181.20.78] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196706/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196706; rev:1;) alert tcp $HOME_NET any -> [80.85.141.108] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196705/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196705; rev:1;) alert tcp $HOME_NET any -> [83.243.122.151] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196704/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_28; classtype:trojan-activity; sid:91196704; rev:1;) alert tcp $HOME_NET any -> [77.73.133.88] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196703/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196703; rev:1;) alert tcp $HOME_NET any -> 
[46.8.210.75] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196702/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196702; rev:1;) alert tcp $HOME_NET any -> [159.69.95.42] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196701/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196701; rev:1;) alert tcp $HOME_NET any -> [195.123.209.20] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196700/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196700; rev:1;) alert tcp $HOME_NET any -> [89.23.98.188] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196699/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196699; rev:1;) alert tcp $HOME_NET any -> [94.142.138.58] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196698/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196698; rev:1;) alert tcp $HOME_NET any -> [94.142.138.145] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196697/; target:src_ip; 
metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196697; rev:1;) alert tcp $HOME_NET any -> [94.142.138.170] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196696/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196696; rev:1;) alert tcp $HOME_NET any -> [82.115.223.71] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196695/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196695; rev:1;) alert tcp $HOME_NET any -> [78.153.130.231] 5000 (msg:"ThreatFox TitanStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196694/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196694; rev:1;) alert tcp $HOME_NET any -> [194.26.135.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196693/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196693; rev:1;) alert tcp $HOME_NET any -> [45.135.165.166] 13172 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196692/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"en.voiceaipro.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196676/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"en.voice-ai.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196677/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voice.2005thavenue.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196678/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"elizgerls.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196679/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196679; rev:1;) alert tcp $HOME_NET any -> [185.106.94.167] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196691/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196691; rev:1;) alert tcp $HOME_NET any -> [45.79.174.92] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1196690/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196690; rev:1;) alert tcp $HOME_NET any -> [88.252.226.162] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196689/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196689; rev:1;) alert tcp $HOME_NET any -> [105.109.175.169] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196688/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196688; rev:1;) alert tcp $HOME_NET any -> [71.104.100.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196687/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196687; rev:1;) alert tcp $HOME_NET any -> [197.14.193.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196686/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196686; rev:1;) alert tcp $HOME_NET any -> [220.79.237.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196685/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196685; rev:1;) alert tcp $HOME_NET any -> [193.92.178.156] 995 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196684/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196684; rev:1;) alert tcp $HOME_NET any -> [104.238.35.163] 5984 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196683/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196683; rev:1;) alert tcp $HOME_NET any -> [46.148.139.144] 4444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196682/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196682; rev:1;) alert tcp $HOME_NET any -> [35.73.40.176] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196681/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196681; rev:1;) alert tcp $HOME_NET any -> [75.119.142.33] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196680/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196680; rev:1;) alert tcp $HOME_NET any -> [123.57.30.117] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196674/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; 
classtype:trojan-activity; sid:91196674; rev:1;) alert tcp $HOME_NET any -> [120.46.63.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196675/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196675; rev:1;) alert tcp $HOME_NET any -> [176.9.122.154] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196673/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196673; rev:1;) alert tcp $HOME_NET any -> [8.130.128.97] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196672/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196672; rev:1;) alert tcp $HOME_NET any -> [8.219.251.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196671/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196671; rev:1;) alert tcp $HOME_NET any -> [38.60.199.202] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196670/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196670; rev:1;) alert tcp $HOME_NET any -> [124.221.174.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196669/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196669; rev:1;) alert tcp $HOME_NET any -> [156.224.26.49] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196668/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196668; rev:1;) alert tcp $HOME_NET any -> [103.247.29.175] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196666/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196666; rev:1;) alert tcp $HOME_NET any -> [176.9.122.103] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196667/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196667; rev:1;) alert tcp $HOME_NET any -> [165.22.234.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196665/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196665; rev:1;) alert tcp $HOME_NET any -> [124.220.42.214] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196664/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196664; rev:1;) alert tcp 
$HOME_NET any -> [43.138.39.212] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196663/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196663; rev:1;) alert tcp $HOME_NET any -> [54.147.120.150] 5004 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196661/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196661; rev:1;) alert tcp $HOME_NET any -> [149.88.71.219] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196662/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196662; rev:1;) alert tcp $HOME_NET any -> [54.147.120.150] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196660/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196660; rev:1;) alert tcp $HOME_NET any -> [162.14.74.124] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196659/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196659; rev:1;) alert tcp $HOME_NET any -> [8.142.69.99] 55443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196658/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havoc.riggcorp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196657/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-94-98-53.sa-east-1.compute.amazonaws.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196656/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196656; rev:1;) alert tcp $HOME_NET any -> [88.99.46.160] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196655/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_28; classtype:trojan-activity; sid:91196655; rev:1;) alert tcp $HOME_NET any -> [121.32.27.111] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196654/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_28; classtype:trojan-activity; sid:91196654; rev:1;) alert tcp $HOME_NET any -> [189.250.25.77] 1756 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196653/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196653; rev:1;) alert tcp 
$HOME_NET any -> [189.250.25.77] 2190 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196651/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196651; rev:1;) alert tcp $HOME_NET any -> [189.250.25.77] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196652/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196652; rev:1;) alert tcp $HOME_NET any -> [189.250.25.77] 2125 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196650/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196650; rev:1;) alert tcp $HOME_NET any -> [189.250.25.77] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196648/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196648; rev:1;) alert tcp $HOME_NET any -> [189.250.25.77] 2116 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196649/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196649; rev:1;) alert tcp $HOME_NET any -> [46.30.188.150] 62222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196647/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196647; rev:1;) alert tcp $HOME_NET any -> [185.196.9.51] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196646/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_28; classtype:trojan-activity; sid:91196646; rev:1;) alert tcp $HOME_NET any -> [141.98.10.132] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196645/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196645; rev:1;) alert tcp $HOME_NET any -> [139.224.198.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196644/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196644; rev:1;) alert tcp $HOME_NET any -> [108.142.191.247] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196643/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196643; rev:1;) alert tcp $HOME_NET any -> [108.142.191.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196642/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196642; rev:1;) alert tcp $HOME_NET any -> [34.123.6.222] 30006 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196641/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196641; rev:1;) alert tcp $HOME_NET any -> [81.161.229.91] 6667 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196640/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196640; rev:1;) alert tcp $HOME_NET any -> [118.70.46.160] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196639/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196639; rev:1;) alert tcp $HOME_NET any -> [107.148.8.5] 4783 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196638/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196638; rev:1;) alert tcp $HOME_NET any -> [141.164.37.178] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196637/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196637; rev:1;) alert tcp $HOME_NET any -> [141.164.37.178] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196636/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; 
classtype:trojan-activity; sid:91196636; rev:1;) alert tcp $HOME_NET any -> [185.81.157.12] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196635/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196635; rev:1;) alert tcp $HOME_NET any -> [91.208.92.210] 1411 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196633/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196633; rev:1;) alert tcp $HOME_NET any -> [197.246.196.91] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196634/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196634; rev:1;) alert tcp $HOME_NET any -> [91.109.190.5] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196631/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196631; rev:1;) alert tcp $HOME_NET any -> [187.24.69.150] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196632/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196632; rev:1;) alert tcp $HOME_NET any -> [185.81.157.112] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1196630/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.buesem2021.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196629/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196629; rev:1;) alert tcp $HOME_NET any -> [94.131.98.34] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196628/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196628; rev:1;) alert tcp $HOME_NET any -> [41.103.29.232] 999 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196627/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196627; rev:1;) alert tcp $HOME_NET any -> [188.121.110.191] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196626/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.jangholi.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196625/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196625; rev:1;) alert tcp $HOME_NET 
any -> [194.190.152.148] 5871 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196624/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196624; rev:1;) alert tcp $HOME_NET any -> [146.0.79.23] 11224 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196620/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamesstartf.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196612/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevo2gameslop.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196613/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196613; rev:1;) alert tcp $HOME_NET any -> [146.0.79.25] 11223 (msg:"ThreatFox Mekotio botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196614/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; 
depth:4; nocase; http.host; content:"mouseoiet.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196616/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"boddyshow.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196617/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196617; rev:1;) alert tcp $HOME_NET any -> [109.107.182.211] 28913 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196618/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevoconceti.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196621/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"repicdominic.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196622/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196622; rev:1;) alert tcp $HOME_NET any -> [185.222.58.238] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1196623/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196623; rev:1;) alert tcp $HOME_NET any -> [198.37.111.235] 15804 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196619/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196615/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"85.175.101.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196611/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196611; rev:1;) alert tcp $HOME_NET any -> [65.21.101.233] 4714 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196609/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196609; rev:1;) alert tcp $HOME_NET any -> [125.141.145.185] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196610/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.61.0.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196608/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.242.51.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196607/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196607; rev:1;) alert tcp $HOME_NET any -> [139.224.206.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196606/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-m2easdvn-1303971391.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196604/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"service-m2easdvn-1303971391.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196605/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196605; rev:1;) alert tcp $HOME_NET any -> [103.61.0.241] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196603/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.234.72.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196602/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"103.61.0.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196601/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"89.23.103.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196600/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; 
classtype:trojan-activity; sid:91196600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.70.45.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196599/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v1.44/vxk7p0gbe8"; depth:25; nocase; http.host; content:"185.225.74.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196598/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"20.51.226.216"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196597/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdl.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196592/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdm.faqserv.com"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196593/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cfb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196594/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"adsh.vizvaz.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196595/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rbm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196596/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"39.108.189.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196591/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"momalua.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196589/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"kusmanin.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196590/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.188.83"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196588/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/settings"; depth:13; nocase; http.host; content:"175.24.176.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196587/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196587; rev:1;) alert tcp $HOME_NET any -> [45.141.87.124] 13 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196583/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_28; classtype:trojan-activity; sid:91196583; rev:1;) alert tcp $HOME_NET any -> [93.123.85.12] 1791 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196584/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_28; classtype:trojan-activity; sid:91196584; rev:1;) alert tcp $HOME_NET any -> [47.98.158.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196586/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196586; rev:1;) alert tcp $HOME_NET any -> [45.142.214.121] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196585/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196585; rev:1;) alert tcp $HOME_NET any -> [62.233.50.25] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196582/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196582; rev:1;) alert tcp $HOME_NET any -> [91.109.190.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196581/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196581; rev:1;) alert tcp $HOME_NET any -> [139.144.31.103] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196580/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; 
classtype:trojan-activity; sid:91196580; rev:1;) alert tcp $HOME_NET any -> [156.224.22.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196579/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196579; rev:1;) alert tcp $HOME_NET any -> [222.88.186.81] 23703 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196578/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196578; rev:1;) alert tcp $HOME_NET any -> [113.207.105.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196577/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196577; rev:1;) alert tcp $HOME_NET any -> [112.213.101.73] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196576/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196576; rev:1;) alert tcp $HOME_NET any -> [78.19.233.19] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196575/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196575; rev:1;) alert tcp $HOME_NET any -> [78.180.83.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1196574/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196574; rev:1;) alert tcp $HOME_NET any -> [197.204.20.144] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196573/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196573; rev:1;) alert tcp $HOME_NET any -> [105.102.31.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196572/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196572; rev:1;) alert tcp $HOME_NET any -> [80.192.52.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196571/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196571; rev:1;) alert tcp $HOME_NET any -> [41.99.8.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196570/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196570; rev:1;) alert tcp $HOME_NET any -> [217.165.234.145] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196569/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196569; rev:1;) alert tcp $HOME_NET any -> [157.230.124.53] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196568/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196568; rev:1;) alert tcp $HOME_NET any -> [85.13.118.11] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196567/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196567; rev:1;) alert tcp $HOME_NET any -> [45.56.165.27] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196566/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196566; rev:1;) alert tcp $HOME_NET any -> [104.236.210.243] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196565/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196565; rev:1;) alert tcp $HOME_NET any -> [104.238.35.163] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196564/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196564; rev:1;) alert tcp $HOME_NET any -> [104.238.35.163] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196563/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; 
sid:91196563; rev:1;)
# NOTE(review): the ip:port rules in this feed carry no flow: keyword, so any packet from
# $HOME_NET toward the listed ip:port (an unanswered SYN included) raises the alert; the
# threshold only caps it at one alert per source per 60 s. Several entries below are
# confidence_level 50 - alert on them, but confirm before blocking on them.
alert tcp $HOME_NET any -> [161.189.238.234] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196562/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196562; rev:1;)
alert tcp $HOME_NET any -> [92.116.89.214] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196561/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_28; classtype:trojan-activity; sid:91196561; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.231] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196560/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196560; rev:1;)
# NOTE(review): sid 91196559 is the same detection as sid 91196587 earlier in this feed
# (GET /api/settings on 175.24.176.154, ThreatFox IOC 1196587) under a different sid and
# reference, so one request raises two alerts. Suppress one of the pair in disable.conf
# rather than hand-editing this generated file; both are left enabled here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/settings"; depth:13; nocase; http.host; content:"175.24.176.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196559/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_28; classtype:trojan-activity; sid:91196559; rev:1;)
alert tcp $HOME_NET any -> [104.238.35.163] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196558/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196558; rev:1;)
alert tcp $HOME_NET any -> [101.34.83.16] 30002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port -
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196557/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_28; classtype:trojan-activity; sid:91196557; rev:1;) alert tcp $HOME_NET any -> [104.238.35.163] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196556/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmd119000.contaboserver.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196555/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196555; rev:1;) alert tcp $HOME_NET any -> [220.69.33.60] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196554/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196554; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 5631 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196553/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196553; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 3442 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196552/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; 
classtype:trojan-activity; sid:91196552; rev:1;) alert tcp $HOME_NET any -> [46.4.112.27] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196551/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196551; rev:1;) alert tcp $HOME_NET any -> [141.105.71.158] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196550/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196550; rev:1;) alert tcp $HOME_NET any -> [101.43.85.101] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196549/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196549; rev:1;) alert tcp $HOME_NET any -> [216.128.176.211] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196548/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196548; rev:1;) alert tcp $HOME_NET any -> [83.110.223.153] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196547/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196547; rev:1;) alert tcp $HOME_NET any -> [79.130.61.1] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1196546/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196546; rev:1;) alert tcp $HOME_NET any -> [102.157.55.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196545/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196545; rev:1;) alert tcp $HOME_NET any -> [85.13.118.40] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196544/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"adsh.vizvaz.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196542/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"rbm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196543/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; 
http.host; content:"cdm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196540/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"cfb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196541/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdl.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196539/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196539; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 4361 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196534/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196534; rev:1;) alert tcp $HOME_NET any -> [179.43.191.202] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196533/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196533; rev:1;) alert tcp $HOME_NET any -> [108.142.191.234] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196532/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196532; rev:1;) alert tcp $HOME_NET any -> [64.227.106.181] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196531/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196531; rev:1;) alert tcp $HOME_NET any -> [157.90.123.205] 14376 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196530/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196530; rev:1;) alert tcp $HOME_NET any -> [46.149.79.55] 24264 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196529/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196529; rev:1;) alert tcp $HOME_NET any -> [77.91.124.221] 18408 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196528/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drugrim/wa/id.txt"; depth:18; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, 
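threatfox.abuse.ch/ioc/1196527/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drugrim/wa/sms.php"; depth:19; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196526/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196526; rev:1;)
# NOTE(review): sid 91196525 is identical to sid 91196526 above apart from the sid and the
# ThreatFox reference (both: GET /drugrim/wa/sms.php on hfastt.com), so one request raises
# two alerts. Suppress one of the pair in disable.conf rather than hand-editing this
# generated feed; both are left enabled here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drugrim/wa/sms.php"; depth:19; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196525/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drugrim/wa/requests.php"; depth:24; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196524/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahaishere.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196523/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196523; rev:1;)
# NOTE(review): IOC 1196522 was emitted with the hostname in the http.uri buffer
# (content:"rahaishere.site"; depth:15, no http.host check and no end anchor). Suricata's
# normalized http.uri begins with the request path ("/"), so that rule would not fire on a
# normally formed request; the value is a host indicator, as sids 91196523/91196520/91196521
# for the same domain show. Re-anchored on http.host following the convention used by the
# other url rules in this feed. The original path is not recoverable from the IOC as rendered,
# so this matches any GET to the host; rev bumped to 2 because the detection logic changed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"rahaishere.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196522/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196522; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001921881932"; depth:19; nocase; http.host; content:"rahaishere.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196520/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001921881932"; depth:22; nocase; http.host; content:"rahaishere.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196521/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196521; rev:1;)
# NOTE(review): sid 91196518 matches on http.uri "/" with depth:1, i.e. every GET to
# apuyhh.xyz regardless of path; the host anchor is what carries the detection here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apuyhh.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196518/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apuyhh.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196519/; target:src_ip; metadata: confidence_level 100,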
first_seen 2023_10_27; classtype:trojan-activity; sid:91196519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"tsm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196517/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxo/log.php"; depth:12; nocase; http.host; content:"apuyhh.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196516/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxo/web.txt"; depth:12; nocase; http.host; content:"apuyhh.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196515/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.s"; depth:3; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196514/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.s/bot/"; depth:8; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196513/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.s/bot/panels"; depth:14; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196512/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.s/bot/panels/darkdemon"; depth:24; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196511/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.s/bot/panels/darkdemon/panel.php"; depth:34; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196509/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/.s/bot/panels/darkdemon/panel.php"; depth:34; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196510/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.s/bot/panels/darkdemon/panel.php"; depth:34; nocase; http.host; content:"ehduhehudhedhu.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196508/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king2/"; depth:7; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196506/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king2/wa/"; depth:10; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196507/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king2/wa/contact.php"; depth:21; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1196505/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king2/wa/requests.php"; depth:22; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196504/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king2/wa/id.txt"; depth:16; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196503/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/king2/wa/sms.php"; depth:17; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196502/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001848854474"; depth:22; nocase; http.host; content:"mrcomishere.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196500/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; 
sid:91196500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrcomishere.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196501/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001848854474"; depth:19; nocase; http.host; content:"mrcomishere.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196499/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"355212cm.nyashnyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196498/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196498; rev:1;) alert tcp $HOME_NET any -> [114.132.197.186] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196497/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196497; rev:1;) alert tcp $HOME_NET any -> [202.95.8.183] 8888 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196496/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; 
classtype:trojan-activity; sid:91196496; rev:1;) alert tcp $HOME_NET any -> [178.208.87.21] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196495/; target:src_ip; metadata: confidence_level 60, first_seen 2023_10_27; classtype:trojan-activity; sid:91196495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"121.40.66.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196494/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"45.136.14.51"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196493/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"165.227.141.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196492/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; 
content:"8.134.71.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196491/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"101.43.170.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196490/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"31.44.184.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196489/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.132.152.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196488/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ehduhehudhedhu.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196487/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196487; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ehduhehudhedhu.site"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1196486/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config/-1001830809790"; depth:22; nocase; http.host; content:"mekerishere.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196484/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mekerishere.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196485/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/-1001830809790"; depth:19; nocase; http.host; content:"mekerishere.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196483/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mekerishere.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1196482/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdpanel.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196480/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stableconn.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196481/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"stableconn.online"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1196479/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/end/strawberry.php"; depth:19; nocase; http.host; content:"stableconn.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196478/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/end/info.php"; depth:13; nocase; http.host; 
content:"stableconn.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196477/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/end/"; depth:5; nocase; http.host; content:"stableconn.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196476/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"xdpanel.cloud"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1196475/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tools/end.json"; depth:15; nocase; http.host; content:"xdpanel.cloud"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196474/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196474; rev:1;) alert tcp $HOME_NET any -> [47.92.197.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196473/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"safe.fogreir.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196471/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fogreir.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196472/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"safe.fogreir.fun"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1196470/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hamid/"; depth:7; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196469/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hamid/web.txt"; depth:14; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196468/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hamid/log.php"; depth:14; nocase; http.host; content:"safe.fogreir.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196467/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196467; rev:1;) alert tcp $HOME_NET any -> [82.115.223.138] 40360 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196461/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"sdm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196466/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kihan/web.txt"; depth:14; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196465/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kihan"; depth:6; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1196464/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kihan/log.php"; depth:14; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196463/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kihan/phone.txt"; depth:16; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196462/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196462; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 14817 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196439/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196439; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 14817 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196445/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.37.105.223"; depth:14; nocase; 
reference:url, threatfox.abuse.ch/ioc/1196410/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196410; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 14817 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196437/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196437; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 14817 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196438/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"menge.duckdns.org"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1196411/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196411; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 14817 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196440/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196440; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 14817 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196446/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"onlyblack.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196447/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196447; rev:1;) alert tcp $HOME_NET any -> [46.246.86.18] 2815 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196458/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196458; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 19698 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196460/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196460; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 19698 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196459/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/in.php"; depth:7; nocase; http.host; content:"das.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196457/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196456/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master/wa/"; depth:11; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196455/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master/wa/id.txt"; depth:17; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196454/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master/wa/sms.php"; depth:18; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196453/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master/wa/requests.php"; depth:23; nocase; http.host; content:"hfastt.com"; depth:10; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196452/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master/wa/contact.php"; depth:22; nocase; http.host; content:"hfastt.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196451/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfastt.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196450/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ap.ronappig.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196448/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ronappig.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196449/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/log.php"; depth:14; nocase; 
http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196444/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/web.txt"; depth:14; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196443/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar/phone.txt"; depth:16; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196442/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sezar"; depth:6; nocase; http.host; content:"ap.ronappig.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196441/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196441; rev:1;) alert tcp $HOME_NET any -> [154.12.225.201] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196436/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196436; rev:1;) alert tcp $HOME_NET any -> 
[185.216.71.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196435/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196435; rev:1;) alert tcp $HOME_NET any -> [82.156.29.83] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196434/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196434; rev:1;) alert tcp $HOME_NET any -> [82.157.142.84] 28443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196432/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196432; rev:1;) alert tcp $HOME_NET any -> [20.168.67.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196433/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196433; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 32228 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196431/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196431; rev:1;) alert tcp $HOME_NET any -> [43.143.47.110] 3334 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196430/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196430; rev:1;) alert tcp $HOME_NET any -> [43.136.113.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196429/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196429; rev:1;) alert tcp $HOME_NET any -> [124.70.45.102] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196428/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196428; rev:1;) alert tcp $HOME_NET any -> [43.140.203.115] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196426/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196426; rev:1;) alert tcp $HOME_NET any -> [110.41.144.91] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196427/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196427; rev:1;) alert tcp $HOME_NET any -> [49.234.126.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196425/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196425; rev:1;) alert tcp $HOME_NET any -> [193.218.201.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196424/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"log.bisongdamall.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196423/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196423; rev:1;) alert tcp $HOME_NET any -> [149.202.45.103] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196422/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_27; classtype:trojan-activity; sid:91196422; rev:1;) alert tcp $HOME_NET any -> [46.17.103.152] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196421/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_27; classtype:trojan-activity; sid:91196421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftoutlook.sytes.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196420/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196420; rev:1;) alert tcp $HOME_NET any -> [108.142.191.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196419/; target:src_ip; 
metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196419; rev:1;) alert tcp $HOME_NET any -> [35.225.227.102] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196418/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196418; rev:1;) alert tcp $HOME_NET any -> [20.90.46.68] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196417/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196417; rev:1;) alert tcp $HOME_NET any -> [198.12.125.30] 8019 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196416/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196416; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196415/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196415; rev:1;) alert tcp $HOME_NET any -> [51.254.33.199] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196414/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196414; rev:1;) alert tcp $HOME_NET any -> [5.255.114.119] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196413/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cms.credsera.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196412/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rubalasksigysmanlkavayssstezya.website"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196394/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"monbruusr2aqr.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196396/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrglobal.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196409/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"trackingg2-protectioon.cdn4.mozilla.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1196392/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"trackingg1-protectioon.cdn5.mozilla.net"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196393/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pssiofrotms1q.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196388/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dgokmertli23q.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196390/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"onlinepoints.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196391/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nalgysmanurmaskmikluhasya.website"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196387/; target:src_ip; metadata: confidence_level 50, first_seen 
2023_10_27; classtype:trojan-activity; sid:91196387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mifrutty.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196389/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gnalmgysmanask4ermanderezya.website"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196383/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rutramagysmanskkmoderatordstezya.website"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196385/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"glamrgysmanaskdkambibatstezya.space"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196386/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rramaskkmigysmanleronurzya.website"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196382/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196382; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rubymgysmanmaskrufinurtdrfezya.website"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196384/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sramrmaskgysmanproteploszya.space"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196377/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rufgysmanymrmaskbteyryeuliliezya.website"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196378/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rbabamrgysmanmaskriserdfnstezya.space"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196379/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rusitmgysmanaskpikabyatezya.website"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196380/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196380; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rurprgysmanamskprikchinhdncstezya.space"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196381/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rmonaasgysmankktxubastaezya.live"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196376/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"liset.ched3ck.bi1ng.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1196374/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.247.42.215"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1196375/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"listwhfidte.check3.yaho1o.com"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1196372/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196372; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lisfwhidte.ch2eck.yaheoo.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1196373/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.242.217.120"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1196371/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"list.check.bin1g.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1196369/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"listwhite.che1ck.yah1oo.com"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1196370/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"iextrawebty.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1196368/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196368; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"170.130.55.65"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1196367/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"igrovdow.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1196365/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.247.42.100"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1196366/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rzipaurgysmanmaskssmastaezya.abkhazia.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196395/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"systemcheck.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196397/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 50%)"; dns_query; content:"rsiskmasgysmankbzfdrosterzya.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196399/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rrakomaskpgysmancdakirgitushkanchikzya.adygeya.su"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196398/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"slammagysmanskkapsulrttezya.website"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196400/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rutichhdaskgysmanoltogorovidsnstezya.space"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196401/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"incontroler.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196402/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"whofos.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196403/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rurparagysmanmaskstreptokokusstezya.space"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196404/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rkovkagysmanmasksemyanastezya.adygeya.su"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196405/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"runyanmgysmanaskklasgindtezya.space"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196406/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"onlinepoints.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196407/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"skumrmgysmanaskihglassdzya.website"; depth:34; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196408/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196408; rev:1;) alert tcp $HOME_NET any -> [47.242.51.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196364/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196364; rev:1;) alert tcp $HOME_NET any -> [198.12.88.147] 80 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196362/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196362; rev:1;) alert tcp $HOME_NET any -> [198.12.88.147] 443 (msg:"ThreatFox IRATA payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196363/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sta.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196361/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"tsa.faqserv.com"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1196360/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"ceb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196358/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"smt.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196359/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"des.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196357/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sef.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196356/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196356; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sde.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196355/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sda.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196354/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"tes.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196353/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"fda.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196352/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"srd.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196351/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"tsm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196349/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sev.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196350/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"deb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196348/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sel.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196347/; 
target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"edm.mrbasic.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196346/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ebd.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196345/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"res.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196344/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"fsa.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196343/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"edb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196341/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"eds.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196342/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sds.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196340/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"sah.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196339/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; 
http.host; content:"seb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196337/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"efa.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196338/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"esb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196336/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"tbs.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196334/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sba.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196335/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_10_27; classtype:trojan-activity; sid:91196335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"srm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196333/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"efs.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196332/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ebc.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196331/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"e.faqserv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196330/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"srb.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196328/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"stm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196329/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sem.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196327/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sat.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196326/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sra.faqserv.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196324/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; nocase; http.host; content:"ebf.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196325/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"tdm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196323/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sdm.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196321/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"sed.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196322/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; 
sid:91196322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"das.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196320/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saham.apk"; depth:10; nocase; http.host; content:"esd.faqserv.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196319/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tes.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196310/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sda.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196311/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sde.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196312/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_10_27; classtype:trojan-activity; sid:91196312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sef.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196313/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"des.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196314/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ceb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196315/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"smt.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196316/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tsa.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196317/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"sta.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196318/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efs.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196285/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196286/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bams.faqserv.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196287/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tbs.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196288/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sba.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1196289/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"esb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196290/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sexb.faqserv.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196291/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"seb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196292/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"efa.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196293/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sah.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196294/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; 
classtype:trojan-activity; sid:91196294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dem.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196295/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sds.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196296/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196297/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eds.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196298/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fsa.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196299/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain 
- confidence level: 100%)"; dns_query; content:"res.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196300/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fed.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196301/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ebd.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196302/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"edm.mrbasic.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196303/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sel.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196304/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1196305/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tsm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196306/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sev.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196307/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srd.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196308/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fda.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196309/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"esd.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196269/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; 
sid:91196269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"das.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196270/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sdm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196271/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sed.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196272/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tdm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196273/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eba.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196274/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"sra.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196275/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ebf.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196276/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sat.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196277/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sexi.faqserv.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196278/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sem.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196279/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"srb.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1196280/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stm.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196281/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"e.faqserv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196282/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ebc.faqserv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196283/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bamd.faqserv.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196284/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196284; rev:1;) alert tcp $HOME_NET any -> [194.147.140.138] 1604 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196268/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196268; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"harold.ns01.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196267/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196267; rev:1;) alert tcp $HOME_NET any -> [35.228.198.215] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196210/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196210; rev:1;) alert tcp $HOME_NET any -> [66.63.168.75] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196204/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196204; rev:1;) alert tcp $HOME_NET any -> [198.44.140.67] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196207/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"122.51.116.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196209/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196209; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"85.209.11.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196208/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus"; depth:17; nocase; http.host; content:"45.136.14.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196206/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196206; rev:1;) alert tcp $HOME_NET any -> [52.28.174.18] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196205/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.145.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196203/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196203; rev:1;) alert tcp $HOME_NET any -> [121.196.202.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196202/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; 
classtype:trojan-activity; sid:91196202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/v9.52/6fcq3uvd9"; depth:23; nocase; http.host; content:"121.196.202.174"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196201/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196200/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196200; rev:1;) alert tcp $HOME_NET any -> [175.24.176.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196199/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/js"; depth:7; nocase; http.host; content:"175.24.176.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196198/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; 
nocase; http.host; content:"d3a95mnixoebky.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196197/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"179.60.150.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196196/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.221.206.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196195/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.70.62.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196194/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196194; rev:1;) alert tcp $HOME_NET any -> [119.29.225.65] 13426 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196193/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196193; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"165.227.141.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196192/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"117.50.187.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196191/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.42.22.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196190/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"92.63.196.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196189/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196189; rev:1;) alert tcp $HOME_NET any -> [107.21.217.80] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196188/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.pebrord.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196187/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"219.151.137.59"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196186/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"moodelstore.tel"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196185/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"31.44.184.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196184/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ptj"; depth:4; nocase; http.host; content:"114.116.49.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196183/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196183; rev:1;) alert tcp $HOME_NET any -> [220.69.33.123] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196182/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196182; rev:1;) alert tcp $HOME_NET any -> [95.214.25.164] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196179/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_27; classtype:trojan-activity; sid:91196179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.pvp-rivals.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196180/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_27; classtype:trojan-activity; sid:91196180; rev:1;) alert tcp $HOME_NET any -> [156.207.236.180] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196181/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taochinashowwers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196175/; target:src_ip; metadata: confidence_level 100, 
first_seen 2023_10_27; classtype:trojan-activity; sid:91196175; rev:1;) alert tcp $HOME_NET any -> [82.117.253.34] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196176/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196176; rev:1;) alert tcp $HOME_NET any -> [82.117.253.34] 8080 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196177/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"modalefastnow.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196178/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196178; rev:1;) alert tcp $HOME_NET any -> [116.203.90.155] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196174/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196174; rev:1;) alert tcp $HOME_NET any -> [175.24.176.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196173/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196173; rev:1;) alert tcp $HOME_NET any -> [142.171.103.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196172/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196172; rev:1;) alert tcp $HOME_NET any -> [59.7.95.201] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196171/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196171; rev:1;) alert tcp $HOME_NET any -> [31.190.109.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196170/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196170; rev:1;) alert tcp $HOME_NET any -> [70.29.101.16] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196169/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196169; rev:1;) alert tcp $HOME_NET any -> [74.12.146.78] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196168/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196168; rev:1;) alert tcp $HOME_NET any -> [31.190.227.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196167/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196167; rev:1;) alert tcp $HOME_NET any -> 
[104.238.61.150] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196166/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196166; rev:1;) alert tcp $HOME_NET any -> [54.193.91.232] 9001 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196165/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196165; rev:1;) alert tcp $HOME_NET any -> [45.56.165.27] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196164/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196164; rev:1;) alert tcp $HOME_NET any -> [45.56.165.27] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196163/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196163; rev:1;) alert tcp $HOME_NET any -> [45.56.165.27] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196162/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196162; rev:1;) alert tcp $HOME_NET any -> [180.184.32.156] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196161/; target:src_ip; metadata: confidence_level 50, 
first_seen 2023_10_27; classtype:trojan-activity; sid:91196161; rev:1;) alert tcp $HOME_NET any -> [104.238.187.71] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196160/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196160; rev:1;) alert tcp $HOME_NET any -> [185.216.71.238] 9909 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196159/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_27; classtype:trojan-activity; sid:91196159; rev:1;) alert tcp $HOME_NET any -> [185.216.71.238] 7708 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196158/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_27; classtype:trojan-activity; sid:91196158; rev:1;) alert tcp $HOME_NET any -> [45.227.255.34] 47473 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196157/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196157; rev:1;) alert tcp $HOME_NET any -> [45.227.255.34] 39289 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196156/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196156; rev:1;) alert tcp $HOME_NET any -> [185.216.71.238] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196155/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196155; rev:1;) alert tcp $HOME_NET any -> [212.113.116.63] 47534 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196154/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196154; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14516 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196153/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196153; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14516 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196152/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196152; rev:1;) alert tcp $HOME_NET any -> [83.97.20.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196151/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"qwer.gybritanalytsesystem.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196149/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196149; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"meilleur.playerofsunshine.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196150/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/group/five/fre.php"; depth:19; nocase; http.host; content:"moodelstore.tel"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196148/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_27; classtype:trojan-activity; sid:91196148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/group/five/fre.php"; depth:19; nocase; http.host; content:"moodelstore.tel"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196147/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196147; rev:1;) alert tcp $HOME_NET any -> [31.147.207.51] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196146/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196146; rev:1;) alert tcp $HOME_NET any -> [144.91.86.133] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196145/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; 
sid:91196145; rev:1;) alert tcp $HOME_NET any -> [103.61.0.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196143/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196143; rev:1;) alert tcp $HOME_NET any -> [103.61.0.241] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196144/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196144; rev:1;) alert tcp $HOME_NET any -> [34.209.178.22] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196142/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196142; rev:1;) alert tcp $HOME_NET any -> [43.138.248.121] 15666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196140/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196140; rev:1;) alert tcp $HOME_NET any -> [92.118.112.156] 6881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196141/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196141; rev:1;) alert tcp $HOME_NET any -> [120.78.217.200] 8096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1196139/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196139; rev:1;) alert tcp $HOME_NET any -> [79.47.242.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196137/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196137; rev:1;) alert tcp $HOME_NET any -> [23.94.200.114] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196138/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196138; rev:1;) alert tcp $HOME_NET any -> [110.40.137.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196136/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196136; rev:1;) alert tcp $HOME_NET any -> [47.113.198.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196134/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196134; rev:1;) alert tcp $HOME_NET any -> [8.130.128.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196135/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196135; rev:1;) alert tcp $HOME_NET any -> 
[185.112.147.45] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196133/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196133; rev:1;) alert tcp $HOME_NET any -> [124.71.46.93] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196132/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196132; rev:1;) alert tcp $HOME_NET any -> [129.211.210.61] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196130/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196130; rev:1;) alert tcp $HOME_NET any -> [124.222.147.8] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196131/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196131; rev:1;) alert tcp $HOME_NET any -> [158.247.240.30] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196129/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196129; rev:1;) alert tcp $HOME_NET any -> [45.152.66.136] 54223 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196128/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196128; rev:1;) alert tcp $HOME_NET any -> [110.41.142.241] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196126/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196126; rev:1;) alert tcp $HOME_NET any -> [107.148.33.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196127/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"68.183.220.248.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196125/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gruposermesa.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196123/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196123; rev:1;) alert tcp $HOME_NET any -> [45.95.175.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196124/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196124; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasbulla.su"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196122/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196122; rev:1;) alert tcp $HOME_NET any -> [103.175.218.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196121/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theodonal.ddns.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196120/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196120; rev:1;) alert tcp $HOME_NET any -> [194.163.160.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196119/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crwalho.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196118/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196118; rev:1;) alert tcp $HOME_NET any -> [104.248.43.248] 587 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1196117/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196117; rev:1;) alert tcp $HOME_NET any -> [194.163.160.254] 587 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196115/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196115; rev:1;) alert tcp $HOME_NET any -> [104.248.43.248] 25 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196116/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196116; rev:1;) alert tcp $HOME_NET any -> [194.163.160.254] 25 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196114/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196114; rev:1;) alert tcp $HOME_NET any -> [103.175.218.61] 465 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196112/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196112; rev:1;) alert tcp $HOME_NET any -> [103.175.218.61] 587 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196113/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196113; rev:1;) alert tcp $HOME_NET any 
-> [103.175.218.61] 25 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196111/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196111; rev:1;) alert tcp $HOME_NET any -> [124.126.116.6] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196110/; target:src_ip; metadata: confidence_level 90, first_seen 2023_10_27; classtype:trojan-activity; sid:91196110; rev:1;) alert tcp $HOME_NET any -> [198.44.186.71] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196109/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196109; rev:1;) alert tcp $HOME_NET any -> [103.234.72.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196108/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196108; rev:1;) alert tcp $HOME_NET any -> [117.50.184.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196107/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196107; rev:1;) alert tcp $HOME_NET any -> [167.172.136.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1196106/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196106; rev:1;) alert tcp $HOME_NET any -> [62.182.84.234] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196104/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2r-cn2.lifeisff.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196105/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196105; rev:1;) alert tcp $HOME_NET any -> [188.40.162.125] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196103/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196103; rev:1;) alert tcp $HOME_NET any -> [112.213.101.35] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196102/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196102; rev:1;) alert tcp $HOME_NET any -> [185.81.157.12] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196101/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abaadoffice.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196100/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196100; rev:1;) alert tcp $HOME_NET any -> [158.160.74.251] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196099/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196099; rev:1;) alert tcp $HOME_NET any -> [3.253.77.60] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196098/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_27; classtype:trojan-activity; sid:91196098; rev:1;) alert tcp $HOME_NET any -> [39.109.112.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196097/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ugopounds.ironoreprod.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1196095/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"davinci.kalnet.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1196096/; target:src_ip; metadata: confidence_level 50, first_seen 2023_10_27; classtype:trojan-activity; sid:91196096; rev:1;) alert tcp $HOME_NET any -> [72.11.148.153] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196094/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196094; rev:1;) alert tcp $HOME_NET any -> [88.214.25.246] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196093/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196093; rev:1;) alert tcp $HOME_NET any -> [150.158.141.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196092/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196092; rev:1;) alert tcp $HOME_NET any -> [45.95.169.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196091/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_27; classtype:trojan-activity; sid:91196091; rev:1;) alert tcp $HOME_NET any -> [18.206.175.252] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196090/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_26; classtype:trojan-activity; sid:91196090; rev:1;) alert tcp $HOME_NET any -> [54.163.249.10] 8083 (msg:"ThreatFox Sliver botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196089/; target:src_ip; metadata: confidence_level 80, first_seen 2023_10_26; classtype:trojan-activity; sid:91196089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4a7a990a47cd52ad.php"; depth:21; nocase; http.host; content:"91.103.253.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196088/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"170.187.224.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196087/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196087; rev:1;) alert tcp $HOME_NET any -> [165.22.245.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196086/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"165.22.245.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196085/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; 
sid:91196085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"bacon.danger-zone.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196084/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196084; rev:1;) alert tcp $HOME_NET any -> [51.68.169.133] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196083/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promote/php/kzw7d2j79gk"; depth:24; nocase; http.host; content:"ticketbox23.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1196082/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196082; rev:1;) alert tcp $HOME_NET any -> [194.169.175.234] 27221 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196081/; target:src_ip; metadata: confidence_level 100, first_seen 2023_10_26; classtype:trojan-activity; sid:91196081; rev:1;) alert tcp $HOME_NET any -> [194.169.175.220] 21676 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196080/; target:src_ip; metadata: confidence_level 100, first_seen 
2023_10_26; classtype:trojan-activity; sid:91196080; rev:1;) alert tcp $HOME_NET any -> [213.139.205.123] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196079/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_26; classtype:trojan-activity; sid:91196079; rev:1;) alert tcp $HOME_NET any -> [165.22.212.20] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1196078/; target:src_ip; metadata: confidence_level 75, first_seen 2023_10_26; classtype:trojan-activity; sid:91196078; rev:1;) # Number of entries: 53846